Windows Server

Complete the following fields:

Option Description

Monitor this data source and collect activity data

Enable monitoring of the selected data source and configure Netwrix Auditor to collect and store audit data.

Monitor changes to system components

Select the system components that you want to audit for changes. Review the following for additional information:
  • General computer settings—Enables auditing of general computer settings. For example, computer name or workgroup changes.
  • Hardware—Enables auditing of hardware device configuration. For example, changes to your network adapter configuration.
  • Add/Remove programs—Enables auditing of installed and removed programs. For example, the Microsoft Office package was removed from the audited Windows Server.
  • Services—Enables auditing of started/stopped services. For example, the Windows Firewall service stopped.
  • Audit policies—Enables auditing of local advanced audit policies configuration. For example, the Audit User Account Management advanced audit policy is set to "Failure".
  • DHCP configuration—Enables auditing of DHCP configuration changes.
  • Scheduled tasks—Enables auditing of enabled / disabled / modified scheduled tasks. For example, changes to the trigger of the GoogleUpdateTaskMachineUA scheduled task.
  • Local users and groups—Enables auditing of local users and groups. For example, an unknown user was added to the Administrators group.
  • DNS configuration—Enables auditing of your DNS configuration changes. For example, changes to your DNS security parameters.
  • DNS resource records—Enables auditing of all types of DNS resource records. For example, changes to A-type resource records (Address records).
  • File shares—Enables auditing of created / removed / modified file shares and their properties. For example, a new file share was created on the audited Windows Server.
  • Removable media—Enables auditing of USB thumb drive insertion.

Specify data collection method

You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer's performance.

Configure audit settings

You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary.

NOTE: This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed.

Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to Configure IT Infrastructure for Auditing and Monitoring.

Collect data for state-in-time reports

Configure Netwrix Auditor to store daily snapshots of your system configuration, which are required to generate state-in-time reports. See State–in–Time Reports for more information.

In the Manage historical snapshots section, you can click Manage and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at a specific moment in the past.

NOTE: You must be assigned the Global administrator or the Global reviewer role to import snapshots.

Move the selected snapshots to the Snapshots available for reporting list using the arrow button.

NOTE: The product updates the latest snapshot on a regular basis to keep users up to date on the actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.


Specify monitoring restrictions

Specify restriction filters to narrow your Windows Server monitoring scope (search results, reports and Activity Summaries). For example, you can exclude system activity on particular objects on all computers. All filters are applied using AND logic. Click Add and complete the following fields:

  • User who initiated the change: – provide the name of the user whose changes you want to ignore as shown in the "Who" column of reports and Activity Summaries. Example: mydomain\user1.

    TIP: You can provide the "System" value to exclude events that contain "System" instead of an account name in the "Who" column.

  • Windows Server which setting was changed: – provide the name of the server in your IT infrastructure whose changes you want to ignore as shown in the "What" column of reports and Activity Summaries. Example: winsrv2016-01.mydomain.local.
  • Setting changed: – provide the name for unwanted settings as shown in the "What" column in reports and Activity Summaries. Example: System Properties*.

NOTE: You can use a wildcard (*) to replace any number of characters in filters.
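
The following added example (not Netwrix code) models the AND logic and the * wildcard described above, so that a proposed restriction can be checked against sample events before it hides them from reports. The field names, case-insensitive matching, the treatment of an empty field as "no constraint", and the sample events are assumptions made for illustration.

```python
import re

# Hypothetical labels for the three filter fields described on this page.
FIELDS = ("who", "server", "setting")

def wildcard_to_regex(pattern):
    """Compile a filter value in which '*' replaces any number of characters."""
    parts = (re.escape(p) for p in pattern.split("*"))
    # Assumption: matching is case-insensitive and covers the whole value.
    return re.compile(".*".join(parts), re.IGNORECASE)

def is_excluded(event, restriction):
    """AND logic: every field set in the restriction must match the event."""
    for field in FIELDS:
        value = restriction.get(field)
        if not value:  # Assumption: an empty field places no constraint.
            continue
        if not wildcard_to_regex(value).fullmatch(event.get(field, "")):
            return False
    return True

def suppressed(events, restriction):
    """Return the events that a restriction would remove from the monitoring scope."""
    return [e for e in events if is_excluded(e, restriction)]

# Constructed sample events (not real product output).
SAMPLE_EVENTS = [
    {"who": "System", "server": "winsrv2016-01.mydomain.local",
     "setting": "System Properties\\Computer Name"},
    {"who": "mydomain\\user1", "server": "winsrv2016-01.mydomain.local",
     "setting": "System Properties\\Computer Name"},
    {"who": "System", "server": "winsrv2016-02.mydomain.local",
     "setting": "Local Users and Groups\\Administrators"},
]

# All three fields set: only the matching "System" event on one server is hidden.
NARROW = {"who": "System", "server": "winsrv2016-01.mydomain.local",
          "setting": "System Properties*"}
# One field set: every "System" event is hidden, including the group change.
BROAD = {"who": "System"}

if __name__ == "__main__":
    for name, restriction in (("NARROW", NARROW), ("BROAD", BROAD)):
        hidden = suppressed(SAMPLE_EVENTS, restriction)
        print(f"{name} hides {len(hidden)} of {len(SAMPLE_EVENTS)} events")
        for e in hidden:
            print("   ", e["who"], "|", e["server"], "|", e["setting"])
```

A restriction with fewer fields set matches more events, so the broad filter in this model also hides the change to the Administrators group.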

TIP: In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. Review the following for more information: Exclude Objects from Monitoring Scope

Review your data source settings and click Add to go back to your plan. The newly created data source will appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add Items for Monitoring for more information.