SharePoint Farm

Complete the following fields:

Option Description

Specify SharePoint farm for monitoring

Enter the SharePoint Central Administration website URL.

Specify the account for collecting data

Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select Custom account and enter credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions and access rights as the default account used for data collection. See Data Collecting Account for more information.

Core Service

Deploy Netwrix Auditor for SharePoint Core Service

Select deployment method for the Core Service. Select one of the following:

NOTE: During the Netwrix Auditor for SharePoint Core Service installation / uninstallation your SharePoint sites may be unavailable.


Audit SharePoint farm configuration changes

Configuration changes are always audited.

Audit SharePoint permissions and content changes

Select change types to be audited with Netwrix Auditor.

Netwrix Auditor allows auditing the entire SharePoint farm. Alternatively, you can limit the auditing scope to separate web applications and site collections. To do it, select Specific SharePoint objects and do one of the following:

  • Click Add, provide the URL to web application or site collection and select object type (Web application or Site collection).
  • Click Import, select object type (Web application or Site collection), encoding type, and browse for a file that contains a list of web applications and sites.

NOTE: Netwrix Auditor ignores changes to system data (e.g., hidden and system lists or items are not audited). Netwrix Auditor also ignores the content changes to sites and objects on the site collections located on Central Administration web application, but the security changes that occurred there are tracked and reported anyway.


Specify monitoring restrictions

Specify restriction filters to narrow your SharePoint monitoring scope (search results, reports and Activity Summaries). For example, you can exclude site collections document libraries and lists from being audited as they contain public non sensitive data. All filters are applied using AND logic. Click Add and complete the following fields:

  • User – provide the name of the user as shown in the "Who" column of reports and Activity Summaries. Example: mydomain\user1.

  • Object URL – provide URL of the objects as shown in the "What" column of reports and Activity Summaries. Example: http://sitecollection/list/document.docx.
  • Action Type – select what types of actions performed by selected users under the object you want to monitor. Available values: All, Changes, Reads.

NOTE: You can use a wildcard (*) to replace any number of characters in filters.

TIP: In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. Review the following for more information: Exclude Objects from Monitoring Scope

Read Access

Audit SharePoint read access

Configure Netwrix Auditor to track read access to lists and list items within your SharePoint farm except for Central Administration web sites. Select Sites only if you want to enable read access auditing on SharePoint sites only. Enable Sites and subsites to track read access on each subsite. Then, do one of the following:

  • Click Add and provide URL to a SharePoint site.
  • Click Import, select encoding type, and browse for a file that contains a list of sites.

NOTE: Read access auditing significantly increases the number of events generated on your SharePoint and the amount of data written to the AuditArchive.