Netwrix Auditor features built-in components for auditing popular applications, infrastructure servers, and storage systems. It also provides a RESTful API for bringing in data from custom systems that are not yet supported as data sources out of the box. Netwrix Auditor architecture and the interactions between its components are shown in the figure below.
Netwrix Auditor Server — the key part of Netwrix Auditor that performs audit data collection, transfer and processing. It comprises several components responsible for gathering audit trails from a variety of data sources (audited systems).
Integration API — a RESTful API that allows you to collect data from custom data sources (those not yet supported out of the box), to access and analyze that data, as well as to integrate your existing SIEM solution with Netwrix Auditor.
Data sources — entities that represent the types of audited systems supported by Netwrix Auditor (for example, Active Directory, Exchange Online, NetApp filer, and so on), or the areas you are interested in (for example, Group Policy, User Activity, and so on).
Long-Term Archive — a file-based repository that keeps data in compressed form for a long period of time (the default retention period is 120 months). It can store audit data collected by Netwrix Auditor or imported using the Integration API.
Audit database — a Microsoft SQL Server database used as operational storage for browsing recent data, running search queries, and generating reports and alerts. The default retention period for this data is 180 days. Usually, data collected from a given data source (for example, Exchange Server) is stored both in the archive and in a dedicated Audit database, so there can be as many databases as there are data sources you want to process.
Netwrix Auditor Client — a component that provides a friendly interface to authorized personnel who can use this console UI to manage Netwrix Auditor settings, examine alerts, reports and search results. Other users can obtain audit data by email or with 3rd party tools — for example, reports can be provided to the management team via the intranet portal.
General workflow stages are as follows:
- Authorized administrators prepare IT infrastructure and data sources they are going to audit, as recommended in Netwrix Auditor documentation and industry best practices; they use Netwrix Auditor client (management UI) to set up automated data processing.
- Netwrix Auditor collects audit data from the specified data source (application, server, storage system, and so on).
To provide a coherent picture of changes that occurred in the audited systems, Netwrix Auditor is capable of consolidating data from multiple independent sources (event logs, configuration snapshots, change history records, etc.). This capability is implemented with Netwrix Auditor Server and Integration API.
NOTE: For details on custom data source processing workflow, refer to the Integration API documentation.
- Audit data is stored in the Audit database and in the repository (Long-Term Archive) and preserved there according to the corresponding retention settings.
- To enable historical data analysis, Netwrix Auditor can extract data from the repository and import it to the Audit database, where it becomes available for search queries and report generation.
- To report and alert on events and configuration changes, Netwrix Auditor offers a variety of predefined SSRS-based reports, built-in alerts and dashboards. They can be accessed by authorized users via the Netwrix Auditor client UI. Other users can obtain the data they need via email or 3rd party tools.
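The following Python script is an added example, not code from Netwrix or from the Integration API documentation. It illustrates the collection stage for a custom data source: one event from a hypothetical application log is parsed, mapped onto an activity record, and packaged as a POST to the Integration API so that it lands in the Audit database and Long-Term Archive alongside data from built-in sources. The endpoint path, port 9699, Basic authentication, and the record field names are assumptions to verify against the Integration API documentation; the log line and its key=value format are constructed for the example.

```python
# Added example, not part of Netwrix's documentation or product code.
# It turns one event from a hypothetical custom application log into an
# Integration API activity record and prepares the HTTP request that
# submits it to Netwrix Auditor Server.
#
# Assumptions (verify against the Integration API documentation before use):
#   - endpoint: https://<server>:9699/netwrix/api/v1/activity_records (POST)
#   - HTTP Basic authentication over TLS
#   - JSON body: a list of records with the field names used below
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample log line (key=value format invented for this example)
SAMPLE_LOG_LINE = (
    "2024-03-05T09:41:12Z user=j.smith action=Modified object=Setting "
    "path=/app/config/max_sessions host=app01 before=50 after=500"
)

REQUIRED = ("user", "action", "object", "path", "host")


def parse_log_line(line):
    """Split 'timestamp key=value ...' into a dict; reject lines missing required keys."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"log line missing fields: {missing}")
    fields["timestamp"] = timestamp
    return fields


def to_activity_record(fields, monitoring_plan, data_source):
    """Map parsed fields onto the activity record structure (assumed field names)."""
    when = datetime.strptime(fields["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    record = {
        "Who": fields["user"],
        "Action": fields["action"],           # e.g. Added / Modified / Removed
        "ObjectType": fields["object"],
        "What": fields["path"],
        "When": when.isoformat(),             # ISO 8601 with explicit UTC offset
        "Where": fields["host"],
        "MonitoringPlan": {"Name": monitoring_plan},
        "DataSource": data_source,
    }
    # Before/after values go into DetailList so the change shows up in
    # reports and searches the same way changes from built-in sources do.
    if "before" in fields or "after" in fields:
        record["DetailList"] = [{
            "PropertyName": "Value",
            "Before": fields.get("before", ""),
            "After": fields.get("after", ""),
        }]
    return record


def build_request(server, username, password, records):
    """Prepare the POST; credentials travel as Basic auth, so TLS is mandatory."""
    url = f"https://{server}:9699/netwrix/api/v1/activity_records"
    body = json.dumps(records).encode("utf-8")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Basic {token}")
    return req


def post_records(req, cafile=None):
    """Send the request. Certificate verification stays on: pass the CA that
    signed the Netwrix Auditor Server certificate rather than disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    rec = to_activity_record(parse_log_line(SAMPLE_LOG_LINE), "Custom App", "AppConfig")
    req = build_request("auditor.example.local", "svc_integration", "change-me", [rec])
    print(req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
    # post_records(req, cafile="/etc/ssl/certs/corp-root-ca.pem")  # uncomment to submit
```

Run the script as-is to see the request that would be sent without contacting a server. When wiring this up for real, use a dedicated integration account with only the rights the API needs, keep the credentials out of the script, and never turn off certificate verification to work around an untrusted server certificate, since the Basic authentication header is only as safe as the TLS channel it rides on.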