Netwrix Auditor delivers comprehensive auditing of a broad range of systems, applications and storage systems. Its RESTful API simplifies integration with other applications and systems that are not yet supported out of the box. The Netwrix Auditor architecture and the interactions between its components are shown in the figure below.
Netwrix Auditor Server — the central component that handles the collection, transfer and processing of audit data from the various data sources (audited systems).
Integration API — a RESTful API that enables you to collect data and analyze data from data sources not yet supported out of the box, as well as to send data from Netwrix Auditor to systems such as your SIEM solution.
Data sources — entities that represent the types of audited systems supported by Netwrix Auditor (for example, Active Directory, Exchange Online, NetApp filer, and so on), or the areas you are interested in (for example, Group Policy, User Activity, and so on).
Long-Term Archive — a file-based repository that keeps the audit data collected from all your data sources, or imported using the Integration API, in a compressed format for a long period of time. The default retention period is 120 months.
Audit database — a Microsoft SQL Server database used as operational storage for browsing recent data, running search queries, and generating reports and alerts. The default retention period for this data is 180 days. Usually, data collected from a given data source (for example, Exchange Server) is stored both in the archive and in a dedicated Audit database, so there can be as many databases as there are data sources you want to process.
Netwrix Auditor Client — a component that provides a user-friendly interface for authorized personnel, who use this console UI to manage Netwrix Auditor settings and examine alerts, reports and search results. Other users can obtain audit data by email or with third-party tools — for example, reports can be provided to the management team via the intranet portal.
General workflow stages are as follows:
- Authorized administrators prepare IT infrastructure and data sources they are going to audit, as recommended in Netwrix Auditor documentation and industry best practices; they use Netwrix Auditor client (management UI) to set up automated data processing.
- Netwrix Auditor collects audit data from the specified data source (application, server, storage system, and so on).

  To provide a coherent picture of changes that occurred in the audited systems, Netwrix Auditor can consolidate data from multiple independent sources (event logs, configuration snapshots, change history records, etc.). This capability is implemented with Netwrix Auditor Server and Integration API.

  NOTE: For details on the custom data source processing workflow, refer to the Integration API documentation.
- Audit data is stored in the Audit database and in the repository (Long-Term Archive) and preserved there according to the corresponding retention settings.
- Netwrix Auditor analyzes the incoming audit data and alerts appropriate staff about critical changes, according to the built-in alerts you choose to use and any custom alerts you have created. Authorized users use the Netwrix Auditor Client to view prebuilt dashboards, run predefined reports, conduct investigations, and create custom reports based on their searches. Other users obtain the data they need via email or third-party tools.
To enable historical data analysis, Netwrix Auditor can extract data from the repository and import it into the Audit database, where it becomes available for search queries and report generation.
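The two-tier storage and retention model described above (180-day Audit database, 120-month Long-Term Archive, import from the archive for historical analysis) is easy to get wrong when planning an investigation. The following is an added illustration, not Netwrix code: it classifies constructed activity records by storage tier using the page's default retention periods and reports which records an investigator must first import from the archive, and whether the requested window reaches beyond archive retention (an evidence gap). The record shape and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Default retention periods stated in the Netwrix Auditor architecture overview.
AUDIT_DB_RETENTION_DAYS = 180      # operational storage (SQL Server Audit database)
ARCHIVE_RETENTION_MONTHS = 120     # file-based Long-Term Archive


@dataclass(frozen=True)
class ActivityRecord:
    """Constructed stand-in for one collected audit record (hypothetical shape)."""
    when: date
    source: str
    detail: str


def archive_cutoff(today: date, months: int = ARCHIVE_RETENTION_MONTHS) -> date:
    """Earliest date still covered by the archive, counting whole months back."""
    y, m = divmod(today.year * 12 + (today.month - 1) - months, 12)
    return date(y, m + 1, min(today.day, 28))  # clamp the day so any month is valid


def tier_for(record: ActivityRecord, today: date,
             db_days: int = AUDIT_DB_RETENTION_DAYS,
             archive_months: int = ARCHIVE_RETENTION_MONTHS) -> str:
    """'audit_db' (searchable now), 'archive_only' (import needed) or 'expired'."""
    age_days = (today - record.when).days
    if age_days < 0:
        raise ValueError("record is dated in the future")
    if age_days <= db_days:
        return "audit_db"
    if record.when >= archive_cutoff(today, archive_months):
        return "archive_only"
    return "expired"


def plan_investigation(records, window_start: date, window_end: date, today: date) -> dict:
    """Split records in the window by tier and flag a window that predates the archive."""
    searchable, to_import = [], []
    for r in records:
        if not window_start <= r.when <= window_end:
            continue  # outside the investigation window
        tier = tier_for(r, today)
        if tier == "audit_db":
            searchable.append(r)
        elif tier == "archive_only":
            to_import.append(r)  # must be imported into the Audit database first
    return {
        "searchable": searchable,
        "import_from_archive": to_import,
        "evidence_gap": window_start < archive_cutoff(today),
    }
```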