File Servers

Complete the following fields:

Option	Description
Monitor this data source and collect activity data	Enable monitoring of the selected data source and configure Netwrix Auditor to collect and store audit data.
Specify actions for monitoring	Specify actions you want to track and auditing mode. Review the following for additional information: Changes Successful Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. Failed Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. Read access Successful Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. NOTE: Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the AuditArchive. Failed Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. NOTE: Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the AuditArchive. NOTE: Actions reported by Netwrix Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing. See Monitored Object Types, Actions, and Attributes for more information.
Specify data collection method	You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. NOTE: To collect data from 32-bit operating systems, network traffic compression must be disabled. To collect data from Windows Failover Cluster, network traffic compression must be enabled. See File Servers for more information.
Configure audit settings	You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. NOTE: This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to Configure IT Infrastructure for Auditing and Monitoring. Some settings cannot be configured automatically. Netwrix Auditor has the following limitations depending on your file server type. File Server SACL Check SACL Adjust Policy Check Policy Adjust Log Check Log Adjust Windows + + + + + + EMC Celerra\VNX + + + — + — EMC Isilon n/a n/a + — n/a n/a NetApp Data ONTAP 7 and 8 in 7-mode + + + + + + NetApp Clustered Data ONTAP 8 and ONTAP 9 + + + + + —

Review your data source settings and click Add to go back to your plan. The newly created data source will appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add Items for Monitoring for more information.

NOTE: Netwrix Auditor supports auditing of DFS and clustered file servers provided that Object Access Auditing is enabled on DFS file shares or every node belonging to the cluster correspondingly.

• When adding a cluster file server for auditing, it is recommended to specify a server name of the Role server or a UNC path of the shared folder located on the Role server.
• When adding a DFS file share for auditing, specify a Windows file share item and provide the UNC path of the whole namespace or UNC path of the DFS link (folder). For example:
  • "\\domain\dfsnamespace\" (domain-based namespace) or "\\server\dfsnamespace\" (in case of stand-alone namespace);
  • "\\domain\dfsnamespace\link" (domain-based namespace) or "\\server\dfsnamespace\link" (in case of stand-alone namespace).
• For recommendations on configuring DFS replication, refer to this Knowledge Base article.