Product: Netwrix Auditor
Product Homepage: click here
Free Trial: click here
Lately the subject of administrative audit logging has been getting a lot of attention. Many organizations track administrative activity in response to regulatory requirements or as a way of determining whether or not their systems have been compromised.
One of the problems that has long made administrative auditing difficult however, is that there is no central audit log. Windows Server itself maintains several different event logs. Furthermore, applications such as SharePoint and Exchange Server maintain their own audit logs as well, as do enterprise hypervisors.
Netwrix claims to be able to solve this problem with a product called Netwrix Auditor. Netwrix Auditor provides centralized reporting on changes through the entire IT infrastructure, also filling gaps and eliminating noise in native audit logs for operating systems, applications, and hypervisors. Needless to say, I had to take a look.
Normally when I review a product, I like to write about the ease or difficulty of the installation and initial configuration. In this case however, Netwrix provided me with remote access to a pre-configured test system. As such, I cannot give a firsthand account of the deployment process.
Netwrix Auditor got my attention the moment that I logged into the remote environment that had been configured for me. Normally when I write a product review I make it a point to not read the product documentation ahead of time. The reason why I do that is because I like to be able to objectively judge how intuitive the software is, and I feel that if I can use the software without reading the manual then it’s a pretty good indication that others will be able to do the same.
I tell you this as a way of pointing out that I didn’t initially know a lot about Netwrix Auditor. I hadn’t even initially read about the product’s features. Instead, I put myself in the position of an administrator who was logging in to perform an administrative action. As soon as I logged in, however, there was a screen that immediately got my attention.
As you can see in Figure A, I was immediately met with a message stating that my activity was being monitored. Although it is pretty common for organizations to display a message similar to this one immediately after login, it wasn’t the message that got my attention. It was the title of the dialog box containing the message – Netwrix User Activity Video Reporter. As it turns out, Netwrix Auditor not only logs administrative activity, it actually captures video of the activity as it occurs!
Figure A: Netwrix Auditor records screen video of administrative activity.
Rather than jumping directly into the videos, I decided to first take a look at the Enterprise Overview portion of the Netwrix Auditor console. The Enterprise Overview provides a collection of dashboards and reports that you can use to track the administrative actions that have been made within your organization.
If you look at Figure B, you can see that selecting the Enterprise Overview container causes a dashboard to be displayed. This dashboard shows the number of changes that have occurred on each date, the servers that have received the most changes, the users who made the most changes, and the object types that were the most frequently audited. You can view this information for all audited system types (Windows, Exchange Server, etc.) or you can use a simple drop down list to see specific activity (such as information pertaining only to Exchange Server).
Figure B: The Enterprise Overview displays administrative activity in a graphical format.
Next, I decided to drill down into some of the reports that are accessible beneath the console’s Enterprise Overview container. I write a lot of software reviews and one of my big pet peeves is bloated reporting engines. I have reviewed far too many products that provide a huge number of reports, even though only a hand full of those reports are actually useful. However, this wasn’t the case with Netwrix Auditor. The reports that were available were well organized and were very useful.
The reports are arranged by monitored product (Exchange Server, SharePoint, etc.). For each monitored product, there are four reports. For most of the monitored products these reports are:
- All Changes by Date
- All Changes by Object Type
- All Changes by Server
- All Changes by User
In some cases the reports vary a little bit based on the product that is being monitored. For example, the SharePoint report examines changes by site collection instead of by server.
When you run a report, there are a number of different filters that you can apply. For example, you can filter based on the date range, what changed, who made the change, the object type, etc. You can see what the Report Filters screen looks like in Figure C. This figure also shows which reports are available for the various products.
Figure C: You can filter the reports based on a number of criteria.
The reports themselves are well laid out and are easy to read. They show you exactly what changed, who made the change, and when. I especially liked that the action type was color coded. You can see what a report looks like in Figure D.
Figure D: This is what a report looks like.
In case you are wondering, the reports can be printed or they can be exported to PDF, Microsoft Word, or to an Excel spreadsheet.
Incidentally, these aren’t the only reports that are available. The Managed Objects section allows you to access a wide variety of reports for specific object types (such as file servers). These reports include things like successful or failed read attempts or modification attempts.
One of the really beneficial things about Netwrix Auditor is that it monitors the entire virtual environment configuration I have seen monitoring products that focus solely on applications and virtual machines, while ignoring the underlying virtual platform, so it was nice to see that Netwrix took the time to provide virtual environment level auditing.
As of now, Netwrix Auditor provides change auditing of VMware virtual environment. The demo environment that I was provided with was based around VMware, so I was able to take a look at the auditing capabilities that exist.
The console’s VMware container provides access to the VMware auditing functionality. This feature tracks changes that are made to the VMware inventory and then sends daily reports (or summaries) to a set of designated recipients. You can see what this screen looks like in Figure E.
Figure E: The VMware Change auditing feature tracks changes to the VMware Inventory.
If you look at the figure above, you will notice that there is a container called Reports that is located just beneath the VMware container. The Reports container offers a truly impressive array of reports. You can either view all of the recent VMware changes filtered by date, object type, or user, or you can access a granular set of best practices reports. Best practices reports are grouped into containers for things like clusters, data stores, and virtual machines, with each container providing access to multiple reports. For instance the Cluster related best practices reports include reporting information for things like cluster changes, clusters added, and clusters removed. Reports can be filtered by date range, user, or action. You can see some of the available report containers in Figure F.
Figure F: Netwrix provides a truly impressive collection of virtualization related reports.
In addition, a Sessions container provides data related to session date / time, managed objects, and status.
When I write reviews for this site, it has become customary to assign the product a rating from 1 to 5 (with 5 being the best). As such, I am giving Netwrix Auditor a score of 4.7, which is a VirtualizationAdmin.com Gold Award.
Overall I really liked Netwrix Auditor. The software was easy to use and I didn’t find any obvious bugs. Even so, the product’s documentation could stand to be improved.
At the beginning of this review I mentioned that I do not like to initially read the documentation so that I could get a feel for how intuitive the product is to use. After spending a considerable amount of time with the product, I never could locate the video playback feature, so I checked into the documentation. The documentation showed how to access videos, but the screen captures showed options that did not exist in my demo environment.
I spent some time on the Netwrix Web site looking for answers and learned that Netwrix Auditor is modular and that the various modules are licensed separately (such as an auditor for SharePoint). However, I couldn’t find anything related to the video playback feature. The experience left me scratching my head.
Aside from this one complaint however, I really liked the software, I found it to be very intuitive and I think that it provides exactly the right amount of auditing detail. Sufficient information is given about administrative actions without the collected information being overwhelming. All in all, I would have to say that this is a solid product.
WindowsNetworking.com Rating 4.7/5