SharePoint
NOTE: Prior to configuring your monitoring plan, please read and complete the instructions in the following topics:
-
Protocols and Ports Required – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections
-
Data Collecting Account – Configure data collecting accounts as required to audit your IT systems
-
SharePoint – Configure data source as required to be monitored
Complete the following fields:
| Option | Description |
|---|---|
| Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. |
| Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. |
| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the SharePoint configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. |
| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the State–In–Time Reports topic for additional information. In the Manage historical snapshots section, you can click Manage and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor . If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. |
Review your data source settings and click Add to go back to your plan. The newly created data source will appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See the Add Items for Monitoring topic for additional information.
Troubleshoot SharePoint Auditing
| Problem | Description | KB article |
|---|---|---|
| The "Timeout Expired" error appears during the agent's deployment. | The agent failed to be deployed due to one of the following reasons: - One or several servers are unreachable - The SPAdminV4 service is not started on any of the servers. - The servers within the farm are located in different time zones. - Your SharePoint farm exceeds the recommended capacity limits. Increase DeployTimeout value in %ProgramData%\Netwrix\NetwrixAuditor for SharePoint\ Configuration\ <managed_object_name>\ Commonsettings.config and restart the agent service. | Refer to the Timeout Expired Error on SharePoint Core Service Deployment Knowledge Base article for the solution. |
SharePoint Farm
Complete the following fields:
| Option | Description |
|---|---|
| General | |
| Specify SharePoint farm for monitoring | Enter the SharePoint Central Administration website URL. |
| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select Custom account and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the Data Collecting Account topic for additional information. |
| Core Service | |
| Deploy Netwrix Auditor for SharePoint Core Service | Select deployment method for the Core Service. Select one of the following: - Automatically—The installation will run under the account used to collect data on the SharePoint farm wizard completion. Prior to the Netwrix Auditor for SharePoint Core Service installation, review the following prerequisites and make sure that: - Netwrix Auditor for SharePoint Core Service is going to be installed on the computer that hosts SharePoint Central Administration in the audited SharePoint farm. - .Net Framework 3.5 SP1 is installed on the computer that hosts SharePoint Central Administration in the audited SharePoint farm. - The SharePoint Administration (SPAdminV4) service is started on the target computer. See SharePoint for more information. - The user that is going to run the Core Service installation: - Is a member of the local Administrators group on SharePoint server, where the Core Service will be deployed. - Is granted the SharePoint_Shell_Access role on SharePoint SQL Server configuration database. See Permissions for SharePoint Auditing topic for more information. - Manually—See the Netwrix Auditor Installation and Configuration Guide for more information. During the Netwrix Auditor for SharePoint Core Service installation / uninstallation your SharePoint sites may be unavailable. |
| Changes | |
| Audit SharePoint farm configuration changes | Configuration changes are always audited. |
| Audit SharePoint permissions and content changes | Select change types to be audited with Netwrix Auditor. Netwrix Auditor allows auditing the entire SharePoint farm. Alternatively, you can limit the auditing scope to separate web applications and site collections. To do it, select Specific SharePoint objects and do one of the following: - Click Add, provide the URL to web application or site collection and select object type (Web application or Site collection). - Click Import, select object type (Web application or Site collection), encoding type, and browse for a file that contains a list of web applications and sites. Netwrix Auditor ignores changes to system data (e.g., hidden and system lists or items are not audited). Netwrix Auditor also ignores the content changes to sites and objects on the site collections located on Central Administration web application, but the security changes that occurred there are tracked and reported anyway. |
| Activity | |
| Specify monitoring restrictions | Specify restriction filters to narrow your SharePoint monitoring scope (search results, reports and Activity Summaries). For example, you can exclude site collections document libraries and lists from being audited as they contain public non sensitive data. All filters are applied using AND logic. Click Add and complete the following fields: - User – provide the name of the user as shown in the "Who" column of reports and Activity Summaries. Example: mydomain\user1. - Object URL – provide URL of the objects as shown in the "What" column of reports and Activity Summaries. Example: http://sitecollection/list/document.docx. - Action Type – select what types of actions performed by selected users under the object you want to monitor. Available values: All, Changes, Reads. You can use a wildcard (*) to replace any number of characters in filters. In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. See the Monitoring Planstopic for additional information. |
| Read Access | |
| Audit SharePoint read access | Configure Netwrix Auditor to track read access to lists and list items within your SharePoint farm except for Central Administration web sites. Select Sites only if you want to enable read access auditing on SharePoint sites only. Enable Sites and subsites to track read access on each subsite. Then, do one of the following: - Click Add and provide URL to a SharePoint site. - Click Import, select encoding type, and browse for a file that contains a list of sites. Read access auditing significantly increases the number of events generated on your SharePoint and the amount of data written to the AuditArchive. |