Activity Monitor 7.0 Agent and Console Paths
Overview
Netwrix Activity Monitor (NAM) 7.0 has changed its installation and configuration paths from 6.0. This article explains all the different locations and files that the NAM agent and console use.
If collecting SharePoint Online activity for Access Analyzer and upgrading from NAM 7.0 or earlier, review and update the SPAC (SharePoint Activity Auditing) System Scan job query configuration to reflect these new values: SPAA: Activity Log Locations.
Installation Binaries (Default Location)
This section covers installation binary locations only and does not include config files or logs.
Console
NAM Console
%PROGRAMFILES%\Netwrix\Activity Monitor\Console
NAM Agent install packages
Used for deployments, including Windows Agent, Linux Agent, and SI Agent
%PROGRAMFILES%\Netwrix\Activity Monitor\Console\Agents
Windows Agent
NAM Agent
%PROGRAMFILES%\Netwrix\Activity Monitor\Agent
SBTService
Only used for SBTService / Windows monitoring
%PROGRAMFILES%\Stealthbits\StealthAUDIT\FSAC
Windows Activity driver sys file
%WINDIR%\System32\drivers\SBTFSF.sys
SI Agent
Only used for AD activity
%PROGRAMFILES%\Stealthbits\StealthINTERCEPT\SIWindowsAgent
Linux Agent
NAM Agent
/usr/bin/activity-monitor-agentd
Program Data
This section covers program data locations, including config files, logs, and additional data.
Console
Console's list of agents and encrypted credentials
Access restricted to SYSTEM and BUILTIN\Administrators only
%PROGRAMDATA%\Netwrix\Activity Monitor\Console\Agents.ini
NAM Console's license file
%PROGRAMDATA%\Netwrix\Activity Monitor\Console\FileMonitor.lic
NAM Console's Debug Logs
%PROGRAMDATA%\Netwrix\Activity Monitor\Console\DebugLogs
Windows Agent
NAM Agent's config file
%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\SBTFileMon.ini
NAM Agent's SI config File
Only used for AD activity
%PROGRAMFILES%\Stealthbits\StealthINTERCEPT\SIWindowsAgent\SAMConfig.xml
Main SI Agent's Config File
Only used for AD activity
%PROGRAMFILES%\Stealthbits\StealthINTERCEPT\SIWindowsAgent\SIWindowsAgent.exe.Config
NAM Agent's debug logs
%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\DebugLogs
NAM Windows Driver ETW Logs
%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\DebugLogs
Saved Crash Dumps of NAM Services
%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\Dumps
NAM Audit Logs
History of all config changes — also included in the Windows Event Log (Application)
%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\Audit
NAM Journal Logs
History of hosts and output statuses
%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\Journal
NAM Activity Logs
Default location — can be customized
%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\ActivityLogs
Linux Agent
NAM Agent's config file
/usr/bin/activity-monitor-agentd/config/SBTFileMon.ini
NAM Agent's debug logs
/usr/bin/activity-monitor-agentd/DebugLogs
NAM Audit Logs
History of all config changes — also included in the Windows Event Log (Application)
/usr/bin/activity-monitor-agentd/Audit
NAM Journal Logs
History of hosts and output statuses
/usr/bin/activity-monitor-agentd/Journal
NAM Activity Logs
Default location — can be customized
/usr/bin/activity-monitor-agentd/ActivityLogs
Windows Registry Key Location
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters
Values
-
ConfigPath– String (REG_SZ)- Full path of config
SBTFileMon.inifile that the agent is currently using
- Full path of config
-
TraceLevel– DWORD 32-bit (REG_DWORD)- The integer value of the trace level that the product is currently using (for console and agents)
- 0 – Trace
- 1 – Debug
- 2 – Information
- 3 – Warning
- 4 – Fatal
- The integer value of the trace level that the product is currently using (for console and agents)