Netwrix Auditor

for VMware
Quick-Start Guide
Version: 9.5
10/25/2017
Legal Notice

The information in this publication is furnished for information use only, and does not constitute a
commitment from Netwrix Corporation of any features or functions, as this publication may describe
features or functionality not applicable to the product release or version you are using. Netwrix makes no
representations or warranties about the Software beyond what is provided in the License Agreement.
Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented,
which is subject to change without notice. If you believe there is an error in this publication, please report
it to us in writing.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product
or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Microsoft,
Active Directory, Exchange, Exchange Online, Office 365, SharePoint, SQL Server, Windows, and Windows
Server are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. All other trademarks and registered trademarks are property of their respective
owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products.
Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure
that this information accurately reflects the information provided by the supplier, please refer to the
materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix
Corporation assumes no responsibility or liability for incorrect or incomplete information provided about
non-Netwrix products.

© 2017 Netwrix Corporation.

All rights reserved.

2/23
Table of Contents
1. Introduction 4

1.1. Netwrix Auditor Overview 4

2. Netwrix Auditor System Requirements 5

2.1. Supported Data Sources 5

2.2. Requirements to Install Netwrix Auditor 5

2.2.1. Hardware Requirements 5

2.2.2. Software Requirements 6

3. Review Components Checklist 7

3.1. Configure Data Collecting Account 7

4. Install the Product 9

5. Monitoring Plans 11

5.1. Create a New Plan 11

5.1.1. New Monitoring Plan (Data Source) 11

5.1.2. New Monitoring Plan 11

5.1.3. Default SQL Server Instance 12

5.1.4. Audit Database 13

5.1.5. Notifications 13

5.1.6. Recipients 14

5.1.7. Monitoring Plan Summary 14

5.2. Add Items for Monitoring 14

5.2.1. VMware ESX/ESXi/vCenter 14

6. Make Test Changes 15

7. See How Netwrix Auditor Enables Complete Visibility 16

7.1. Review an Activity Summary 17

7.2. Review VMware Overview 18

7.3. Review the All VMware Changes Report 19

7.4. Browse Data with Intelligence Search 19

8. Related Documentation 23

3/23
 Netwrix Auditor for VMware Quick-Start Guide

1. Introduction

1. Introduction
This guide is intended for the first-time users of Netwrix Auditor for VMware. It can be used for evaluation
purposes, therefore, it is recommended to read it sequentially, and follow the instructions in the order they
are provided. After reading this guide you will be able to:

l Install and configure Netwrix Auditor

l Create a monitoring plan to start auditing a virtual infrastructure

l Launch data collection

l See how Netwrix Auditor enables complete visibility

NOTE: This guide only covers the basic configuration and usage options for auditing VMware with Netwrix
Auditor. For advanced installation scenarios and configuration options, as well as for information
on various reporting possibilities and other product features, refer to:

l Netwrix Auditor Installation and Configuration Guide

l Netwrix Auditor Administration Guide

l Netwrix Auditor Intelligence Guide

1.1. Netwrix Auditor Overview

Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control
over changes, configurations and access in hybrid IT environments to protect data regardless of its
location. The platform provides security analytics to detect anomalies in user behavior and investigate
threat patterns before a data breach occurs.

Netwrix Auditor includes applications for Active Directory, Azure AD, Exchange, Office 365, Windows file
servers, EMC storage devices, NetApp filer appliances, SharePoint, Oracle Database, SQL Server, VMware,
and Windows Server. Empowered with a RESTful API and user activity video recording, the platform delivers
visibility and control across all of your on-premises or cloud-based IT systems in a unified way.

Major benefits:

l Detect insider threats—on premises and in the cloud

l Pass compliance audits with less effort and expense

l Increase productivity of IT security and operations teams

Netwrix Auditor for VMware detects and reports on all changes made to ESX servers, folders, clusters,
resource pools, virtual machines and their virtual hardware configuration.

4/23
 Netwrix Auditor for VMware Quick-Start Guide

2. Netwrix Auditor System Requirements

2. Netwrix Auditor System

Requirements
This section lists the requirements for the systems that are going to be audited with Netwrix Auditor, and
for the computer where the product is going to be installed.

2.1. Supported Data Sources

The table below lists systems that can be monitored with Netwrix Auditor for VMware:

Data source Supported Versions

VMware l VMware vSphere (ESX) 4.0 – 6.5

l VMware vSphere Hypervisor (ESXi) 4.0 – 6.5

l VMware vCenter Server 4.0 – 6.5

2.2. Requirements to Install Netwrix Auditor

This section provides the requirements for the computer where Netwrix Auditor is going to be installed.
Refer to the following sections for detailed information:

l Hardware Requirements

l Software Requirements

2.2.1. Hardware Requirements

Review the hardware requirements for Netwrix Auditor installation.

The metrics provided in this section are valid for clean installation on a server without any additional roles
or third part applications installed on it. The use of virtual machine is recommended.

The hardware configuration depends on the size of your monitored environment and the number of
activity records processed by the product per day. Below you can find rough estimations, calculated for
evaluation of Netwrix Auditor for VMware. Refer to Netwrix Auditor Installation and Configuration Guide
for complete information on the Netwrix Auditor hardware requirements.

Hardware component Starter, evaluation, or small environment

Processor 2 cores

5/23
 Netwrix Auditor for VMware Quick-Start Guide

2. Netwrix Auditor System Requirements

Hardware component Starter, evaluation, or small environment

RAM 4 GB

Disk space 100 GB—System drive

100 GB—Data drive (Long-Term Archive and SQL Server)

Screen resolution Minimum 1280 x 1024

Recommended 1920 x 1080 or higher

2.2.2. Software Requirements

The table below lists the software requirements for the Netwrix Auditor installation:

Component Requirements

Operating system l Windows Desktop OS (64-bit): Windows 7 SP1, Windows

8.1, and Windows 10

l Windows Server OS: Windows Server 2008 R2 SP1,

Windows Server 2012/2012 R2, and Windows Server 2016

.NET Framework l Any .NET Frameworks that goes with your OS: 3.5 SP1 ,
4.0, 4.5, or 4.6

Installer l Windows Installer 3.1 and above

6/23
 Netwrix Auditor for VMware Quick-Start Guide

3. Review Components Checklist

3. Review Components Checklist

To speed up the evaluation process, Netwrix recommends you to ensure that the following services and
components are up and running prior to the Netwrix Auditor installation.

Service or component Recommendations

Network and target systems Test connectivity to your data source. Make sure you can access it by its
or servers that work as your NetBIOS and FQDN name from the computer where you intend to
data sources install Netwrix Auditor—use the nslookup command-line tool to look
up domain names.

SQL Server 2014 with SSRS Although Netwrix Auditor provides a convenient interface for
(optional step) downloading SQL Server 2014 Express right from Netwrix Auditor, it is
recommended to deploy SQL Server instance in advance. Test your SQL
Server connectivity.

NOTE: Netwrix Auditor provides an option to verify SSRS settings right

in the Netwrix Auditor.

Test account Netwrix recommends you to create a special account with extensive
privileges. This account should have sufficient permissions to:

l Collect audit data. See Configure Data Collecting Account for more
information.

l Access data stored in the SQL Server instance:

l The account must be assigned the Database owner (db_

owner) role and the dbcreator server role.

l The account must be assigned the Content Manager role on

the SSRS Home folder.

l Make test changes in your environment.

3.1. Configure Data Collecting Account

This service account is specified on the monitoring plan creation and is used to collect audit data from the
data source items. To ensure successful data collection, Netwrix recommends creating a special service
account in advance. The account must comply with the following requirements depending on the data
source.

NOTE: The information in this section is outside the quick-start guide scope and is provided for reference
only. See Netwrix Auditor Installation and Configuration Guide for detailed instructions on how to
configure your Data Processing Account.

7/23
 Netwrix Auditor for VMware Quick-Start Guide

3. Review Components Checklist

Data source Rights and permissions

VMware On the target server:

l At least Read-only role on the audited hosts

8/23
 Netwrix Auditor for VMware Quick-Start Guide

4. Install the Product

4. Install the Product

To install Netwrix Auditor

1. Download Netwrix Auditor 9.5 on Netwrix website.

2. Unpack the installation package. The following window will be displayed on successful operation
completion:

3. Follow the instructions of the setup wizard. When prompted, accept the license agreement.

4. On the Select Installation Type step, select Full installation.

5. On the Destination Folder step, specify the installation folder.

6. On the Netwrix Customer Experience Program step, you are invited to take part in the Netwrix
Customer Experience Program. It is optional on your part to help Netwrix improve the quality,
reliability, and performance of Netwrix products and services. If you accept, Netwrix collects statistical
information on how the Licensee uses the product in accordance with applicable law. Select Skip if
you do not want to participate in the program.

NOTE: You can always opt- out of the Netwrix Customer Experience Program later. See Netwrix
Auditor Administration Guide for instructions on how to cancel participation in the program.

7. Click Install.

9/23
 Netwrix Auditor for VMware Quick-Start Guide

4. Install the Product

After a successful installation, Netwrix Auditor shortcut will be added to the Start menu/screen and the
product will start.

10/23
 Netwrix Auditor for VMware Quick-Start Guide

5. Monitoring Plans

5. Monitoring Plans
To start auditing your environment and analyzing user behavior with Netwrix Auditor, create a monitoring
plan. All your monitoring plans are listed in the Monitoring Plans section.

A monitoring plan defines your data sources and general data collection, notification, and storage settings.
To start collecting data, choose a data source, such as VMware, and add items to its scope. Item is a specific
object you want to audit. All data sources and items in your plan share common settings so that you can
supervise and manage several data collections as one.

On a high level, you should perform the following steps to start monitoring your environment:

1. Specify a data source and create a monitoring plan with a wizard. See Create a New Plan for more
information.

2. Add items for monitoring. Netwrix Auditor does not collect data until you specify an item. See Add
Items for Monitoring for more information.

5.1. Create a New Plan

On the main Netwrix Auditor page, click the All data sources tile in the Quick Start section.

The wizard that appears will help you set up a new plan in a few easy steps:

l Choose a data source for monitoring

l Specify an account for collecting data

l Specify default SQL Server instance and configure the Audit Database to store your data

l Configure notification settings

l Specify the recipients who will receive daily activity summaries

l Specify a plan name

5.1.1. New Monitoring Plan (Data Source)

Specify the VMware tile.

5.1.2. New Monitoring Plan

Option Description

Specify the account for Provide a user name and a password for the account that Netwrix Auditor
collecting data will use to collect data. By default, the user name is prepopulated with your

11/23
 Netwrix Auditor for VMware Quick-Start Guide

5. Monitoring Plans

Option Description

account name.

Make sure the account has sufficient permissions to collect data. For a full list
of the rights and permissions, and instructions on how to configure them,
refer to Netwrix Auditor Installation and Configuration Guide . Netwrix
recommends creating a special service account with extended permissions.

5.1.3. Default SQL Server Instance

To provide search, alerting, and report capabilities, Netwrix Auditor has to store security intelligence data in
the Audit Database hosted on a SQL Server instance. Make sure the Disable security intelligence and
make data available only in activity summaries checkbox is cleared.

Specify one of the following options:

l Install a new instance of Microsoft SQL Server Express automatically — Select if you want
Netwrix Auditor to download and configure SQL Server 2014 Express with Advanced Services.

l Use an existing SQL Server instance —Select to continue using an installed SQL Server instance.
Netwrix Auditor detects local SQL Server instance automatically and prepopulates the fields.
Complete the following fields:

Option Description

SQL Server instance Specify the name of the SQL Server instance to store audit data.

Authentication Select the authentication type you want to use to connect to the
SQL Server instance:

l Windows authentication

l SQL Server authentication

User name Specify the account to be used to connect to the SQL Server
instance.

NOTE: This account must be granted the database owner (db_

owner) role and the dbcreator server role. See Netwrix
Auditor Installation and Configuration Guide for more
information.

Password Enter a password.

12/23
 Netwrix Auditor for VMware Quick-Start Guide

5. Monitoring Plans

5.1.4. Audit Database

Specify a database name to store security intelligence data for your monitoring plan or disable this
functionality. Make sure the Disable security intelligence and make data available only in activity
summaries checkbox is cleared and Use default SQL Server settings is checked.

Netwrix Auditor will create a database on the SQL Server instance you specify.

5.1.5. Notifications
Specify the email settings that will be used for activity summaries, reports and alerts delivery. Netwrix
Auditor automatically detects SMTP settings or you can provide them manually. Complete the following
fields:

Option Description

SMTP server Enter your SMTP server address. It can be your company's Exchange
server or any public mail server (e.g., Gmail, Yahoo).

Port number Specify your SMTP server port number.

Sender address Enter the address that will appear in the From field.

NOTE: It is recommended to click Send Test Email. The system will send
a test message to the specified email address and inform you if
any problems are detected.

SMTP authentication Select this checkbox if your mail server requires the SMTP
authentication.

User name Enter a user name for the SMTP authentication.

Password Enter a password for the SMTP authentication.

Use Secure Sockets Layer Select this checkbox if your SMTP server requires SSL to be enabled.
encrypted connection (SSL)

Use implicit SSL Select this checkbox if the implicit SSL mode is used, which means that
authentication an SSL connection is established before any meaningful data is sent.

Enforce certificate validation Select this checkbox if you want to verify security certificate on every
to ensure security email transmission.

13/23
 Netwrix Auditor for VMware Quick-Start Guide

5. Monitoring Plans

5.1.6. Recipients
Specify the users who will receive daily activity summaries that list changes that occurred for a given time
period. Click Add Recipient and enter your email.

NOTE: It is recommended to click Send Test Email . The system will send a test message to the specified
email address and inform you if any problems are detected.

5.1.7. Monitoring Plan Summary

Your plan is almost complete. Provide a name and description for your monitoring plan. Make sure the Add
item now checkbox is selected. In this case, on the next step, you will be prompted to add an item for
monitoring.

5.2. Add Items for Monitoring

Once you completed monitoring plan wizard and specified data sources, add items for monitoring.

Each data source has a dedicated item type. Netwrix Auditor automatically suggests item types associated
with your data source.

5.2.1. VMware ESX/ESXi/vCenter

Complete the following fields:

Option Description

Specify VMware ESX, ESXi, or Specify the ESX or ESXi host URL, or vCenter Server URL.
vCenter for monitoring

Specify the account for Select the account that will be used to collect data for this item.
collecting data

14/23
 Netwrix Auditor for VMware Quick-Start Guide

6. Make Test Changes

6. Make Test Changes

Now that the product has collected a snapshot of the data source's current configuration state, you can
make test changes to see how they will be reported by Netwrix Auditor.

For example, make the following test changes:

l Create a virtual machine

l Modify the virtual machine's name

NOTE: Before making any test changes to your environment, ensure that you have the sufficient rights,
and that the changes conform to your security policy.

15/23
 Netwrix Auditor for VMware Quick-Start Guide

7. See How Netwrix Auditor Enables Complete Visibility

7. See How Netwrix Auditor Enables

Complete Visibility
After you have made test changes to your environment, you can see how Netwrix Auditor brings security
intelligence into your IT infrastructure and enables complete visibility. Take a closer look at the Intelligence
section. It contains everything you need to enable complete visibility in your environment.

This chapter explains how to review your test changes with some of the Intelligence options and Activity
Summary. Review the following for additional information:

l Review an Activity Summary

l Review VMware Overview

l Review the All VMware Changes Report

l Browse Data with Intelligence Search

In order not to wait for a scheduled Activity Summary generation, force data collection and email delivery.

To launch data collection manually

1. Navigate to Monitoring Plans and select your plan in the list.

2. Click Edit.

3. In the your monitoring plan settings, click Update in the right pane.

4. Check your mailbox for an email notification and make sure that the data collection has completed
successfully.

16/23
 Netwrix Auditor for VMware Quick-Start Guide

7. See How Netwrix Auditor Enables Complete Visibility

7.1. Review an Activity Summary

An Activity Summary is email that lists all changes that occurred since the last Activity Summary delivery. By
default, an Activity Summary is generated daily at 3:00 AM and delivered to the specified recipients. You can
also launch data collection and an Activity Summary generation manually.

After the data collection has completed, check your mailbox for an Activity Summary and see how your test
changes are reported:

The example Activity Summary provides the following information:

Column Description

Action Shows the type of action that was performed on the object.

Object Type Shows the type of the object.

What Shows the name of the changed object or its path.

Item Shows the item associated with the selected monitoring plan.

Where Shows VMware Center URL (click on the link to navigate to this object).

Who Shows the name of the account under which the change was made.

When Shows the exact time when the change occurred.

Details Shows the before and after values of the modified object, object attributes, etc.

17/23
 Netwrix Auditor for VMware Quick-Start Guide

7. See How Netwrix Auditor Enables Complete Visibility

7.2. Review VMware Overview

Enterprise diagram provides a high-level overview of activity trends by date, user, server, object type or
data source in your IT infrastructure. The Enterprise diagram aggregates data on all monitoring plans and
all data sources, while system-specific diagrams provide quick access to important statistics within one data
source.

After collecting initial data, making test changes to your environment and running data collection again,
you can get at-a-glance statistics for changes with the VMware Overview.

To see how your changes are reported with VMware Overview

1. On the main Netwrix Auditor page, navigate to the Intelligence section and click the Reports tile.

2. Expand the Predefined → VMware reports.

3. Select the VMware Overview report and click View.

4. Review your changes.

5. Click on any chart to jump to a table report with the corresponding grouping and filtering of data.

18/23
 Netwrix Auditor for VMware Quick-Start Guide

7. See How Netwrix Auditor Enables Complete Visibility

7.3. Review the All VMware Changes Report

The Netwrix Auditor client provides a variety of predefined reports that aggregate data from the entire
audited IT infrastructure or individual data sources.

Change and activity reports can be found under the Reports → Predefined → VMware and provide a
narrower insight into what is going on in the audited infrastructure and help you stay compliant with
various standards and regulations (FISMA, HIPAA, PCI, SOX, etc.).

After collecting initial data, making test changes to your environment and running data collection again,
you can take advantage of the reports functionality.

To see how your changes are listed in the report

1. On the main Netwrix Auditor page, navigate to Reports → Predefined → VMware.

2. Select the All VMware Changes report.

3. Click View to open the report.

7.4. Browse Data with Intelligence Search

Netwrix Auditor delivers complete visibility into your IT infrastructure. Its convenient interactive search
interface enables you to investigate incidents and browse data collected across the entire IT infrastructure.
When running a search, you are not limited to a certain data source, change type, or object name. You can
create flexible searches that provide you with precise results on who changed what, and when and where
each change was made.

After collecting initial data, making test changes to your environment and running data collection again,
you can review changes in details with Intelligence search.

19/23
 Netwrix Auditor for VMware Quick-Start Guide

7. See How Netwrix Auditor Enables Complete Visibility

To browse your audit data and see you test changes

1. On the main Netwrix Auditor page, navigate to Intelligence → Search.

2. Add search filters to your search by clicking on a corresponding icon and providing a value. By default,
all entries that contain this filter value are shown. For an exact match, use quotation marks.

Filters are used to narrow your search results. To create a unique set of filters, you can:

l Add different filters to your search. Search results will be sorted by all selected filters since they
work as a logical conjunction (e.g., Who: Administrator AND Action: Added).

l Specify several values in the same filter to search for any of them (e.g., Action: Modified OR
Action: Removed). To do this, select a filter again and specify a new value.

For example, consider adding these filters:

Filter Value

Specify your VMware host name.

Specify a timeframe.

NOTE: Refer to Netwrix Auditor Intelligence Guide for detailed instructions on how to apply filters
and change match types.

As a result, you will see the following filters in the Search field:

3. Click Search.

4. Now, you can narrow your search and modify it right from the search results pane. Double-click any

20/23
 Netwrix Auditor for VMware Quick-Start Guide

7. See How Netwrix Auditor Enables Complete Visibility

entry that contains excess data, select Exclude from search and specify a filter, e.g., Action: Modified
to leave information on newly created virtual machines only.

Your Search field will be updated, the Action not filter will be added. Make sure to click Search again
to update your search results.

5. Having reviewed your search results, navigate to Tools.

l Click Save as report to save the selected set of filters. This search will be added to the Custom
section inside Reports, so that you will be able to access it instantly. Refer to Netwrix Auditor
Intelligence Guide for detailed instructions on how to create saved searches.

l Click Create alert to get instant email or SMS notifications on suspicious activity that matches
your current search criteria. You only need to specify a name for a new alert, add recipient and
assign a risk score. The selected set of search criteria will be associated with the new alert
automatically. Refer to Netwrix Auditor Administration Guide for detailed instructions on how

21/23
 Netwrix Auditor for VMware Quick-Start Guide

7. See How Netwrix Auditor Enables Complete Visibility

to create and configure alerts.

Try making more similar test changes to provoke an alert. For example:

Once you have received the alert, click the Behavior Anomalies tile on the main Netwrix
Auditor page to see how the product identifies potentially harmful users and displays their risk
scores. Drill- down to user profile to review anomalies and mitigate risks. Refer to Netwrix
Auditor Intelligence Guide for more information on behavior anomalies and risk scores.

22/23
 Netwrix Auditor for VMware Quick-Start Guide

8. Related Documentation

8. Related Documentation
The table below lists all documents available to support Netwrix Auditor for VMware:

Document Description

Netwrix Auditor Online Help Gathers information about Netwrix Auditor from multiple sources and
Center stores it in one place, so you can easily search and access any data you
need for your business. Read on for details about the product
configuration and administration, its security intelligence features, such
as interactive search and alerts, and Integration API capabilities.

Netwrix Auditor Installation Provides detailed instructions on how to install Netwrix Auditor, and
and Configuration Guide explains how to configure your environment for auditing.

Netwrix Auditor Provides step-by-step instructions on how to configure and use the
Administration Guide product.

Netwrix Auditor Intelligence Provides detailed instructions on how to enable complete visibility with
Guide Netwrix Auditor interactive search, report, and alert functionality.

Netwrix Auditor Integration Provides step-by-step instructions on how to leverage Netwrix Auditor
API Guide audit data with on-premises and cloud auditing solutions using RESTful
API.

Netwrix Auditor Release Lists the known issues that customers may experience with Netwrix
Notes Auditor 9.5, and suggests workarounds for these issues.

23/23