How does Netwrix Auditor for VMware work

6.5 and older

The product runs on a schedule (once per day by default). To generate change and inventory reports, it collects the following data:
– Auditing events (generated on the monitored ESX server/vCenter)
– Virtual environment objects and their properties (used to build snapshots of the monitored virtual environment)

To collect the auditing events, the product uses the VMware API's EventHistoryCollector, which retrieves auditing events from the specified ESX server or vCenter. In other words, the product simply asks the monitored ESX server or vCenter for the auditing events it holds; it has no direct access to the audit log files or databases on the monitored ESX server or vCenter (all these operations are handled by the VMware API).

Before gathering new auditing events, the VMware data collector looks in its repository and identifies the last collected audit event: the event on which the previous data collection stopped and from which the current data collection should start.
For example:
– the previous data collection stopped on an event generated on 12/27/2013 at 6:26 AM
– the first event Netwrix Auditor for VMware expects to receive in the current data collection is that same event, generated on 12/27/2013 at 6:26 AM (the events in the chain must be contiguous, so the new batch has to begin with the last event already collected)

Otherwise (when the first received event was generated later than 12/27/2013 at 6:26 AM), the product treats this as an event overwrite, because it means that part of the event chain is missing: whatever happened between the last collected event and the first event still retained on the server was never recorded in the audit trail.
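The checkpoint-and-overlap logic described above, as an added example that is not Netwrix's code. The vSphere calls a real collector would make (EventManager.CreateCollectorForEvents with an EventFilterSpec time range, then ReadNextEvents) are replaced here by a SimulatedCollector over a constructed event stream, so it runs offline; the event keys, times and messages are made up. The anchor is matched by event key rather than by timestamp, because several vSphere events can share one createdTime.

```python
"""Incremental audit event collection with a one-event overlap to detect gaps.

Constructed example: SimulatedCollector stands in for the vSphere
EventHistoryCollector, and every event below is made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    key: int             # vSphere assigns each event a monotonically increasing key
    created: datetime    # corresponds to the event's createdTime
    message: str


class SimulatedCollector:
    """Stand-in for EventHistoryCollector: returns the retained events whose
    creation time is at or after the requested start time, oldest first."""

    def __init__(self, retained: List[Event]):
        self._events = sorted(retained, key=lambda e: e.key)

    def read_from(self, start: Optional[datetime]) -> List[Event]:
        if start is None:
            return list(self._events)
        return [e for e in self._events if e.created >= start]


@dataclass
class CollectionResult:
    new_events: List[Event]        # events the repository has not stored yet
    overwrite_detected: bool       # True when the anchor event could not be re-read
    checkpoint: Optional[Event]    # where the next collection should start from


def collect(collector: SimulatedCollector, checkpoint: Optional[Event]) -> CollectionResult:
    """Read events from the checkpoint onward. The query is inclusive on purpose:
    the first event returned must be the checkpoint itself, which proves the
    event chain is unbroken since the previous run."""
    if checkpoint is None:
        # First collection ever: nothing to anchor to, so take everything retained.
        batch = collector.read_from(None)
        return CollectionResult(batch, False, batch[-1] if batch else None)

    batch = collector.read_from(checkpoint.created)
    # Compare by key, not by time: several events can share a timestamp.
    anchor_present = bool(batch) and batch[0].key == checkpoint.key
    new_events = [e for e in batch if e.key > checkpoint.key]
    new_checkpoint = new_events[-1] if new_events else checkpoint
    return CollectionResult(new_events, not anchor_present, new_checkpoint)


def demo():
    """Two constructed runs against the same anchor: one contiguous, one with a gap."""
    base = datetime(2013, 12, 27, 6, 0)
    # One event every two minutes, so key 13 is the 06:26 AM event from the article's example.
    stream = [Event(k, base + timedelta(minutes=2 * k), f"constructed event {k}")
              for k in range(1, 26)]
    anchor = stream[12]  # key 13, created 06:26

    # Run 1: the host still retains everything from the anchor onward -> contiguous chain.
    contiguous = collect(SimulatedCollector(stream[:20]), anchor)
    # Run 2: the host's buffer rolled over and only keys 16..25 survive -> overwrite.
    rolled_over = collect(SimulatedCollector(stream[15:]), anchor)
    return contiguous, rolled_over


if __name__ == "__main__":
    ok, gap = demo()
    print("contiguous run: overwrite =", ok.overwrite_detected, "new events =", len(ok.new_events))
    print("rolled-over run: overwrite =", gap.overwrite_detected, "new events =", len(gap.new_events))
```

The overwrite flag is what a practitioner should alert on: the collector still ingests the events it can see, but the audit trail between the old checkpoint and the first surviving event is gone, so the collection interval or the vCenter event retention must be adjusted rather than the warning ignored.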
Audit events are stored in different places for different VMware products. A standalone ESX server retains events in memory, and how far back they go depends on the available memory, which is why older events can be overwritten before they are collected. vCenter pulls events from its managed ESX servers and stores them in the vCenter event database. For more details, please refer to this KB article:


Originally KB1844
