Can the Netwrix Auditor applications for file storage (Windows File Servers, NetApp and EMC) handle large amounts of data, e.g. terabytes or petabytes?
Provided that the audited file system environment is properly configured, large amounts of data are not a problem.
When evaluating the product or planning its deployment, start by defining the audit scope and the goals you want to achieve – it is very unlikely that all these petabytes of data need the same level of auditing. In particular, locate the following:
- File shares containing the most sensitive data, which require the closest control (such as control over read attempts, both successful and failed, state-in-time data and alerts on critical actions).
- File shares containing regular data that don’t require as much attention as sensitive data. Enabling auditing of reads on such file shares (especially successful reads) would produce a massive flow of useless audit data that would most likely never be reviewed by anyone.
- File shares containing files that are constantly changed or accessed, such as QuickBooks or database files, or shares containing user profiles. Organizations may want either to avoid auditing changes and reads of such files, since this would also produce a massive flow of useless audit data (that would most likely never be reviewed by anyone), or at least to track only permission changes on such shares.
Once the data is located and graded from most sensitive to least sensitive, you can configure the audit scope differently for each type of data.
By sorting your data this way, you achieve two goals:
- Reduced load on the file server. If you enabled read auditing on a petabyte of data, the server would likely go down before Netwrix Auditor collected any audit data at all.
- Collection of the most useful and valuable audit data. If you audited this entire massive volume of data, real incidents would most likely be buried in dozens of logs.
To handle different audit scopes, you will need several monitoring plans, specifically because of the following technical peculiarities:
- Data collection: Netwrix Auditor starts a separate process for every item in every plan, and each process has a RAM limit of 2 GB. Note that it isn’t necessary to create numerous monitoring plans – you can add different shares as different items to one plan.
- Reporting: state-in-time reports usually use data provided by one monitoring plan, and if the snapshot is too big, the reports may take hours to compile.
Usually, users simply specify the root location where all of their file shares reside. However, to achieve the two goals mentioned above when processing such a massive amount of data, the file shares should be added to the monitoring plans one by one. You may want to automate the process of adding items; for that, it is recommended to contact Netwrix technical support.
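As an added example (not from this KB article and not Netwrix's own tooling), the following PowerShell applies the three-tier scope described above to the file server's own audit settings, since for Windows File Servers the object-access events that Netwrix Auditor collects are generated from these SACLs. It assumes constructed share roots under D:\Shares, an elevated session holding SeSecurityPrivilege, and that "Audit File System" is enabled in the advanced audit policy; the tier names, paths and the Set-TierAuditRule function are hypothetical.

```powershell
# Added example, not part of the Netwrix KB. Applies a per-tier object-access audit
# rule (SACL) to each share root so that Windows logs only what that tier needs.
# Assumptions: paths are local share roots on the file server, the script runs elevated
# (Get-Acl -Audit needs SeSecurityPrivilege), and "Audit File System" is enabled in the
# advanced audit policy. Share list and tier names below are constructed sample data.
$shares = @(
    @{ Path = 'D:\Shares\Finance';  Tier = 'Sensitive' },   # reads + changes, success and failure
    @{ Path = 'D:\Shares\Projects'; Tier = 'Regular'   },   # changes only, no read auditing
    @{ Path = 'D:\Shares\Profiles'; Tier = 'HighChurn' }    # permission/ownership changes only
)

# FileSystemRights to audit per tier; ReadData is deliberately absent below Sensitive,
# because successful reads on regular or high-churn shares only flood the log.
$tierRights = @{
    Sensitive = 'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'
    Regular   = 'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'
    HighChurn = 'ChangePermissions,TakeOwnership'
}

function Set-TierAuditRule {
    param([string]$Path, [string]$Tier, [switch]$Apply)
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]$tierRights[$Tier],
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure')
    $acl = Get-Acl -Path $Path -Audit
    # Drop explicit audit rules left from a previous tier so entries do not accumulate
    foreach ($old in $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])) {
        [void]$acl.RemoveAuditRule($old)
    }
    $acl.AddAuditRule($rule)
    if ($Apply) {
        Set-Acl -Path $Path -AclObject $acl
        "{0} ({1}): audit rule applied" -f $Path, $Tier
    } else {
        "{0} ({1}): would audit {2}" -f $Path, $Tier, $tierRights[$Tier]
    }
}

# Dry run first; add -Apply once the output matches the intended scope.
foreach ($s in $shares) { Set-TierAuditRule -Path $s.Path -Tier $s.Tier }
```

Because Netwrix Auditor can also configure audit settings automatically for items in a monitoring plan, run this only where you manage the file server's SACLs yourself; otherwise the two configurations will overwrite each other.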
Original KB Article 2115