How are collections handled after a network outage on the Netwrix server, or when Domain Controllers are offline for some time?
Active Directory data collections run every 10 minutes (every minute in Netwrix Auditor 9.5 and newer). Provided the Domain Controller security logs are not overwritten while the Netwrix server is off (for however long) or cannot reach the DCs because of a network outage, the data will be processed as soon as the server is turned back on or network connectivity is restored. Security events are not strictly required to determine changes: the security event logs are used only to gather the "When" and "Who Changed" information. Regardless of how long the servers are off or unavailable, all changes will be collected on the next successful collection. If the event logs on the DCs have been overwritten, some changes will show "System" in the 'Who Changed' field and a warning will be raised that event log overwrites occurred.
Example: if the security event log on a domain controller was at its maximum allowed size and completely full, and the oldest event in it was 7 hours old, then that log holds roughly 7 hours' worth of events, so a downtime of about 7 hours could be tolerated without any security event log information being missed.
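As an added example (not from the Netwrix article), the following PowerShell measures that retention window on a DC: how much time the Security log currently covers and, when the log is not yet full, a rough extrapolation of how much it will cover once it wraps. The `$ComputerName` parameter and the extrapolation from current-to-maximum log size are assumptions of this example.

```powershell
# Added example: estimate how long a DC's Security log retains events, i.e. how long
# an outage of the Netwrix server can last before overwrites cause "System" to appear
# in 'Who Changed'. Requires rights to read the Security log on the target DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumed parameter: the DC to inspect
)

$log    = Get-WinEvent -ListLog Security -ComputerName $ComputerName
$oldest = Get-WinEvent -LogName Security -ComputerName $ComputerName -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -ComputerName $ComputerName -MaxEvents 1

# Time span currently covered by retained events (oldest to newest).
$covered = $newest.TimeCreated - $oldest.TimeCreated

# If the log is circular and not yet full, scale the covered span by the unused capacity.
# Assumption: events arrive at a steady rate and are of similar size, so this is a rough figure.
if ($log.LogMode -eq 'Circular' -and $log.FileSize -gt 0 -and $log.FileSize -lt $log.MaximumSizeInBytes) {
    $ratio     = $log.MaximumSizeInBytes / $log.FileSize
    $estimated = [TimeSpan]::FromTicks([long]($covered.Ticks * $ratio))
} else {
    # Log is full (or not circular): what it covers now is what it will cover.
    $estimated = $covered
}

[PSCustomObject]@{
    DomainController        = $ComputerName
    LogMode                 = $log.LogMode
    IsLogFull               = $log.IsLogFull
    MaxSizeMB               = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentSizeMB           = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount             = $log.RecordCount
    OldestEvent             = $oldest.TimeCreated
    CoveredHours            = [math]::Round($covered.TotalHours, 1)
    EstimatedRetentionHours = [math]::Round($estimated.TotalHours, 1)
}
```

Run it against each DC and compare `EstimatedRetentionHours` with the longest Netwrix server outage you need to survive; if the margin is thin, raising the Security log's maximum size on the DCs is the lever that extends it.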