Agentless Data Collection vs. Non-Intrusive Agents

Start Using Netwrix Auditor for Active Directory:

Download your free 20-day trial

Organizations that span multiple locations often struggle to take appropriate security measures across all of them using minimal bandwidth and without disrupting system stability. Native auditing isn’t an option in this case because it relies on agentless data collection, which significantly increases network traffic.

Many well-known commercial IT auditing software solutions frequently used in these situations gather data from Active Directory through either an agentless deployment using native event logs, which lack some data critical for meeting security requirements, or via proprietary data collection software agents installed locally on domain controllers.

These traditional agent-based approaches often completely displace native auditing and require the installation of agents on every domain controller. These agents collect audit data and funnel it to a central server for reporting, storage and other functions. In contrast to the agent-free approach, injecting intrusive agents into domain controller and operating system core can cause critical errors and lead to unexpected domain controller crashes.

Moreover, this agent-based approach includes data fetch that often goes undocumented. This tampering and modification of standard operating system functions can lead to denial of support from Microsoft. Such a situation would never happen with an agent-free approach.

Netwrix Auditor supports two modes of operation. Agentless data collection is offered by default. However, an organization can opt to use lightweight, non-intrusive agents, which provide network traffic compression and save bandwidth without tampering with core domain controller or operating system functions. The agents collect audit data locally on domain controllers, filter for the relevant records only, compress the data and then send it to the Netwrix Auditor server.

Together, this filtering and network traffic compression reduce the amount of information transferred over the network 100 times. Therefore, the use of non-intrusive agent-based mode is recommended for distributed infrastructures with more than one Active Directory site. If domain controllers are located in different sites and the connection between these sites is unstable or has limited bandwidth, it’s important to reduce network traffic in order to optimize bandwidth utilization.

In non-distributed IT environments saving bandwidth is not as critical; therefore, the collection and processing of audit data can be performed without installing agents on domain controllers. One of the advantages of the agentless data collection offered by Netwrix Auditor is that it leverages information from native event logs. The product retrieves event log entries from audited systems as they are created and stores copies of them in a central location.

In addition to the native logs, the product also collects and consolidates data from multiple other sources (configuration snapshots, change history records, etc.). As a result, its agentless data collection delivers the most detailed information and ensures audit data integrity, even if required data is missed in one or several sources.