How are collections handled after a network outage?

Question How are collections handled after a network outage on the Netwrix server, or when Domain Controllers are offline for some time?
Answer Active Directory data collections run every 10 minutes (every minute in Netwrix Auditor 9.5 and newer). Provided the Domain Controller security logs are not overwritten while the Netwrix server is off (for however long) or cut off by a network outage, the data is processed as soon as the server is turned back on or connectivity is restored. Security events are not strictly required to detect changes: the security event logs are used only to fill in the When and Who Changed information. So regardless of how long the servers are off or unreachable, all changes are picked up on the next successful collection. If the event logs on the DCs are overwritten in the meantime, the affected changes simply show System in the Who Changed field, and you receive a warning that event log overwrites occurred.

For example, if the security event logs on a domain controller are at their maximum allowed size and completely full, and the oldest event is 7 hours old, then the log holds roughly 7 hours' worth of events, and downtime of about 7 hours would not cause any security event log information to be missed.

If the domain controllers' security logs fill up very quickly, the log size can be increased, OR the logs can be archived so that Netwrix processes the archived logs and deletes them for you (http://www.netwrix.com/kb/1498).
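The retention estimate described above can be measured rather than guessed. The following PowerShell script is an added example and is not part of the Netwrix KB article or a Netwrix tool: it reads a Domain Controller's Security log configuration, finds the oldest surviving event, and reports how many hours of events the log currently covers, which is the amount of Netwrix downtime it can absorb before overwrites begin. The server name and planned downtime value are placeholders to substitute; the account running it needs permission to read the Security log remotely.

```powershell
# Added example (not from the Netwrix KB): estimate how much collection downtime
# a Domain Controller's Security log can absorb before its oldest events are
# overwritten. Assumes rights to read the Security log on the remote DC.
param(
    [string]$DomainController = 'DC01.example.local',   # placeholder, substitute your DC
    [double]$PlannedDowntimeHours = 7                    # placeholder, the outage you plan for
)

# Log configuration: maximum size, current on-disk size, and retention mode.
# LogMode 'Circular' means the oldest events are overwritten once the log is full;
# 'AutoBackup' archives the log instead (the archive-and-process option in the article).
$log = Get-WinEvent -ListLog Security -ComputerName $DomainController

# Oldest surviving event tells us how far back the log currently reaches.
$oldest = Get-WinEvent -LogName Security -ComputerName $DomainController -Oldest -MaxEvents 1
$coveredHours = ((Get-Date) - $oldest.TimeCreated).TotalHours

# If the log is not yet full, the covered window is only a lower bound on its true
# capacity; scale by remaining space to get a rough upper estimate.
$estimatedCapacityHours = if ($log.IsLogFull -or $log.FileSize -eq 0) {
    $coveredHours
} else {
    $coveredHours * ($log.MaximumSizeInBytes / $log.FileSize)
}

[pscustomobject]@{
    DomainController        = $DomainController
    LogMode                 = $log.LogMode
    MaxSizeMB               = [math]::Round($log.MaximumSizeInBytes / 1MB, 0)
    UsedMB                  = [math]::Round($log.FileSize / 1MB, 0)
    IsLogFull               = $log.IsLogFull
    OldestEvent             = $oldest.TimeCreated
    CoveredHours            = [math]::Round($coveredHours, 1)
    EstimatedCapacityHours  = [math]::Round($estimatedCapacityHours, 1)
    # True when the log would still hold the full outage window without overwrites
    SurvivesPlannedDowntime = ($estimatedCapacityHours -ge $PlannedDowntimeHours)
}
```

Run it against each Domain Controller, since event volume (and therefore retention) differs per DC. When SurvivesPlannedDowntime comes back False for a Circular log, either raise MaxSizeMB or switch the log to AutoBackup and let Netwrix consume the archives, as the article describes; note that the capacity estimate assumes a steady event rate, so a burst of logon or replication activity during the outage can shorten the real window.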