The Cache tab page contains the settings for controlling the Local Cache of audit records and tools for viewing the collected audit records.
When Audit Server performs the scheduled collection of audit data records from the machines indicated on the
Audit List, it collects the individual audit records into data files saved in the folder specified here (known
as the Local Cache). Data files remain in the Local Cache for the length of time specified in the Cache Retention section.
Cache Retention
The Local Cache is primarily intended as temporary storage for audit records which are eventually to be transferred to permanent offline archival.
The local copies of the audit records can be retained indefinitely, or automatically deleted after a set period.
Cache Location
This section allows you to specify the disk folder where you wish the Local Cache to be stored.
The cache location can be any valid file folder to which the Audit Server service account has sufficient rights to read and write files.
If you must, you may indicate any valid UNC path to store the Local Cache files on a remote machine. However, be aware that should the
remote machine become unavailable for any reason, audit data collected during that period will be irretrievably lost.
Important Note:
Best practice requires that the Local Cache folder be as secure as possible, and we strongly recommend that the
folder be located on a local drive using the NTFS filesystem to accomplish this.
Folder permissions should be set so that only the Audit Server service account (usually System) has Full Control. Administrators should
be set to Read-Only, and everyone else should be denied access entirely. You may also wish to use Windows operating system level
auditing to monitor the Local Cache folder for unauthorized changes.
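One way to apply the permissions and auditing described in the note above, shown as an added PowerShell example that is not part of Audit Server or its documentation. The path D:\AuditCache is a placeholder for your own cache folder, and the script assumes an elevated session and a service running as System.

```powershell
# Added example. $CachePath is a placeholder; use the folder set under Cache Location.
$CachePath = 'D:\AuditCache'

# Well-known SIDs, so the script does not depend on localized account names.
$sid      = 'System.Security.Principal.SecurityIdentifier'
$system   = New-Object $sid 'S-1-5-18'       # Local System (the usual service account)
$admins   = New-Object $sid 'S-1-5-32-544'   # BUILTIN\Administrators
$everyone = New-Object $sid 'S-1-1-0'        # Everyone, used only in the audit rule

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

# -Audit also loads the SACL; this needs an elevated session.
$acl = Get-Acl -Path $CachePath -Audit

# Stop inheriting from the parent folder and drop the inherited entries,
# then remove any explicit entries so only the two rules below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $system, 'FullControl', $inherit, $noProp, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $admins, 'Read', $inherit, $noProp, 'Allow')))
# No Deny entry for Everyone: accounts with no Allow entry are already refused,
# and an explicit Deny for Everyone would also lock out System.

# Record successful and failed attempts to change or delete cache contents.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    $inherit, $noProp, 'Success, Failure')))

Set-Acl -Path $CachePath -AclObject $acl

# Confirm the result: two explicit Allow entries, nothing inherited.
(Get-Acl -Path $CachePath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

The audit rule produces Security log events only if the Audit File System subcategory of the Windows advanced audit policy is enabled on the machine.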
View Audits...
Audit Server includes a program called DTREADER.EXE. DTReader is automatically associated with files having the extension .dtad (DT Audit Data)
during the installation of Audit Server. DTReader is used to view Audit Server data files whether from the Local Cache or retrieved from
any other storage location. You may copy the program to any machine from which you'd like to view audit records.
Note: DTREADER.EXE does not function on Windows Server Core systems. To view sync logs collected by Audit Server on Server Core systems,
you must copy the DTREADER.EXE utility from the /System32 folder to a non-Core system and use it from there to view the .dtad audit records through a network share on the Core machine.
When you click the View Audits button, the control panel applet launches DTReader to let you select and view files from your local
cache.
Audit record details using the View Audits function