Requirements
This topic describes the recommended configuration of the servers needed to install the application in a production environment. Depending on the size of the organization, it is recommended to review your environment and requirements with a Netwrix engineer prior to deployment to ensure all exceptions are covered.
Architecture Overview
The following servers are required for installation of the application:
Core Component
- Activity Monitor Console Server – This is where the v7.1 application is installed.
NOTE: The Activity Monitor Console can be hosted on the same machine as other Netwrix products.
- Agents – There are three types of agents deployed in the target environment to monitor activity:
  - Activity Agent – The Activity Agent is installed on Windows servers to monitor Microsoft Entra ID, Network Attached Storage (NAS) devices, SharePoint farms, SharePoint Online, SQL Server, and Windows file servers. See the Activity Agent Server Requirements topic for additional information.
  - AD Agent – The AD Agent is deployed to every domain controller to monitor Active Directory domains. See the AD Agent Server Requirements topic for additional information.
  - Linux Agent – The Linux Agent is deployed to Linux servers to be monitored. See the Linux Agent Server Requirements topic for additional information.
Target Environment Considerations
The target environment encompasses all servers, devices, or infrastructure to be monitored by Activity Monitor. Most solutions have additional target requirements.
Activity Monitor Console Machine Requirements
The machine can be a Windows Server or desktop, as well as physical or virtual. The following Windows Server operating systems are supported:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
The following Windows desktop operating systems are supported:
- Windows 11
- Windows 10
RAM, Processor, and Disk Space
- RAM – 1 GB minimum
- Processor – x64
- Disk Space – 1 GB minimum
Additional Machine Requirements
The following are additional requirements for the Console machine:
- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft .NET Framework 4.7.2 offline installer for Windows article
Permissions for Installation
The following permission is required to install and use the application:
- Membership in the local Administrators group for the Activity Monitor Console server
Activity Agent Server Requirements
The Activity Agent is installed on Windows servers to monitor Microsoft Entra ID, Network Attached Storage (NAS) devices, SharePoint farms, SharePoint Online, SQL Server, and Windows file servers. The server where the agent is deployed can be physical or virtual. The supported operating systems are:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
RAM, Processor, and Disk Space
- RAM – 4 GB minimum
- Processor – x64. 4+ cores recommended; 2 cores minimum
- Disk Space – 1 GB minimum plus additional space needed for activity log files
- Network – a fast low-latency connection to the monitored platforms (file servers, SQL Server), preferably the same data center
NOTE: Disk usage depends on the monitoring scope, user activity, types of client applications, and the retention settings. The number of events per user per day may vary from tens to millions. A single file system event is roughly 300 bytes.
Old files are zipped; the typical compression ratio is 20. Optionally, old files are moved from the server to a network share. See the Archiving Tab topic for additional information.
Additional Server Requirements
The following are additional requirements for the agent server:
- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft .NET Framework 4.7.2 offline installer for Windows article
- WMI enabled on the machine, which is optional but required for centralized Agent maintenance
- Remote Registry Service enabled
- For monitoring Dell devices, Dell CEE (Common Event Enabler) installed
Permissions for Installation
The following permissions are required to install and manage the agent:
- Membership in the local Administrators group
- READ and WRITE access to the archive location (for the Archiving feature only)
Activity Agent Ports
See the Activity Agent Ports topic for firewall port requirements.
Supported Exchange Online
The Activity Monitor provides the ability to monitor Exchange Online:
NOTE: For monitoring Exchange Online, the Activity Agent must be deployed to a Windows server that acts as a proxy for monitoring the target environment.
- Exchange Online
See the Exchange Online Activity Auditing Configuration topic for target environment requirements.
Supported Microsoft Entra ID
The Activity Monitor provides the ability to monitor Microsoft Entra ID:
NOTE: For monitoring Microsoft Entra ID, the Activity Agent must be deployed to a Windows server that acts as a proxy for monitoring the target environment.
- Microsoft Entra ID (formerly Azure AD)
See the Microsoft Entra ID Activity Auditing Configuration topic for target environment requirements.
Supported Network Attached Storage Devices
The Activity Monitor provides the ability to monitor NAS file server devices:
NOTE: For monitoring NAS devices, the Activity Agent must be deployed to a Windows server that acts as a proxy for monitoring the target environment.
Dell Celerra® & VNX
- Celerra 6.0+
- VNX 7.1
- VNX 8.1
See the Dell Celerra & Dell VNX Activity Auditing Configuration topic for target environment requirements.
Dell Isilon/PowerScale
- 7.0+
See the Dell Isilon/PowerScale Activity Auditing Configuration topic for target environment requirements.
Dell PowerStore®
See the Dell PowerStore Activity Auditing Configuration topic for target environment requirements.
Dell Unity
See the Dell Unity Activity Auditing Configuration topic for target environment requirements.
Hitachi
- 11.2+
See the Hitachi Activity Auditing Configuration topic for target environment requirements.
Nasuni Edge Appliances
- 8.0+
See the Nasuni Edge Appliance Activity Auditing Configuration topic for target environment requirements.
NetApp Data ONTAP
- 7-Mode 7.3+
- Cluster-Mode 8.2+
NOTE: The Resiliency feature introduced in ONTAP 9.0 is not supported.
See the following topics for target environment requirements:
- NetApp Data ONTAP 7-Mode Activity Auditing Configuration
- NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration
Nutanix
See the Nutanix Activity Auditing Configuration topic for target environment requirements.
Panzura
See the Panzura CloudFS Monitoring topic for target environment requirements.
Qumulo
- Qumulo Core 5.0.0.1B+
See the Qumulo Activity Auditing Configuration topic for target environment requirements.
Supported SharePoint Farms Platforms
The Activity Monitor provides the ability to monitor SharePoint farms:
NOTE: For monitoring a SharePoint farm, the Activity Agent must be deployed to the SharePoint Application server that hosts the “Central Administration” component of the SharePoint farm.
- SharePoint® 2019
- SharePoint® 2016
- SharePoint® 2013
- SharePoint® Server Subscription Edition
See the SharePoint On-Premise Activity Auditing Configuration topic for target environment requirements.
Supported SharePoint Online
The Activity Monitor provides the ability to monitor SharePoint Online:
NOTE: For monitoring SharePoint Online, the Activity Agent must be deployed to a Windows server that acts as a proxy for monitoring the target environment.
- SharePoint Online®
See the SharePoint Online Activity Auditing Configuration topic for target environment requirements.
Supported SQL Server Platforms
The Activity Monitor provides the ability to monitor SQL Server:
NOTE: For monitoring SQL Server, it is recommended that the Activity Agent be deployed to a Windows server that acts as a proxy for monitoring the target environment.
- SQL Server 2022
- SQL Server 2019
- SQL Server 2017
- SQL Server 2016
- SQL Server 2014
- SQL Server 2012
See the SQL Server Activity Auditing Configuration topic for target environment requirements.
Supported Windows File Servers Platforms
The Activity Monitor provides the ability to monitor Windows file servers:
NOTE: For monitoring a Windows file server, the Activity Agent must be deployed to the server. It cannot be deployed to a proxy server.
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
See the Windows File Server Activity Auditing Configuration topic for target environment requirements.
Activity Agent Ports
Firewall settings depend on the type of environment being targeted. The following firewall settings are required for communication between the Agent server and the Netwrix Activity Monitor Console:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Monitor to Agent Server | TCP | 4498 | Agent Communication |
Windows firewall rules must be configured on the Windows server. If the scans are running in applet mode, certain inbound rules must be created. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft Connecting to WMI on a Remote Computer article.
There might be a need for additional ports for the target environment.
Dell Celerra & Dell VNX Devices Additional Firewall Rules
The following firewall settings are required for communication between the CEE server/Activity Monitor Activity Agent server and the target Dell device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
Dell Isilon/PowerScale Devices Additional Firewall Rules
The following firewall settings are required for communication between the CEE server/Activity Monitor Activity Agent server and the target Dell Isilon/PowerScale device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication |
CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
Dell PowerStore Devices Additional Firewall Rules
The following firewall settings are required for communication between the CEE server/Activity Monitor Activity Agent server and the target Dell device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
Dell Unity Devices Additional Firewall Rules
The following firewall settings are required for communication between the CEE server/Activity Monitor Activity Agent server and the target Dell device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
Exchange Online Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target tenant:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API |
Microsoft Entra ID Tenant Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target tenant:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API |
Nasuni Edge Appliance Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target Nasuni Edge Appliance:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Agent Server to Nasuni | HTTPS | 8443 | Nasuni API calls |
Nasuni to Activity Agent Server | AMQP over TCP | 5671 | Nasuni event reporting |
NetApp Data ONTAP 7-Mode Device Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target NetApp Data ONTAP 7-Mode device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to NetApp* | HTTP (optional) | 80 | ONTAPI |
Activity Agent Server to NetApp* | HTTPS (optional) | 443 | ONTAPI |
Activity Agent Server to NetApp | TCP | 135, 139, Dynamic Range (49152-65535) | RPC |
Activity Agent Server to NetApp | TCP | 445 | SMB |
Activity Agent Server to NetApp | UDP | 137, 138 | RPC |
NetApp to Activity Agent Server | TCP | 135, 139, Dynamic Range (49152-65535) | RPC |
NetApp to Activity Agent Server | TCP | 445 | SMB |
NetApp to Activity Agent Server | UDP | 137, 138 | RPC |
*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in Activity Monitor.
NOTE: If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode device must be configured manually. Also, the External Engine will not reconnect automatically in the case of a server reboot or service restart.
NetApp Data ONTAP Cluster-Mode Device Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target NetApp Data ONTAP Cluster-Mode device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to NetApp* | HTTP (optional) | 80 | ONTAPI |
Activity Agent Server to NetApp* | HTTPS (optional) | 443 | ONTAPI |
NetApp to Activity Agent Server | TCP | 9999 | FPolicy events |
*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in Activity Monitor.
NOTE: If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode device must be configured manually. Also, the External Engine will not reconnect automatically in the case of a server reboot or service restart.
Nutanix Devices Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target Nutanix device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to Nutanix | TCP | 9440 | Nutanix API |
Nutanix to Activity Agent Server | TCP | 4501 | Nutanix Event Reporting |
Protect the port with a username and password. The credentials will be configured in Nutanix.
Panzura Devices Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target Panzura device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to Panzura | HTTPS | 443 | Panzura API |
Panzura filers to Activity Agent Server | AMQP over TCP | 4497 | Panzura Event Reporting |
Protect the port with a username and password. The credentials will be configured in Panzura.
Qumulo Devices Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target Qumulo device:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to Qumulo | TCP | 8000 | Qumulo API |
Qumulo to Activity Agent Server | TCP | 4496 | Qumulo Event Reporting |
Protect the port with a username and password. The credentials will be configured in Qumulo.
SharePoint Online Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target tenant:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API |
SQL Server Additional Firewall Rules
The following firewall settings are required for communication between the Activity Monitor Activity Agent server and the target SQL Server:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
SQL Server to Activity Agent Server | TCP | 1433 | Default SQL Server Port |
If the Activity Monitor cannot connect to the SQL Server, ensure that SQL Server Browsing state is Running.
Integration with Netwrix Enterprise Auditor Additional Firewall Rules
Firewall settings are dependent upon the type of environment being targeted. The following firewall settings are required for communication between the agent server and the Enterprise Auditor Console:
Communication Direction | Protocol | Ports | Description |
---|---|---|---|
Enterprise Auditor to Agent Server | TCP | 445 | SMB, used for Agent Deployment |
Enterprise Auditor to Agent Server | TCP | Predefined | WMI, used for Agent Deployment |
AD Agent Server Requirements
Active Directory (AD) monitoring can be accomplished through two primary methods:
- Activity Monitor Agents with the AD Module
- Retrieving activity data from Netwrix Threat Prevention
Both approaches require the installation of agents on each domain controller within the monitored domain and are compatible with Netwrix Enterprise Auditor and Netwrix Threat Manager, feeding them AD activity data.
Activity Monitor Agents: This option focuses solely on monitoring AD activity, providing basic visibility into AD events without additional features.
Netwrix Threat Prevention: Offers a more comprehensive and flexible monitoring experience, including advanced features like operation blocking and enhanced monitoring capabilities.
These methods provide organizations with a choice between basic AD activity monitoring and a more versatile, security-enhanced option.
Activity Monitor and Threat Prevention Compatibility Matrix
Activity Monitor Version | Threat Prevention (formerly Stealth Intercept) Version | Threat Prevention Version |
---|---|---|
7.1 | 7.3 | 7.4 |
7.0 | 7.3 |
Requirements
The AD Agent is deployed to every domain controller to monitor Active Directory domains. The server can be physical or virtual. The supported operating systems are:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
RAM, Cores, and Disk Space
These depend on the amount of activity expected:
Environment | Recommended | Minimum |
---|---|---|
RAM | 8+ GB | 4+ GB |
Cores | 4+ CPU | 2 CPU |
Disk Space | 50 GB | 50 GB |
The disk space requirement covers the following:
- Agent Size – 150 MB
- Agent Queues – In the event of a network outage, the agent will cache up to 40 GB of event data
- Diagnostic Logging – 1 GB
Old files are zipped; the typical compression ratio is 20. Optionally, old files are moved from the server to a network share. See the Archiving Tab topic for additional information.
Additional Server Requirements
The following are additional requirements for the agent server:
- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft .NET Framework 4.7.2 offline installer for Windows article
- WMI enabled on the machine, which is optional but required for centralized Agent maintenance
Permissions for Installation
The following permissions are required to install and manage the agent:
- Membership in the Domain Administrators group
- READ and WRITE access to the archive location (for the Archiving feature only)
Supported Active Directory Platforms
The Activity Monitor provides the ability to monitor Active Directory:
NOTE: For monitoring an Active Directory domain, the AD Agent must be installed on all domain controllers within the domain to be monitored.
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
See the Active Directory Activity Auditing Configuration topic for target environment requirements.
AD Agent Compatibility with Non-Netwrix Security Products
The following products conflict with the agent:
CAUTION: Do not install these products on a server where an agent is deployed. Do NOT install an agent on a server where these products are installed.
- Quest Change Auditor (aka Dell ChangeAuditor)
- PowerBroker Auditor for Active Directory by BeyondTrust
The following products, which protect LSASS, may prevent the agent from injecting into LSASS, and thereby prevent monitoring Active Directory events:
- Cisco AMP for Endpoints Connector
- Avast Business Antivirus
  - Specifically the “Avast self-defense module”
NOTE: These products and other similar products can be configured via a whitelist to allow the agent to operate.
Linux Agent Server Requirements
The server where the agent is deployed can be physical or virtual. The supported operating systems are:
- Red Hat Enterprise Linux
  - V 9.x
  - V 8.x
- Activity Monitor supports RHEL kernels in FIPS mode compliant with FIPS 140-2 and FIPS 140-3.
Target Requirements
NOTE: For monitoring a Linux file server, the Linux Agent is deployed to the Linux servers to be monitored. It cannot be deployed to a proxy server.
Supported Protocols
The following protocols are supported for the Linux agent:
- Local
- Common Internet File System (CIFS) / Server Message Block (SMB)
- Network File System (Mounted Client-Side)
NOTE: Server-Side NFS protocol is not supported.
Permissions for Installation
The following permission is required by the account used to install and manage the agent:
- Root privileges with password (or SSH private key)
For integration between the Activity Monitor and Enterprise Auditor, the credential used by Enterprise Auditor to read the activity log files must also have this permission.
Immutable Mode
For file activity monitoring on Linux, Activity Monitor relies on the auditd component of the Linux Auditing System. One of the features of auditd is the immutable mode, or `-e 2` command, which locks the audit configuration and protects it from being changed. When the immutable mode is enabled, the only way to change the auditing configuration is to reboot the server.
To check if the immutable mode is enabled, use the `auditctl -s` command. If the immutable mode is active, the command will print `enabled 2`. Alternatively, check for the `-e 2` line in the `/etc/audit/rules.d/audit.rules` file.
Activity Monitor supports the immutable mode. It compares the current auditd configuration with the desired one. If they differ and the immutable mode is enabled, the product displays a warning that a server restart is required in the status section of the Monitored Hosts tab. After the reboot, the changes take effect and the immutable mode is enabled.
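The two checks described above, combined into one script, as an added example that is not part of the Netwrix documentation: it reads the running state from `auditctl -s` output and looks for an uncommented `-e 2` line in the rules file, so a mismatch between the two is visible. The function names, state labels, and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify auditd immutable mode from the two checks in the text.
# Function names and state labels are illustrative, not part of any product.

# Read `auditctl -s` output on stdin and print the value of its "enabled" line.
running_enabled_flag() {
    awk '$1 == "enabled" { print $2; exit }'
}

# Return 0 if any readable rules file given as an argument contains an
# uncommented "-e 2" line ("#-e 2" and "# -e 2" do not count).
rules_request_immutable() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        if awk '$1 == "-e" && $2 == "2" { hit = 1 } END { exit !hit }' "$f"; then
            return 0
        fi
    done
    return 1
}

# $1 = text printed by `auditctl -s`; remaining args = rules files to inspect.
immutable_state() {
    status_text=$1
    shift
    flag=$(printf '%s\n' "$status_text" | running_enabled_flag)
    if rules_request_immutable "$@"; then persisted=yes; else persisted=no; fi
    case "$flag:$persisted" in
        2:yes) echo "locked" ;;                # active now and set in the rules file
        2:no)  echo "locked-not-persistent" ;; # active now, absent from the rules file
        *:yes) echo "lock-pending" ;;          # in the rules file, not active yet
        *)     echo "unlocked" ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    # Real host: auditctl needs root; the path is the one named in the text.
    immutable_state "$(auditctl -s)" /etc/audit/rules.d/audit.rules
else
    # Constructed sample data so the script runs on any machine.
    sample_rules=$(mktemp)
    printf '%s\n' '-D' '-w /srv/share -p wa -k sample_watch' '-e 2' > "$sample_rules"
    sample_status='enabled 2
failure 1
backlog_limit 8192
loginuid_immutable 0 unlocked'
    echo "sample host: $(immutable_state "$sample_status" "$sample_rules")"
    rm -f "$sample_rules"
fi
```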