From f9c6972f9ea8cd95d2e63bb7a2a7d9a2caa61edc Mon Sep 17 00:00:00 2001 From: EP Date: Mon, 13 Oct 2025 10:46:56 +0100 Subject: [PATCH] add-on fixes for linux / privileged --- docs/auditor/10.8/addon/linux/overview.md | 127 ++++++++++++++---- docs/auditor/10.8/addon/linux/parameters.md | 12 +- .../addon/privilegeduserlinux/overview.md | 115 ++++++++++++---- .../addon/privilegeduserlinux/parameters.md | 12 +- 4 files changed, 208 insertions(+), 58 deletions(-) diff --git a/docs/auditor/10.8/addon/linux/overview.md b/docs/auditor/10.8/addon/linux/overview.md index 775fca57d6..223e3c0b04 100644 --- a/docs/auditor/10.8/addon/linux/overview.md +++ b/docs/auditor/10.8/addon/linux/overview.md 
@@ -6,38 +6,119 @@ sidebar_position: 120 # Linux Generic Syslog -The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your -Linux-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity -monitoring more cost effective, and helps you keep tabs on your IT infrastructure. +The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your Linux-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity monitoring more cost effective, and helps you keep tabs on your IT infrastructure. -Implemented as a service, this add-on facilitates the data transition from Linux-based systems to -Netwrix Auditor. All you have to do is provide connection details and specify parsing rules. +Implemented as a service, this add-on facilitates the data transition from Linux-based systems to Netwrix Auditor. All you have to do is provide connection details and specify parsing rules. On a high level, the add-on works as follows: -**Step 1 –** The add-on listens to the specified UDP ports and captures designated Syslog messages. +**Step 1** – The add-on listens to the specified UDP ports and captures designated Syslog messages. -**Step 2 –** Out of the box, messages from Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise -Server 12, openSUSE42, and Ubuntu 16 are supported. For other distributions, deployment of the -rsyslog package may be required. You can edit the add-on configuration to extend the captured -message list. +**Step 2** – Out of the box, messages from Red Hat Enterprise Linux 6, 7, 8, 9, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported. For other distributions, deployment of the rsyslog package may be required. You can edit the add-on configuration to extend the captured message list. -**Step 3 –** The add-on processes these events into Netwrix Auditor-compatible format (Activity -Records). 
Each Activity Record contains the user account, action, time, and other details. +**Step 3** – The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each Activity Record contains the user account, action, time, and other details. -**Step 4 –** Using the Integration API, the add-on sends the activity records to the Netwrix Auditor -Server, which writes them to the Long-Term Archive and the Audit Database. +**Step 4** – Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server, which writes them to the Long-Term Archive and the Audit Database. -See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure -of the Activity Record and the capabilities of the NIntegration API. +See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Integration API. ## Prerequisites -Before running the add-on, ensure that all the necessary components and policies are configured as -follows: +Before running the add-on, ensure that all the necessary components and policies are configured as follows: -| On... | Ensure that... 
| -| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Netwrix Auditor Server side | - The Audit Database settings are configured in Auditor Server. - The TCP **9699** port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Contributor role in Auditor. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. 
| -| The computer where the add-on will be installed | - The UDP 514 port is open for inbound connections. **CAUTION:** UPD 514 port can only be used by one service, otherwise the following error will occur: [ERROR] Error occurred when starting the syslog udp listener. Only one usage of each socket address (protocol/network address/port) is normally permitted - .Net Framework [3.5 SP1](http://www.microsoft.com/en-us/download/details.aspx?id=22), [4.0](https://www.microsoft.com/en-us/download/details.aspx?id=17851), [4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653), or [4.6](https://www.microsoft.com/en-us/download/details.aspx?id=48130) is installed. | -| On the target syslog-based platform | Outbound UDP 514 port must be enabled. The **Syslog daemon** must be configured to redirect events. The procedure below explains how to configure redirection. **NOTE:** Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported out of the box. For other distributions, deployment of the rsyslog package may be required. - On Red Hat Enterprise Linux 7, perform the following steps: **Step 5 –** Open the **/ etc/ rsyslog.conf** file. **Step 6 –** Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where **name** is a FQDN, Net BIOSname or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format` **Step 7 –** Launch the **RHEL console** and execute the following command: `service rsyslog restart` - On Ubuntu 16, perform the following steps: **Step 1 –** Navigate to the **/ etc/ rsyslog.d/ 50-default.conf** file. **Step 2 –** Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where **name** is a FQDN, Net BIOSname or IP address of the computer where Netwrix Auditor Server is installed. 
For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format` **Step 3 –** Launch the **UBUNTU console** and execute the following command: `service rsyslog restart` | +### The Netwrix Auditor Server side + +- The Audit Database settings are configured in Auditor Server. +- The TCP **9699** port (default Auditor Integration API port) is open for inbound connections. +- The user retrieving data from the Audit Database is granted the Contributor role in Auditor. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. +- The UDP **514** port is open for inbound connections. + +**CAUTION:** UDP 514 port can only be used by one service, otherwise the following error will occur: + +``` +[ERROR] Error occurred when starting the syslog udp listener. Only one usage of each socket address (protocol/network address/port) is normally permitted +``` + +- .NET Framework [4.7.2](https://www.microsoft.com/en-us/download/details.aspx?id=48130) is installed. + +### On the target syslog-based platform + +- Outbound UDP **514** port must be enabled. +- The **Syslog daemon** must be configured to redirect events. The procedure below explains how to configure redirection. + +**NOTE:** The deployment of the rsyslog package may be required. + +#### Configuration for RHEL 6-8 Linux Server + +**Step 1** – Ensure that rsyslog is installed. If not, install it using the following command: + +```bash +sudo yum install rsyslog +``` + +**Step 2** – Open the `/etc/rsyslog.conf` file. + +**Step 3** – Add the following line: + +``` +auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format +``` + +where **name** is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. 
+ +For example: + +``` +auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format +``` + +**Step 4** – Save the file and restart the rsyslog service: + +```bash +sudo service rsyslog restart +``` + +To verify the service is running: + +```bash +sudo service rsyslog status +``` + +#### Configuration for Ubuntu and RHEL 9+ + +**Step 1** – Ensure that rsyslog is installed. If not, install it using the appropriate command: + +For Ubuntu/Debian: + +```bash +sudo apt-get update +sudo apt-get install rsyslog +``` + +For RHEL 9+: + +```bash +sudo dnf install rsyslog +``` + +**Step 2** – Navigate to the `/etc/rsyslog.d/50-default.conf` file. + +**Step 3** – Add the following line: + +``` +auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format +``` + +where **name** is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. + +For example: + +``` +auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format +``` + +**Step 4** – Save the file and restart the rsyslog service: + +```bash +sudo systemctl restart rsyslog +``` diff --git a/docs/auditor/10.8/addon/linux/parameters.md b/docs/auditor/10.8/addon/linux/parameters.md index 370912a9ca..f46f0f4ac8 100644 --- a/docs/auditor/10.8/addon/linux/parameters.md +++ b/docs/auditor/10.8/addon/linux/parameters.md 
@@ -16,14 +16,14 @@ Click **Proceed** and complete the following fields: | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Specify General Settings | | | Listed UDP port | Specify UDP port for listening incoming events. (**514** by default). | -| Auditor Endpoint | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hostingAuditor Server and uses default port _9699_. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15_, _EnterpriseNAServer_, _WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/ netwrix/ api_ ) | -| Certificate Thumbprint | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Auditor certificate via Windows Certificate Store. - `AB:BB:CC`—Check Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. | +| Netwrix Auditor Endpoint | Netwrix Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Netwrix Auditor Server and uses default port _9699_. 
To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/netwrix/api_ ) | +| Certificate Thumbprint | Possible values:
- `Empty`— Check Auditor certificate via Windows Certificate Store.
- `AB:BB:CC`— Check Auditor Server certificate thumbprint identifier.
- `NOCHECK`— Do not check Auditor certificate.
Make sure to select this parameter if you plan to specify servers by their IP. | | Specify Active Directory credentials | | -| Username | Provide the name of the account under which the service runs. Unless specified, the service runs under the account currently logged on. | +| Username | Specify the account under which the service will authenticate to the **Netwrix_Auditor_API**. | | Password | Provide the password for the selected account. | -| Auditor Monitoring Plan settings | | -| Auditor Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created in Auditor, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. | -| Auditor Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. | +| Monitoring Plan settings | | +| Monitoring Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. | +| Monitoring Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. 
| | Accept List | | | Address | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. | diff --git a/docs/auditor/10.8/addon/privilegeduserlinux/overview.md b/docs/auditor/10.8/addon/privilegeduserlinux/overview.md index db66bfffc3..79a7524227 100644 --- a/docs/auditor/10.8/addon/privilegeduserlinux/overview.md +++ b/docs/auditor/10.8/addon/privilegeduserlinux/overview.md 
@@ -6,36 +6,105 @@ sidebar_position: 170 # Privileged User Monitoring on Linux and Unix Systems -The add-on works in collaboration with Auditor, supplying data about privileged user activity on -Linux and Unix. Aggregating data into a single audit trail simplifies analysis, makes activity -monitoring more cost effective, and helps you keep tabs on privilege elevation on your Linux and -Unix-based devices. For example, it helps monitor the usage of SUDO as well as remote access with -openSSH. +The add-on works in collaboration with Auditor, supplying data about privileged user activity on Linux and Unix. Aggregating data into a single audit trail simplifies analysis, makes activity monitoring more cost effective, and helps you keep tabs on privilege elevation on your Linux and Unix-based devices. For example, it helps monitor the usage of SUDO as well as remote access with openSSH. On a high level, the add-on works as follows: -1. The add-on listens to the specified UDP ports and captures designated Syslog messages. +**Step 1** – The add-on listens to the specified UDP ports and captures designated Syslog messages. - Out of the box, messages from Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12, - openSUSE 42, and Ubuntu 16 are supported. For other distributions, deployment of the rsyslog - package may be required. You can edit the add-on configuration to extend the captured message - list. +**Step 2** – Out of the box, messages from Red Hat Enterprise Linux 6, 7, 8, 9, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported. For other distributions, deployment of the rsyslog package may be required. You can edit the add-on configuration to extend the captured message list. -2. The add-on processes these events into Auditor-compatible format (Activity Records). Each - Activity Record contains the user account, action, time, and other details. -3. 
Using the Integration API, the add-on sends the activity records Auditor Server, which writes - them to the Long-Term Archive and the Audit Database. +**Step 3** – The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each Activity Record contains the user account, action, time, and other details. + +**Step 4** – Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server, which writes them to the Long-Term Archive and the Audit Database. + +See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Integration API. ## Prerequisites -Before running the add-on, ensure that all the necessary components and policies are configured as -follows: +Before running the add-on, ensure that all the necessary components and policies are configured as follows: + +### The Netwrix Auditor Server side + +- The Audit Database settings are configured in Auditor Server. +- The TCP **9699** port (default Auditor Integration API port) is open for inbound connections. +- The user retrieving data from the Audit Database is granted the Contributor role in Auditor. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. +- The UDP **514** port is open for inbound connections. + +**CAUTION:** UDP 514 port can only be used by one service, otherwise the following error will occur: + +``` +[ERROR] Error occurred when starting the syslog udp listener. Only one usage of each socket address (protocol/network address/port) is normally permitted +``` + +- .NET Framework [4.7.2](https://www.microsoft.com/en-us/download/details.aspx?id=48130) is installed. + +### On the target syslog-based platform + +- Outbound UDP **514** port must be enabled. 
+- The **Syslog daemon** must be configured to redirect events. The procedure below explains how to configure redirection. + +**NOTE:** The deployment of the rsyslog package may be required. + +#### Configuration for RHEL 6-8 Linux Server + +**Step 1** – Open the `/etc/rsyslog.conf` file. + +**Step 2** – Add the following line: + +``` +auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format +``` + +where **name** is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. + +For example: + +``` +auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format +``` + +**Step 3** – Launch the **console** and execute the following command: + +```bash +service rsyslog restart +``` + +#### Configuration for Ubuntu and RHEL 9+ + +**Step 1** – Ensure that rsyslog is installed. If not, install it using the appropriate command: + +For Ubuntu/Debian: + +```bash +sudo apt-get update +sudo apt-get install rsyslog +``` + +For RHEL 9+: + +```bash +sudo dnf install rsyslog +``` + +**Step 2** – Navigate to the `/etc/rsyslog.d/50-default.conf` file. + +**Step 3** – Add the following line: + +``` +auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format +``` + +where **name** is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. + +For example: + +``` +auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format +``` -| On... | Ensure that... 
| -| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. 
In this case, this user will have the most extended permissions in the product. | -| The computer where the service will be installed | - The UDP 514 port is open for inbound connections. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). | -| The target syslog-based platform | The **Syslog daemon** is configured to redirect events. The procedure below explains how to configure redirection: **NOTE:** Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported out of the box. For other distributions, deployment of rsyslog package may be required. - On Red Hat Enterprise Linux 7: 1. Open the **/etc/rsyslog.conf** file. 2. Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where `name `is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_ SyslogProtocol23Format` 3. Launch the **RHEL console** and execute the following command: `service rsyslog restart`. - On Ubuntu 16: 1. Navigate to the **/etc/rsyslog.d/50-default.conf** file. 2. Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where `name `is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_ SyslogProtocol23Format` 3. Launch the **UBUNTU console** and execute the following command: `service rsyslog restart`. 
| +**Step 4** – Save the file and restart the rsyslog service: -See the the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the -structure of the Activity Record and the capabilities of the Integration API +```bash +sudo systemctl restart rsyslog +``` diff --git a/docs/auditor/10.8/addon/privilegeduserlinux/parameters.md b/docs/auditor/10.8/addon/privilegeduserlinux/parameters.md index b1ac95042d..1aee5d1559 100644 --- a/docs/auditor/10.8/addon/privilegeduserlinux/parameters.md +++ b/docs/auditor/10.8/addon/privilegeduserlinux/parameters.md 
@@ -16,14 +16,14 @@ Click **Proceed** and complete the following fields: | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Specify General Settings | | | Listed UDP port | Specify UDP port for listening incoming events. (**514** by default). | -| Auditor Endpoint | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hostingAuditor Server and uses default port _9699_. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15_, _EnterpriseNAServer_, _WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/ netwrix/ api_ ) | -| Certificate Thumbprint | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Auditor certificate via Windows Certificate Store. - `AB:BB:CC`—Check Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. | +| Netwrix Auditor Endpoint | Netwrix Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Netwrix Auditor Server and uses default port _9699_. 
To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/netwrix/api_ ) | +| Certificate Thumbprint | Possible values:
- `Empty`— Check Auditor certificate via Windows Certificate Store.
- `AB:BB:CC`— Check Auditor Server certificate thumbprint identifier.
- `NOCHECK`— Do not check Auditor certificate.
Make sure to select this parameter if you plan to specify servers by their IP. | | Specify Active Directory credentials | | -| Username | Provide the name of the account under which the service runs. Unless specified, the service runs under the account currently logged on. | +| Username | Specify the account under which the service will authenticate to the **Netwrix_Auditor_API**. | | Password | Provide the password for the selected account. | -| Auditor Monitoring Plan settings | | -| Auditor Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created in Auditor, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. | -| Auditor Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. | +| Monitoring Plan settings | | +| Monitoring Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. | +| Monitoring Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. 
| | Accept List | | | Address | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. |
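Review bot: in docs/auditor/10.8/addon/linux/overview.md, the new .NET prerequisite labels the link as 4.7.2 but keeps the URL `https://www.microsoft.com/en-us/download/details.aspx?id=48130`, which the removed table row used for the 4.6 link. Point the 4.7.2 label at a 4.7.2 download page. The same hunk folds the "computer where the add-on will be installed" row into "### The Netwrix Auditor Server side", so the inbound UDP 514 and .NET requirements now read as server requirements; if the add-on can still be installed on a separate machine, keep a separate heading for that host. The CAUTION paragraph and its code fence also split the bullet list, leaving the .NET item as a one-item list on its own.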
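Review bot: in docs/auditor/10.8/addon/linux/parameters.md, the rewritten Certificate Thumbprint row still ends with "Make sure to select this parameter if you plan to specify servers by their IP" directly under `NOCHECK`, which tells anyone addressing the server by IP to turn certificate checking off on the connection the add-on authenticates over with the Username and Password from the rows below. Since the row already offers a thumbprint value (`AB:BB:CC`), consider recommending the thumbprint for IP-addressed servers and saying plainly what `NOCHECK` gives up. The row also lost its "Netwrix Auditor Certificate Thumbprint Property" description, and the Endpoint row dropped the sentence on running the add-on on another machine while keeping "provide a server name followed by the port number", so the only remaining host example is the non-default-port one.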
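Review bot: in docs/auditor/10.8/addon/privilegeduserlinux/overview.md, "#### Configuration for Ubuntu and RHEL 9+" sends RHEL 9+ readers to `/etc/rsyslog.d/50-default.conf`, a path the removed table gave only for Ubuntu 16, while its Red Hat procedure used `/etc/rsyslog.conf`. Give RHEL 9+ its own subsection with the file it should edit, or say that the file may have to be created; linux/overview.md has the same grouping. The RHEL 6-8 procedure here has also drifted from the one added to linux/overview.md in this patch: no install step, `service rsyslog restart` without `sudo`, and no status check, so the two pages should be aligned. This file previously required ".Net Framework 4.7.2 and above" with a link to the Microsoft offline-installer article; the new bullet drops "and above" and replaces the link with `details.aspx?id=48130`.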
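Review bot: in docs/auditor/10.8/addon/privilegeduserlinux/parameters.md, the new Username text says the service "will authenticate to the **Netwrix_Auditor_API**", but the Monitoring Plan row in the same hunk uses **Netwrix_Auditor_API** as a database name ("data is written to **Netwrix_Auditor_API** database"). Name what is actually being authenticated to (the Integration API endpoint from the Endpoint row) and state the role the account needs, which the overview page gives as Contributor. The added rows also carry typos worth fixing while they are being touched: `_WKS.ent erprise.local:9999_`, "add- on", and "inAuditor".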