You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

02: How to use Netwrix Auditor to Report on PolicyPak events

By following this guide you will be able to generate reports for interesting events from the PolicyPak event logs that you can then use to create LPM policies as needed.


Policy created in LPM using the report details above.

Getting Started:

In order to receive PolicyPak reports for events via Netwrix Auditor, you will need to complete the following steps:

  1. Creating a monitoring plan for PolicyPak events
  2. Configuring sources, filters, events, database settings;
  3. Optional: configure alerts.

Note: You must have Netwrix PolicyPak Client-Side extension installed on Netwrix Auditor configuration machine to be able to see and select the event definitions for PolicyPak events. Also, Remote Registry service should be enabled on machines where events occur!

1. Creating a monitoring plan for PolicyPak events

Navigate to Start → Netwrix Auditor → Netwrix Auditor Event Log Manager.

On the main page, you will be prompted to select a monitoring plan. Click Add to add new plan.

  1. Give the new plan a descriptive name and Enable event log collection. Then add a Notification recipient email address, you can specify one or several email addresses for users to receive daily Event Log collection status notifications. Use semicolon to separate several addresses.

  2. Next, under the General tab enter credentials for the account that will be used to collect data from the endpoints, use an account that has local admin rights on the endpoints, and one that can also read Active directory. Then click the Add button next to the Monitored computers section.

  3. Next, choose how you would like add monitored computers, either by Computer name, by Active Directory container, or via IP Range.

    Add the computers that you want to audit, either by Computer name, by Active Directory container, or via IP Range. Note: You can add multiple types of computer items to your monitoring plan.

  4. Under the Notifications tab you can configure SMTP settings.

  5. Under the Audit Database tab you can review and verify your database settings. Netwrix Auditor Event Log Manager synchronizes Audit Database and reports settings with the default Audit Database configuration from Netwrix Auditor Server. If this option is disabled, contact your Netwrix Auditor Global administrator and make sure that these settings are properly configured in Netwrix Auditor Server. More information about Audit Database configuration can be found here:

  6. In Advanced tab you can check Network traffic compression is enabled (recommended). Also, you can specify the notification delivery time.

  7. The next step is to filter out the desired events and get them into the Netwrix Auditor Reports.

    To do so, let’s get back to General tab and configure Audit archiving filters.

  8. Once there, you can add the filtering in Inclusive filters section. Click Add to proceed.

    In the next window, we need to specify the following parameters:

    • Filter name
    • Description for the filter
    • Event log – here we need to type in “PolicyPak” manually as it is not available in the drop down list.
    • Write to – here you can select the location to store filtered events, either a long-term archive or database. It is recommended to use both locations.

  9. Depending on targeted events, in the Event Fields tab you may enlist the event IDs to capture.

    Please refer to our KB article with event IDs -

    For example, here is the list of event IDs related to PolicyPak Least Privilege Manager Global Audit events:

    You may adjust the settings in Events Fields filtering section up to your needs.

    Once the configuration is done, you may click OK and save all your progress so far.

  10. Return back to the main monitoring plan configuration window for Netwrix Auditor Event Log Manager, click  Configure under alerts filtering:

    Then click add to add a new alert.

  11. At the next window you add alerts for any event IDs as needed using the screenshots below as a guide.
    Note: There is no need to configure anything under the Insertion Strings tab at this time.

    Single Event Alert Example:

    Group of Specific Events Alert Example:

    This is all the configuration required for Netwrix Auditor Event Log Manager to report on PolicyPak Events.

  12. Now, if you would like to review the event log reports, start the Netwrix Auditor software and go to Reports section. There, navigate to the following report path: Predefined -> Windows Server -> Event Log -> All events by Computer and click View.

    Here you can specify the conditions and filters to represent in the report, such as date range, Event level etc.

    Note: You can click on the interactive link in the Date column to see details of occurred event:

  • 1325
  • 03-Apr-2024