I really like Netwrix Auditor, but lately, I’ve been having an issue with seeing read actions from SharePoint. Has anyone else encountered issues with reading read audits from an on-premise SharePoint farm? We currently have SharePoint Subscription Edition deployed, which is based on a SharePoint 2019 server.
Netwrix is able to see audit data such as when a user has added, removed, or modified an item on the SharePoint site, but no read actions are visible. From the SharePoint Central Administration, it is possible to export auditing reports which show the read actions from a user, but it’s strange that it doesn’t show this in the Netwrix Auditor.
Step 4 - in the List, Libraries, and Sites section, where you should select Editing users and permissions. NOTE: Enable “Opening or downloading documents, viewing items in lists, or viewing item properties” for read access auditing.
This option is not available to configure. I am looking for an option to enable read access auditing for the whole site collection.
I think it’s not possible to see the read audits anymore, but correct me if I am wrong. What things could I have overlooked with the configuration?
The monitoring plan has the following settings:
Service account is in use, allowed to
Automatic deployment of SharePoint core service
Monitors entire SharePoint farm for permissions and content changes
Nice to meet you and welcome to the Netwrix Community.
I can certainly confirm that SharePoint Subscription Edition is supported in Netwrix Auditor and is based upon SP 2019 edition, looking at the configuration settings you have enabled the ‘Automatic Configuration’ required for ‘Read’ actions to be enabled on the SharePoint farm.
Can i ask, in the monitoring plan, have you defined the site collections you would like to process the collection of ‘Reads’?
You will need to ‘Edit’ the item in the plan, select ‘Read Access’, then on the right hand side are any site paths defined?
Nice to meet you! Welcome to the community as well. Thank you for taking the time to address this issue.
I know that I have used an older monitoring plan without specifying the SharePoint sites in the read access tab. Is it necessary to specify the sites if I just want to monitor everything?
The new monitoring plan is currently configured for “audit SharePoint read access” as follows:
“Sites only” is not selected.
“Sites and subsites” is selected.
No paths are specified. This is greyed out for some reason.
Hi Szymon, thanks a lot for your questions. So there are two parts to this discussion I’d like to comment on:
Currently, you need to specify the sites, yes. If that’s not how you can configure it, I encourage you to create a support ticket, and an engineer might be able to help you come up with a workaround.
You can audit SP Subscription edition read events, but the manual configuration in SharePoint there is not supported, so you have to ensure you have the “adjust audit settings automatically” checked.
I hope this helps and please let me know if you have more questions.
Thank you for taking the time to address this issue as well.
I think I said it wrong earlier. I want to track all the reads from all sites and subsites in the SharePoint farm. So with the suggested configuration, it only looks at the sites reads and not the subsites reads, right?
Select Sites only if you want to enable read access auditing on SharePoint sites only. Enable Sites and subsites to track read access on each subsite.
Then, do one of the following:
Click Add and provide URL to a SharePoint site.
Click Import, select encoding type, and browse for a file that contains a list of sites.
One thing to note: Read access auditing significantly increases the number of events generated on your SharePoint and the amount of data written to the AuditArchive.
This would also lead me to query the omit filters, has anyone added entries to the ‘omitreadaccesslist.txt’ file which could be a reason you are no longer receiving these events in the platform!
Navigate to the *%working folder%\Netwrix Auditor for SharePoint\Configuration\GUID* folder, where omit lists are located.
Edit the omitreadaccesslist.txt file and see if any entries were added.
