Managing Audit Stores

An audit store is a collection of databases that contain audit data. All attached databases in the audit store are available to the audit management database. Typically each site has one audit store, but you can add audit stores as required for large or multi-site installations. For details, see Adding More Audit Stores to an Installation.

Configuring Audit Store Scope

The scope of an audit store defines which audited computers send their audit data to the audit store, and which collectors are assigned to the audit store. The scope is a set of Active Directory sites and/or subnets. To configure the scope for an audit store, open its Properties page and select the Scope tab. To add a site, click Add Site and select the site from the list. To add a subnet, click Add Subnet and type a subnet address and mask.

Configuring Permissions for an Audit Store

To configure audit store security, open the audit store’s Properties page and select the Security tab.

Only users with the Change Permissions right on the audit store are allowed to modify the user rights on the Security tab of the audit store’s Properties page.

The following table lists the rights that can be granted to Active Directory users or groups, and the operations that users granted those rights (“trustees”) are allowed to perform.

The audit store administrator by definition has all of these user rights (Full Control).

| User Right | Allowed Operations |
|---|---|
| Full Control | All of the operations listed in the following rows of this table |
| Change Permissions | Modify permissions on this audit store |
| Modify Name | Modify display name for this audit store |
| Manage Scopes | Add a subnet or Active Directory site; Remove a subnet or Active Directory site |
| Manage SQL Logins | Set the allowed incoming accounts for this audit store’s databases; Set the allowed incoming accounts for collectors |
| Manage Collectors | Enable collector trusted group for this audit store; Add collector to the trusted collector group in this audit store; Remove collector from the trusted collector group in this audit store; Remove disconnected collector record from this audit store |
| Manage Audited Systems | Enable audited computers trusted group for this audit store; Add audited computer to the trusted audited computer group in this audit store; Remove audited computer from the trusted audited computer list in this audit store; Remove disconnected audited computer record from this audit store |
| Manage Databases | Add audit store database to this audit store; Attach audit store database to this audit store; Detach an audit store database from this audit store; Change active database in this audit store; Modify the display name of a version 2 audit store database |
| Manage Database Trace | Enable or disable database trace; Export database trace |

Adding More Audit Stores to an Installation

The audit store typically maps one-to-one with an Active Directory site. However, in some situations it is desirable to define the scope of an audit store differently:

  • A subnet that Active Directory considers part of a site may be connected over a slow link. In this situation, you probably want to configure another audit store and collectors that service audited computers in the remote subnet.
  • A very large site may require multiple audit stores for load distribution. You can accomplish this by partitioning an Active Directory site into multiple audit stores based on subnets. Each subnet has its own audit store and set of collectors and audited computers.

Two common audit store actions are:

  • Adding a new audit store in a new site, and using the Select Scope page in the Add Audit Store Wizard to configure the site settings.
  • Splitting an audit store in two, using the audit store’s Properties page to adjust the scope of the existing audit store, and then adding a new audit store.

To configure the audit store to support a particular subnet, click the Subnet radio button, and fill in the subnet IP address and mask.
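
A planning check for the subnet-based split described above, written as an added example that is not part of the product or its documentation. It takes the subnet address and mask pairs you intend to enter for each audit store and reports subnets claimed by two stores and audited computers that match no subnet or more than one. Store names, subnets and host addresses are constructed sample data, and Active Directory site scopes are not modeled, so a host listed as uncovered may still fall under a site scope.

```python
import ipaddress

# Constructed sample data: planned subnet scopes (address/mask) per audit store
# and audited computers. All names and addresses are hypothetical.
PLANNED_SCOPES = {
    "AuditStore-HQ": ["10.1.0.0/255.255.0.0"],
    "AuditStore-Remote": ["10.1.40.0/255.255.255.0", "10.2.0.0/255.255.0.0"],
}
AUDITED_COMPUTERS = {
    "hq-app01": "10.1.12.7",
    "remote-db01": "10.1.40.15",
    "branch-web01": "10.2.3.4",
    "lab-test01": "192.168.5.9",
}

def parse_scopes(scopes):
    """Return (store, network) pairs; strict parsing rejects an address with host bits set."""
    return [(store, ipaddress.ip_network(subnet, strict=True))
            for store, subnets in scopes.items() for subnet in subnets]

def overlapping_scopes(scopes):
    """Find subnets that are claimed by two different audit stores."""
    nets = parse_scopes(scopes)
    return [(s1, str(n1), s2, str(n2))
            for i, (s1, n1) in enumerate(nets)
            for s2, n2 in nets[i + 1:]
            if s1 != s2 and n1.overlaps(n2)]

def assign_computers(scopes, computers):
    """Map each computer to every audit store whose subnet scope contains its address."""
    nets = parse_scopes(scopes)
    result = {}
    for host, addr in computers.items():
        ip = ipaddress.ip_address(addr)
        result[host] = sorted({store for store, net in nets if ip in net})
    return result

def review(scopes, computers):
    """Summarize what needs attention before the scope change is applied."""
    assignment = assign_computers(scopes, computers)
    return {
        "overlaps": overlapping_scopes(scopes),
        "uncovered": sorted(h for h, s in assignment.items() if not s),
        "ambiguous": sorted(h for h, s in assignment.items() if len(s) > 1),
    }

if __name__ == "__main__":
    for key, value in review(PLANNED_SCOPES, AUDITED_COMPUTERS).items():
        print(f"{key}: {value}")
```

In the sample data the existing store still covers the whole 10.1.0.0/16 range, so the remote subnet is claimed twice; this is the state you would see if the new audit store were added before the existing store's scope was adjusted.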