NetWrix SQL Server Change Reporter

NetWrix SQL Server Change Reporter Version 2.2 Administrator Guide

Contents NetWrix SQL Server Change Reporter Administrator Guide 1. INTRODUCTION... 3 1.1 KEY FEATURES... 3 1.2 LICENSING... 4 1.3 HOW IT WORKS... 5 2. GETTING STARTED... 7 2.1 SYSTEM REQUIREMENTS... 7 2.2 CONFIGURING SQL SERVER TRACING... 8 2.3 INSTALLATION... 9 3. WORKING WITH STANDARD OR FREEWARE EDITIONS... 10 3.1 CONFIGURATION... 10 3.2 DATA COLLECTION AND REPORTING... 12 3.2.1 Running a Data Collection Task... 12 3.2.2 Running an On-Demand Report... 13 3.3 CONFIGURING AND USING ADVANCED REPORTING... 14 4. WORKING WITH ENTERPRISE EDITION... 17 4.1 GETTING STARTED... 18 4.1.1 Step 1: Specify Object Type... 18 4.1.2 Step 2: Supply Default Data Processing Account... 19 4.1.3 Step 3: Specify SMTP Settings... 20 4.1.4 Step 4: Specify Computer Collection Name... 21 4.1.5 Step 5: Enable Features... 22 4.1.6 Step 6: Configure Database Settings... 23 4.1.7 Step 7: Add SQL Servers... 24 4.1.8 Step 8: Configure Feature Settings... 26 4.1.9 Step 9: Review the Settings... 27 4.2 MODIFYING COMPUTER COLLECTION SETTINGS... 28 4.3 GLOBAL SETTINGS... 30 4.3.1 Modifying Task Schedule... 30 4.3.2 Configuring E-mail Settings... 31 4.3.3 Configuring Repository Settings... 32 4.3.4 Configuring Advanced Reporting Settings... 32 4.4 DATA COLLECTION AND REPORTING... 33 4.4.1 Running a Data Collection Task... 33 4.4.2 Viewing Task Session Results... 34 4.4.3 Viewing Scheduled Reports... 35 4.4.4 Running an On-Demand Report... 36 4.5 USING ADVANCED REPORTING... 37 4.5.1 Initial Configuration of Default Advanced Reporting Settings... 37 4.5.2 Using Advanced Reporting Configuration Wizard... 39 4.5.3 Modifying Advanced Reporting Settings... 43 5. ADDITIONAL CONFIGURATION... 45 5.1 EDITING SCHEDULED TASK DIRECTLY... 45 5.2 INCLUDING AND EXCLUDING DATA TYPES TO COLLECT AND REPORT ON... 46 5.3 GROUPING MANAGED OBJECTS IN FOLDERS (ONLY AVAILABLE IN THE ENTERPRISE EDITION)... 46 5.4 IMPORTING CHANGES THAT OCCURRED BETWEEN TWO SNAPSHOTS... 47 6. ABOUT NETWRIX PRODUCTS... 48 7. DISCLAIMER... 49

1. Introduction SQL Server is a complex system that involves many different types of objects and requires almost daily changes to server configurations, security, databases, etc. It's very hard to keep track of changes and enforce fine-grained delegation rules for environments managed by multiple DBAs and operators. A hot topic today is compliance with government and industry regulations which adds challenges to all types of IT infrastructures, especially SQL databases that store business-critical data and that support business applications. The SQL Server Change Reporter is an easy-to-use auditing solution that reports changes made to your SQL Server's configurations, databases and security. The product reports on changes made to server instances, databases, users, roles, logins, schema changes and many other objects. If your situation requires monitoring of some non-default events, custom monitoring templates are available and may be ordered from NetWrix (*). The tool centrally monitors multiple servers and sends daily summary reports about any changes detected through the last day. New or changed databases, database users, roles, tables, views, indices and others - no change will pass behind the scenes, no matter who made it and how. It is especially easy to track with the Who (*) and When (*) reporting capabilities. You just setup this tool once and start getting daily summary reports about all changes grouped by server name. Advanced Reporting is also a feature with optional custom reports available for ordering from NetWrix (*). The SQL Server Change Reporter comes in three Editions: Freeware, Standard and Enterprise. The SQL Server Change Reporter can be used to: Monitor and review administrative changes on SQL servers and at database levels. Help you ensure compliance with regulatory and security requirements such as GLBA, SOX, HIPAA, and PCI through consistent auditing and reporting. Detect early all unauthorized and unwanted changes that can lead to server and database downtime. 1.1 Key Features The SQL Server Change Reporter helps you to carry out the following auditing and reporting tasks: Detect and report on changes made to server instances, databases, users, roles, logins, schema, credentials, tables, table views, table columns, stored procedures, functions, table column views, table indexes views, table column index views and other objects Audits database backup and restore operations (*) Reports include information about what changes were made, who (*) made changes and when (*) they were made Provides on-demand Web-based reporting (*) Create custom reports (can also be ordered from NetWrix) (*) Provides storage for collected audit data and enables historical reporting for any period of time (*) * Features marked with (*) are only available in the Standard and Enterprise Editions of the product. 3

1.2 Licensing The SQL Server Change Reporter is available in three editions: Freeware Edition, Standard Edition and Enterprise Edition. The table below outlines the differences between them. Feature Freeware Standard Edition Enterprise Edition Who and When fields for every change No Yes Yes Track database changes Changes made to database users, logins, credentials, roles and schemas only. Changes made to server instances, databases, users, roles, logins, schema changes, tables, table views, table columns, stored procedures, functions, table column views, table index views, table column index views and other objects Changes made to server instances, databases, users, roles, logins, schema changes, tables, table views, table columns, stored procedures, functions, table column views, table index views, table column index views and other objects Track database operations No Backup and restore Backup and restore Advanced reports based on SQL Server Reporting Services, with filtering, grouping and sorting No Yes Yes Handle multiple server collections each with its own individual settings No No Yes Predefined reports Daily report with recent changes Multiple predefined reports Multiple predefined reports Custom reports No Yes. Create manually or order from NetWrix Yes. Create manually or order from NetWrix Long-term archiving and reporting No Any period of time Any period of time Technical support Support forum Phone, e-mail Phone, e-mail Licensing Free of charge Per server; please request a quote Per server; please request a quote Integrated interface for all NetWrix products which provides centralized configuration and settings management Advanced Reporting integrated with the NetWrix Enterprise Management Console No No Yes No No Yes Advanced Reports can be viewed directly from the NetWrix Enterprise Management Console No No Yes The Free Edition can be used by companies and individuals for an unlimited time, at no charge. The Standard/Enterprise Edition can be evaluated free of charge for 20 days. 4

1.3 How It Works Figure 1: Product architecture and data flow 5

NetWrix SQL Server Change Reporter collection and reporting workflow is usually flows as follows: 1. SQL Server changes are periodically collected and stored as snapshot files. Reports displaying changes to SQL servers are generated on schedule and then sent to the specified e-mail recipient(s). Optionally, Advanced Reports can be viewed with SQL SRS Report Manager. For more details on Advanced Reporting, please see section 3.4. Using Advanced Reporting (Standard Edition) for Standard Edition and section 4.5. Using Advanced Reporting (Enterprise Edition) for Enterprise Edition. 2. A user launches the Configurator and sets the parameters for automated data collection and reporting. 3. The NetWrix Management Console - SQL Server Change Reporter - <your managed object name> (where <your managed object name> is the name of your managed object) scheduled task is launched periodically (typically, every night, at 3 AM by default; it can also be launched manually when needed). This task collects configuration snapshots and e-mails reports on databases and configuration changes to the specified recipients. 4. If SQL SRS-based reporting is configured, the task also stores information about SQL Server changes to the specified SQL server database (if the automatic data import fails, you can use the Database Importer to import data when necessary). 5. A user launches the mail client to view the reports sent by e-mail. 6. If Advanced Reporting is configured, the user launches a web browser and views the reports in Report Manager (*). * Features marked with (*) are only available in the Standard and Enterprise Editions of the product. 6

2. Getting Started This section describes the necessary prerequisites for the SQL Server Change Reporter installation. 2.1 System Requirements SQL SERVER: Supported SQL Server configurations: MS SQL Server 2000, all Editions MS SQL Server 2005, all Editions MS SQL Server 2008, all Editions Optionally you will need SQL Server 2005 Express Edition with Advanced Services to create and view the advanced Web-based reports. You can get a free copy from Microsoft Download Center COMPUTER WHERE THE SQL SERVER CHANGE REPORTER WILL BE INSTALLED: OS requirement: Windows 2000 or higher Necessary additional software: Microsoft.Net Framework 2.0 or later Microsoft Windows Installer 3.1 or later For Enterprise Edition, Microsoft Management Console 3.0 is required Additional requirements: Disk space enough for a temporary data storage (SQL server configuration snapshots and/or audit data will be stored there). We recommend at least 20 Gb of free disk space. An approximate formula is 50 bytes per every configuration object for each server. SQL Server 2005 or 2008 with Reporting Services (SSRS) is required for advanced reporting (*). SQL Server Express Edition with Advanced Services is supported; it can be installed and configured automatically. The following article explains how to configure SQL Server 2005 Express Edition to allow remote connections: http://support.microsoft.com/default.aspx?scid=kb;en-us;914277 (*) Feature is available in the Standard and Enterprise Editions only. Important: Before you install the SQL Server Change Reporter on a computer running Windows Server 2008, please turn off User Account Control (UAC). Otherwise, the product installation will fail. Required rights and permissions The account which the SQL Server Change Reporter scheduled task will use for data processing and report generation requires the following: 1) Grant Alter trace on the server. To do this using SQL Server Management Studio (SSMS), go to: SSMS - Under Security tab --> Logins --> right click the name and select properties --> Securables tab --> Click add --> Select the instance you want to add the permissions to. The permissions appear in the Effective 7

Permissions list. 2) Grant Connect SQL on the server. To do this using SQL Server Management Studio (SSMS), go to: SSMS --> right-click a database --> Properties --> Permissions and check Connect. 3) Grant Connect on all databases. To do this, follow the same instructions in Step 2. 4) Grant Select on all databases. To do this, follow the same instructions in Step 2. For Advanced Reporting (*) to work properly: The account used by the users to configure the Report Server, as well as the SQL Server Change Reporter scheduled task account, must be assigned the Content Manager role for the SSRS Home folder. To assign that role: 1. Run SSRS Report Manager (can be accessed from the Report Viewer by clicking Web-based reports (SQL SRS) link or directly by pasting the Report Manager URL from the Advanced Reporting configuration window, evoked from the SQL Server Change Reporter main window, into your web browser address string), open the Properties tab of the Home folder, and click New Role Assignment. 2. Specify the necessary group or user account in this format: domain\user (The account should be in the same domain or in a trusted domain). 3. Select Content Manager. 4. Click OK to save the role assignments. The account used by the users to view the reports, as well as the SQL Server Change Reporter scheduled task account, must be assigned the Browser role for the SSRS Home folder. To assign that role: 1. Run SSRS Report Manager (can be accessed from the Report Viewer by clicking Web-based reports (SQL SRS) link or directly by pasting the Report Manager URL from the Advanced Reporting configuration window, evoked from the SQL Server Change Reporter main window, into your web browser address string), open the Properties tab of the Home folder, and click New Role Assignment. 2. Specify the necessary group or user account in this format: domain\user (The account should be in the same domain or in a trusted domain). 3. Select Browser. 4. Click OK to save the role assignments. (*) The requirement applies to the commercial version only. 2.2 Configuring SQL Server Tracing Although some system tracing (auditing) configuration is necessary, the SQL Server Change Reporter will automatically setup all the required auditing properties on your SQL servers during the first program launch. But you can also set it up manually. To do this, on the monitored SQL servers, launch the script file 'sqlcr_db.sql', which is located in the product installation folder 8

2.3 Installation To install the SQL Server Change Reporter, run the setup program on any computer in the domain where the managed SQL servers are located. Important: If a target computer is running Windows Server 2008, make sure User Account Control (UAC) is turned off. Follow the steps of the wizard. When prompted, accept the license agreement, then specify the installation folder and click Next to proceed with the installation. On the last step of the installation wizard, the following dialog box appears: Figure 2: The SQL Server Change Reporter Setup configuration utility selection dialog box To launch the Standard or the Enterprise Edition after the installation, select the corresponding option. Alternatively, you may choose to Configure later or use existing configuration if you do not want to deal with it now or if you have already had the product installed once. Click Finish to complete the setup. To learn more on using different editions, please refer to the corresponding sections of this guide. 9

3. Working with Standard or Freeware Editions Standard and Freeware Editions allow you to use the basic configuration utility it is recommended to novice users. However, several features are unavailable for the product with a Freeware license they are marked with a (*) in the configuration description below. The Standard Edition is limited to managing a single computer collection only. If you need to monitor more than one computer collection, you have to use the Enterprise Edition (requires Enterprise license). 3.1 Configuration Launch the configuration utility from the Start menu by selecting All Programs NetWrix SQL Server Change Reporter Commercial Version Configurator (Basic Mode). The Configuration utility main window is displayed as follows: Figure 3: The SQL Server Change Reporter Freeware and Standard Editions configuration utility window 10

The following configuration settings are available in this window: 1. The Enable SQL Server Change Reporter check box enables data collection and reporting; this is selected by default. 2. The List of SQL servers to check for changes includes SQL servers you want to monitor. Use Add, Remove or Import (*) to modify the list. 3. Use the Import (*) button to import a.txt file containing a list of the SQL servers, one entry per line. 4. Specify the data storage path in the Store data to: text box. All the snapshots made by NetWrix products you are using will be stored in the corresponding subfolders of that folder. In particular, snapshots made by the SQL Server Change Reporter will be stored in the SQL Changes subfolder of the folder you specify here. 5. To enable advanced reporting based on SQL Server Reporting Services (SSRS), click Configure. For more details, see the 3.4 Using Advanced Reporting section further in this document. (*) 6. Click Change to change the report delivery schedule. By default, audit data is collected and delivered at 3.00 AM every day. 7. Under Email report delivery settings, enter the following: a) E-mail address to which the reports on SQL servers changes will be delivered (multiple addresses should be separated commas). b) Supply the SMTP server settings (the name and the port). c) Supply the From address. 8. Click Verify to test the e-mail settings you specified. 9. To launch the full-featured management console with integrated reporting and support for multiple computer collections, click Start. (**) 10. To finish with the configuration settings, click Apply. You will be prompted for the credentials to run the data collection and the report generation. Figure 4: Scheduled Task Credentials dialog box Specify the account under which the scheduled task (named NetWrix Management Console - SQL Server Change Reporter - <your managed object name>, where <your managed object name> is the name of the computer collection containing your SQL servers you have specified) will collect your SQL Servers changes data and e-mail the reports to the specified recipients. (*) Features marked are not available in the Freeware Edition of the product. (**) Only available in the Enterprise Edition of the product. If necessary, you can change the configuration settings later by invoking the configuration utility from the Start menu. 11

3.2 Data Collection and Reporting This section describes how you can perform the data collection and reporting using the SQL Server Change Reporter Freeware and Standard Editions. 3.2.1 Running a Data Collection Task When needed, you can manually launch the task named NetWrix Management Console - SQL Server Change Reporter - <your managed object name>, where <your managed object name> is the name of the computer collection containing your SQL servers you have specified, using Task Scheduler (by default, this task is launched automatically at 3.00 AM every day). Also, you can use Task Scheduler to modify the task properties (ex. schedule, account, etc.) When you run the task, it collects SQL Server snapshots together with audit data and e-mails reports on any SQL server changes to the corresponding recipients. It also sends the data to a SQL Server if configured. At the first run of the scheduled task, the message notifies you that the initial analysis is completed. Next, you can make some changes to your SQL Server to see an example of how they will be reported. After that, you can launch the scheduled task again and then check the mailbox for the new report. The changes will be reported in the format shown below. Figure 5: The SQL Server Change Reporter Summary Report email example If Advanced Reporting is configured (as described in section 3.4. Using Advanced Reporting (Standard Edition)), you can click the More reports link from this email report to view the HTML versions of the reports in your web browser. 12

3.2.2 Running an On-Demand Report To get an on-demand report on changes to the SQL servers, you can use the Report Viewer. This tool allows you to generate a report on changes that occurred between 2 snapshots of your choice. Note: The scheduled task should execute at least 2 times before the reports become available. To view the changes that occurred between the particular snapshots: 1. Launch the Report Viewer from the Start menu. Figure 6: The SQL Server Change Reporter Viewer main window 2. Select an SQL Server and snapshots (by date). Click the Generate button to generate and save a report on changes between them (in HTML format). 3. In the Save as dialog box, specify the location where the HTML report will be saved. By default, it is saved to the SQL Server Change Reporter.html file in the user s Documents folder. 4. The report will then be saved as an HTML file and will open in your default web browser to show you the changes that occurred between the selected snapshots. 13

3.3 Configuring and Using Advanced Reporting With SQL Server Reporting Services deployed, you can also configure Advanced Reporting (SSRS-based). In this case, you can use the advantages of SSRS-based reporting: Use the wide variety of reports to analyze the operation of your network environment; dozens of reports will help you to stay compliant with standards and regulations your organization is subject to (SOX, HIPAA, PCI, GLBA, SAS70 and others). Change the report filters to fine-tune the data view according to your needs. Use one of the popular formats: PDF, XLS, etc. to save the report. Apply grouping and sorting to report data. Figure 7: Advanced Report example 14

To start using Advanced Reporting with the Standard Edition, you can either click Configure when supplying the configuration settings during the product setup or invoke the configuration utility later on. In the configuration utility main window, click Configure. The Advanced Reporting Configuration Wizard will be launched. Follow the steps which are described below. 1. On the first step of the wizard, select whether you want to proceed with an automatic installation and configuration of SQL Server 2005 Express, or use the SQL Server instance that currently exists in your environment. Note: If using an existing SQL Server, make sure that the Reporting Services feature is installed and configured for that server. 2. If you selected to install and configure SQL Express, in the next step, wait for the automatic installation and configuration process to complete. 3. If you selected to configure an existing SQL Server deployment for reporting, configure the SQL Server database connection settings. Figure 8: Advanced Reporter Configuration Wizard window Note: The database on the specified server will be created automatically with the name NetWrix_SQL_Server_Change_Reporter. By default, it will be accessed using Windows authentication with the scheduled task account. To use SQL server authentication, clear the Windows Authentication check box and enter the credentials for the database access. 4. Enter and verify the URLs for Reporting Services: Report Server URL and Report Manager URL. The URLs must be in the following format: http://<server_name>/<foldername>, where <server_name> is the name of your SQL server and <folder_name> is the name of the folder where the corresponding databases are stored on your SQL Server. You can find the correct folder names in the SQL Reporting Services Configuration Manager. To do this, first launch the SQL Reporting Services Configuration Manager (for MS SQL Express 2005 it will be Start -> All Programs -> Microsoft SQL Server 2005 -> Configuration Tools -> Reporting Services Configuration) where you can find the folder names under Report Server Virtual Directory and Report Manager Virtual Directory menu categories. The default values for these folder 15

names are ReportServer$SQLExpress and Reports$SQLExpress respectively. 5. After you click Next, the configuration settings are saved. 6. Finally, review the settings and click Finish. To test your Advanced Reporting configuration, try to make some sample changes (create a new login or a database) and Run the scheduled task (see above). Then use Report Manager to view the reports under Home > NetWrix SQL Server Change Reporter folder. Note: Make sure the account under which you plan to view the reports has sufficient rights (Browser) for the Home folder. Refer to section 2.1. System Requirements for detailed instructions on how to setup the permissions. Figure 9: Advanced Report example To change the Advanced Reporting settings, in the configuration utility main window, click Configure to launch the Advanced Reporting Configuration Wizard and modify the values you need. 16

4. Working with Enterprise Edition NetWrix SQL Server Change Reporter Administrator Guide If you are using the Enterprise license, Full Featured configuration utility mode is available to you. It features the NetWrix Enterprise Management Console (implemented as an MMC snap-in) that provides flexible configuration and management capabilities. With the NetWrix Enterprise Management Console, you can: Enable and configure long-term archiving Enable and configure Advanced Reporting Define the management scope for the NetWrix product you are using (these can be domains or OUs for AD Change Reporter, SQL server instances for SQL Server Change Reporter, Exchange servers for Exchange Change Reporter, file servers for File Server Change Reporter, and so on) Enable management features for selected objects in bulk. For example, you can specify report generation frequency and recipients Handle numerous managed objects(server collections) with a single installation and having individual options for each collection Manage all NetWrix product configuration and settings via a truly integrated interface Access Advanced Reporting right from NetWrix Enterprise Management Console Start the Management Console by selecting NetWrix NetWrix SQL Server Change Reporter Commercial Version Configurator (Full Featured Mode) from the Start menu. Figure 10: NetWrix Enterprise Management Console 17

4.1 Getting Started When you start the NetWrix Enterprise Management Console for the first time, no managed objects exist. You have to create a new managed object and perform its initial configuration, as described below. 4.1.1 Step 1: Specify Object Type 1. In the NetWrix Management Console main window, navigate to the Managed Objects tree node, rightclick it and select New Managed Object. Alternatively, you can click Create New Managed Object in the Task pad on the right. 2. The New Managed Object wizard starts. On the Select Managed Object Type step, select Computer Collection to create a collection of computers to be configured for data gathering and reporting. Figure 11: New Managed Object Wizard Select Managed Object Type dialog box 18

4.1.2 Step 2: Supply Default Data Processing Account Next, you should select a user account that will be used by the SQL Server Change Reporter scheduled task as the default one for scheduled data processing and report generation. Figure 12: New Managed Object Wizard Data Processing Account setup dialog box Click Specify Account; when selecting the account, consider that it should be granted the necessary access rights (see the System Requirements section above). At the next console launches, you can specify different accounts for object processing (as described later in this document). Note: You will be presented with this step only in case if the Data Processing Account settings were not yet supplied via Settings -> Schedule NetWrix Management Console submenu. 19

4.1.3 Step 3: Specify SMTP Settings Next, specify the SMTP server settings that will be used to e-mail the reports. Supply the SMTP server name, port, and the From address. Figure 13: New Managed Object Wizard Configure SMTP Server Settings dialog box Note: You will be presented with this step only if the SMTP settings were not yet supplied via Settings -> E-mail Settings NetWrix Management Console submenu. 20

4.1.4 Step 4: Specify Computer Collection Name You then have to enter the name of the computer collection (managed object) you are creating: Figure 14: New Managed Object Wizard Computer Collection Name setup dialog box Enter the collection name, e.g., My Servers. If you want to use a specific account to process objects from this collection, enter the user name and password in this step. Alternatively, you can leave the Default account here (the one you supplied in Step 2 will be used). Important: Make sure the processing account is granted the necessary rights and permissions (see 2.1. System Requirements section above). 21

4.1.5 Step 5: Enable Features You then should specify what management features will be applied to the collection - what NetWrix products will be involved in processing data from these computers. Select the necessary items from the list of Installed Features (here the SQL Server Change Reporter is selected): Figure 15: New Managed Object Wizard Enable Features dialog box In this step, you can also download other features if you wish. For that, select an item from the Available Features list. You can read the product description and click Download Feature this will start your Internet browser and open the selected product page on the NetWrix web site. There you can download the product you have chosen. You can click Update to receive a new list of available features from the web site to decide on an installation later on. Note: Before starting any new NetWrix product installation, please close the NetWrix Enterprise Management Console. 22

4.1.6 Step 6: Configure Database Settings Next, you can specify the settings that will be used for Advanced Reporting: SQL Server where the product database resides (storing data for reporting purposes) The SQL Server Reporting Services Report Server and Report Manager URLs Note: For these settings to be applied, make sure the Enable Advanced Reporting (see 4.5.2) option is selected. Figure 16: New Managed Object Wizard Advanced Reporting SQL Settings dialog box Specify the following: SQL Server the one where the product database will be created and named in correspondence with the product that collects audit data. The database named NetWrix_SQL_Server_Change_Reporter will be created on the specified SQL Server after you click Next If you select to use Windows Authentication, the default data processing account (specified on Step 2) will be used to access the SQL Server database. To use SQL Server authentication, clear this checkbox and supply the user name and password for SQL Server access Supply SSRS Report Server and Report Manager URLs. Click Verify If you have not installed a SQL Server yet, the Wizard allows you to install and automatically configure the Express edition. To do this, click Run 23

4.1.7 Step 7: Add SQL Servers Next, populate the managed object (computer collection) with the computers (SQL Servers) whose audit data needs to be processed. Figure 17: Add Computer dialog box Click Add. Select SQL Server Instance. The dialog box will appear so you can enter the exact name of an object/ path to be added or just browse for it. Figure 18: New Managed Object Wizard the Add submenu 24

Figure 19: New Managed Object Wizard Add Items to Collection dialog box Enter an SQL Server name here or Browse your network for the computers you want to add. 25

4.1.8 Step 8: Configure Feature Settings Next, configure the settings for the feature/product that will process this managed object (computer collection). The SQL Server Change Reporter settings are described below: Figure 20: New Managed Object Wizard Configure the SQL Server Change Reporter Settings dialog box 1. Enable the reporting feature by selecting the corresponding checkbox. 2. Enter the e-mail addresses of reports recipients. The daily SQL Server change reports will be sent to these recipients. 26

4.1.9 Step 9: Review the Settings You can then review the settings you have configured for the new managed object and Finish the Wizard. When created, the new object (computer collection) is displayed in the NetWrix Enterprise Management Console under the Managed Objects node: Figure 21: NetWrix Management Console Managed Objects window Here on the General tab, you can: Click Managed Computers to view and edit the list of managed computers (included in the created collection, i.e., in managed object) Click Add/Remove Features to specify the products you want to use for processing data from these computers You can Run an event processing task that will be performed by the feature/product configured or Stop the task execution (in this case, no report will be available). 27

4.2 Modifying Computer Collection Settings This section describes how to change settings of an existing managed object (computer collection). 4.2.1 Edit Computers List To view or edit the list of computers included in the selected collection, select the required Managed Object from the tree on the left, click Managed Computers on the General tab of the Task pad or just switch to the Computers tab. You can then Add or Remove computers from the list. Figure 22: New Managed Object Wizard Computer Collection item list window 28

4.2.2 Re-configure Features Under the managed object (computer collection) you selected, click the feature/product that was assigned to process data from the computers included in the collection. Configuration settings for the feature will be displayed on the right: Figure 23: NetWrix Management Console the SQL Server Change Reporter Settings dialog box Make the changes you need (options are described in the Enable Feature section above). 29

4.3 Global Settings Important: These settings are global. They will be applied to all the enabled features that process data from all the managed objects. For separate configuration of each scheduled task, use the methods described in the Editing Scheduled Task Directly section below in this document. 4.3.1 Modifying Task Schedule To access the scheduling settings, please go to NetWrix Management Console Settings Schedule: Figure 24: NetWrix Management Console Settings Report Delivery Schedule window By default, data processing and report delivery is scheduled to run daily at 3:00 am. To enter a new schedule (for all product tasks) click Change. If you want the task to run from a specified account, modify the Default Processing Account by clicking the corresponding Change button. 30

4.3.2 Configuring E-mail Settings To enable the email reports delivery, an effective SMTP server parameter must be configured first. To access the SMTP settings window, please go to NetWrix Management Console Settings E-mail Settings: Figure 25: NetWrix Management Console Settings E-mail Settings window Click Configure to open the Configure SMTP Settings dialog box: Figure 26: Configure SMTP Settings dialog box 31

Fill in the fields with the effective settings for your network. If your SMTP server needs authentication, then check Use SMTP authentication and enter the username and password. Also, if your SMTP server requires an SSLencrypted connection, please check the corresponding option. 4.3.3 Configuring Repository Settings Data collected by the product is saved in the file-based storage for archiving purpose in accordance with the retention period you specify. To configure the repository settings, go to NetWrix Management Console Settings Repository: Figure 27: NetWrix Management Console Settings Repository Settings window Specify repository path (default is <%All users\application Data%>\NetWrix\Management Console\Data for all Windows versions below Vista. Starting with Vista, the default repository path is ProgramData\NetWrix\Management Console\Data). To change data retention settings, select Enable long-term archiving for and specify the required value (default is 24 months). You can also use the Session retention field to specify how long to keep data in the collection sessions (i.e., how long they will be available for review); default is 60 days. After this time period, all the data will still be stored and available. 4.3.4 Configuring Advanced Reporting Settings Long-term Repository is an SQL-powered feature that allows long-term reports archiving. For details on how to setup Advanced Reporting, please refer to section 4.5. Using Advanced Reporting (Enterprise Edition). 32

4.4 Data Collection and Reporting This section shows you how to perform data collection and reporting using NetWrix Enterprise Management Console. 4.4.1 Running a Data Collection Task To run the data collection, select a managed object (from which you want to collect and report the changes) from the tree in the NetWrix Management Console and click Run in the right pane on the General tab: Figure 28: NetWrix Management Console Running Data Collection Task window SQL Server snapshots will be collected and specified reports will be e-mailed to the selected recipients. Task session information can be examined using NetWrix Enterprise Management Console, as described below. 33

4.4.2 Viewing Task Session Results All task operation information is shown in the NetWrix Management Console. Expand the node of the feature (product) you need, for example, SQL Server Change Reporter, and select Sessions. Then select the data collection session you need to examine and review the information shown in the right pane: Figure 29: NetWrix Management Console Task Session Results window For each selected session, you can review the following information: Session status Success, Warning, Error, or Fatal Error (meaning that data collection failed to start due to incorrect account, remote computer powered off, or other reason specified in the Details below). Type the product that processed data during the selected session. SQL Server the list of servers included into the managed object (collection) processed during the session Details the detailed results of the audit data collection. To generate a report on data collected during the selected session, use the settings in the lower pane on the right: Server name - supply a SQL Server name whose data will be included in the report. Click Run to launch the report generation process and automatically show the results. To see the report generated earlier (i.e., history), click View report (if the report has no history, it will be first generated and then displayed). 34

4.4.3 Viewing Scheduled Reports When the scheduled task is first run, the message notifies you of the initial analysis being completed. Next, you can make some changes to your SQL server to see the way they will be reported. After that, you can launch the scheduled task again and check the mailbox for the new report. The changes should be reported as shown in the figure below. If so, consider the product installation and configuration complete. Figure 30: Scheduled Reports email example If Advanced Reporting is configured (as described in the Using Advanced Reporting section of this guide), you can click the More reports link from this email report to view HTML reports in your web browser. 35

4.4.4 Running an On-Demand Report To quickly attain a report on changes between certain days, go to NetWrix Management Console Managed Objects <computer_collection_name> Ad-hoc Reports node, select the report you need. On the General tab on the right, click Run. This will generate a report in HTML format and open it in the web browser. Note: To cancel the report generation process, click Stop. You can also specify: SQL server - supply a SQL Server name whose data will be included in the report Date range - by default, this filter is set for the previous date Figure 31: NetWrix Management Console Ad-Hoc Report filtering settings window 36

4.5 Using Advanced Reporting With SQL Server Reporting Services deployed, you can also configure Advanced Reporting (SSRS-based). In this case, you can use the advantages of SSRS-based reporting: Use a wide variety of reports to analyze the operation of your network environment; dozens of reports will help you to stay compliant with standards and regulations your organization is subject to (SOX, HIPAA, PCI, GLBA, SAS70, and others). Change the report filters to fine-tune the data view according to your needs. Use one of the following popular formats to save the report: PDF, XLS, etc. Apply grouping and sorting to report data. 4.5.1 Initial Configuration of Default Advanced Reporting Settings In the NetWrix Management Console, under the Settings node, select Reporting. Then click Configure on the right pane. The Advanced Reporting Configuration Wizard will be launched. Follow the steps described below. Figure 32: NetWrix Management Console Advanced Reporting Settings window To change your SQL server settings, click Configure. The following dialog window appears: 37

Specify the following: Figure 33: Configure Advanced Reporting dialog box SQL Server the one where the product database will be created and named in correspondence with the product that collects audit data. The database named NetWrix_SQL_Server_Change_Reporter will be created on the specified SQL Server after you click Next. If you select to use Windows Authentication, the default data processing account (see section 4.1.2. Step 2: Supply Default Data Processing Account) will be used to access the SQL Server database. To use SQL Server authentication, clear this checkbox and supply the user name and password for the SQL Server access. Supply SSRS Report Server and Report Manager URLs. Click Verify. The URLs must be in the following format: http://<server_name>/<foldername>, where <server_name> is the name of your SQL server and <folder_name> is the name of the folder where the corresponding databases are stored on your SQL Server. You can find the correct folder names in the SQL Reporting Services Configuration Manager. To do this, first launch the SQL Reporting Services Configuration Manager (for MS SQL Express 2005, go to Start - > All Programs -> Microsoft SQL Server 2005 -> Configuration Tools -> Reporting Services Configuration) where you can find the folder names under Report Server Virtual Directory and Report Manager Virtual Directory menu categories. The default values for these folder names are ReportServer$SQLExpress and Reports$SQLExpress respectively. If you have not installed an SQL Server yet, the Wizard allows you to install and automatically configure the Express edition. To do this, click Start. For details on using the Wizard, please refer to the section below. 38

4.5.2 Using Advanced Reporting Configuration Wizard The Advanced Reporting Configuration Wizard helps you configure Advanced Reporting settings that will be used as the default values. 1. On the first step of the wizard, select whether you want to proceed with automatic installation and configuration of SQL Server 2005 Express (recommended if you are installing Change Reporter), or use the SQL Server instance that currently exists in your environment. Figure 34: Advanced Reporting Configuration Wizard mode selection dialog box Note: If you are using an existing SQL Server, make sure that Reporting Services is installed and configured for that server. 2. If you selected to install and configure SQL Express, wait for the automatic installation and configuration process to complete. 3. If you selected to configure the existing SQL Server deployment for reporting, configure SQL Server database connection settings and URLs of Reporting Services, as shown below. Figure 35: Advanced Reporting Configuration Wizard mode SQL settings dialog box 39

Note: The database on the specified server will be selected automatically this will be the one you have specified (or created) when creating the Managed Object (see Creating a New Managed Object section above). By default, the database name is NetWrix_SQL_Server_Change_Reporter, but you can change it to anything you like. 4. After you click Next, the configuration settings will be saved. Click Close to review the settings. Figure 36: Advanced Reporting Configuration Wizard configuration progress dialog box 5. Finally, review the settings and click Finish. Figure 37: Advanced Reporting Configuration Wizard summary dialog box 6. Optionally: if you want a managed object to have different settings for Advanced Reporting, navigate to Managed Objects <object_name> SQL Server Change Reporter Advanced Reports node and click on the Settings tab. 40

Figure 38: NetWrix Management Console Advanced Reporting Settings configuration window Here you can either use the default settings or select the Customize option and enter specific reporting settings you need for the managed object or product you are working with (see the next section for details). Click Enable advanced reporting and specify the necessary values. Then click Apply. To test your advanced reporting configuration, try to make sample changes, Run the related data collection task (see above) and then navigate to the Advanced Reports node to start viewing reports. 41

Figure 39: Advanced Report example 42

4.5.3 Modifying Advanced Reporting Settings To change the default Advanced Reporting settings, select Settings Advanced Reporting, and open the Settings tab. Select the Enable advanced reporting option. Figure 40: NetWrix Management Console Advanced Reporting Settings configuration window If you want to override the common settings with individual settings for this object, select the Customize option and then specify the necessary field values: Enter SQL Server and product database names Important: If you have multiple NetWrix products deployed, consider that each of them must use a separate database. Databases can be located on the same SQL server. If you want to connect to the database using SQL Server authentication, supply access credentials (do not select Windows Authentication) Note: Alternatively, you can use Windows Authentication to connect to the database. If this option is selected, the account specified at Run As for the scheduled task will be used. Enter the SSRS Report Server and Report Manager URLs. Click Verify. 43

You can also click Run Wizard and follow the steps (e.g., to install SQL Server Express) refer to Initial Configuration of Default Reporting Settings section above for details. To upload the set of predefined report templates to the Report Server in the Web-based Reporting section, click Upload. To launch the web browser and open the reports in the Report Viewer, click Navigate. To save the updated configuration, click Apply. 4.5.4 Viewing Advanced Reports Using a Web Browser To view the Advanced Reports, please open your web browser and type in the address string for your Advanced Reports website (for details see 3.4.1 Configuring Advanced Reporting Settings). On the Report Manager web page, navigate to Home > NetWrix SQL Server Change Reporter and select the type of changes you want to see the reports on. Below is an example of an Advanced Report: Figure 41: Advanced Report example 44

5. Additional Configuration This section describes additional configuration options. Please note that some of them are not available in the Freeware Edition. 5.1 Editing Scheduled Task Directly The SQL Server Change Reporter uses a standard Windows scheduled task called NetWrix Management Console - SQL Server Change Reporter - <your managed object name>, (<your managed object name> is the name of the computer collection containing the SQL servers you have specified) to schedule its operation. You can modify the task schedule by clicking the Change button in the configuration utility main window (Basic Mode only): Figure 42: Task Scheduling dialog box Alternatively, you can edit the schedule and other parameters of this task directly in its properties. Important: Use these steps to modify the scheduled task for the particular product. The settings available in NetWrix Management Console Settings Schedule are global; they will affect all NetWrix products you are configuring. For separate configuration of each scheduled task, use the methods described in this section. 45

5.2 Including and Excluding Data Types to Collect and Report On It is possible to fine-tune data collection and reporting by changing the following configuration files located in the product installation folder: To filter out the attributes and classes you do not want in your reports, add their names to the following files: omitproplist.txt (for attributes) and omitobjlist.txt (for object classes). However, these values will still be saved to the repository. To change attribute display names in the report, you can modify these names in the propnames.txt file. To prevent certain properties from being saved to the data storage, add their names to the omitstorelist.txt file. To exclude certain SQL objects from auditing, add their resource paths to the omitpathlist.txt file. 5.3 Grouping Managed Objects in Folders (only available in the Enterprise Edition) It is possible to logically group existing managed objects into custom folders. Placing objects into folders does not change anything in terms of configuration options. To create a folder, right-click on the Managed Objects node of the NetWrix Management Console and select New Folder. Figure 43: Creating a new folder Newly created managed objects can then be placed in the folders to help you navigate the list. 46

5.4 Importing Changes That Occurred Between Two Snapshots Database Importer lets you import the SQL server changes that occurred between two snapshots to an SQL server database for advanced analysis through Microsoft SQL Server Reporting Services. You can launch Database Importer from the Start menu. (This method is supported for a single computer collection only. If you need to process multiple collections, use Full Featured Mode.) Note: The scheduled task should execute at least 2 times for snapshots to become available. Figure 44: The SQL Server Change Reporter Database Importer main window Specify an SQL server whose changes will be imported; select the snapshots you need. Click Configure to specify where to import the data; to start the process, click Import. In most cases, the use of Database Importer is not required because the data is imported according to the schedule and automatically stored in the specified database if the corresponding option is selected. However, you may need to manually import the data when, for example, the database fails or any other error occurs. 47

6. About NetWrix Products Solutions developed by NetWrix Corporation help organizations to meet compliance standards, simplify identity management, and reduce IT infrastructure costs. The product line includes solutions for change management, identity management, virtualization, and Active Directory troubleshooting. Enterprise Management Suite: NetWrix Enterprise Management Suite is a rich collection of all NetWrix products combined together into one integrated solution. The suite is well-maintained, regularly updated with new versions and completely new products that all customers are entitled to as long as their maintenance is up to date. Change Reporter Suite: The Change Reporter Suite is an integrated solution for automated tracking and reporting of all critical changes in the entire IT infrastructure, including Active Directory, file servers, Microsoft Exchange, filer appliances such as NetApp or EMC, virtual infrastructure, physical infrastructure and SQL Server databases. Everything is centrally audited, consolidated, and presented in easy to understand reports with before and after values of all who, what, when and where modifications. Identity Management Suite: The NetWrix Identity Management Suite brings convenience, enhanced security, and sensible benefits to everyone within an organization. The solution resolves account lockouts, forgotten passwords and password expiration problems, while also providing user account de-provisioning and privileged password management. Active Directory Change Reporter: Full-featured Active Directory auditing and compliance solution with full coverage of AD, Group Policy, Exchange, and object-level rollback capabilities. Tracks who changed what, when, and where in Active Directory and related systems. USB Blocker: USB Blocker enforces centralized access control to prevent unauthorized use of removable media that connects to computer USB ports memory sticks, removable hard disks, ipods, and more. File Server Change Reporter: File server and filer appliance auditing solution. Supports Windows servers, NetApp Filers and EMC appliances. SQL Server Change Reporter: Auditing and reporting solution to monitor changes to SQL servers, instances, database schema, logins and roles, etc. Privileged Account Manager: Shared access to privileged accounts with automatic password maintenance. Non-owner Mailbox Access Reporter: Track users who access other user s mailboxes and report unauthorized access to mailboxes of C and VP-level accounts. Password Manager: product gives end users the ability to securely manage their passwords and resolve account lockout incidents in a self-service fashion without involvement of help desk personnel. Account Lockout Examiner: detects, diagnoses, and resolves account lockouts in real time to reduce administrative costs associated with manual resolution of account lockouts. Full list of products: http://www.netwrix.com/products.html For more information, please visit www.netwrix.com or call our toll-free number: +1-888-638-9749. 48