The Cache tab page contains the settings for controlling the Local Cache of audit records and tools for viewing the collected audit records.
When Audit Server performs the scheduled collection of audit data records from the machines indicated on the
Audit List, it collects the individual audit records into data files saved in the folder specified here (known
as the Local Cache). Data files remain in the Local Cache for the length of time specified in the Cache Retention section.
The Local Cache is primarily intended as temporary storage for audit records which are eventually to be transferred to permanent offline archival.
The local copies of the audit records can be retained indefinitely, or automatically deleted after a set period.
This section allows you to specify the disk folder where you wish the Local Cache to be stored.
The cache location can be any valid file folder to which the Audit Server service account has sufficient rights to read and write files.
If you must, you may indicate any valid UNC path to store the Local Cache files on a remote machine, however, be aware that should the
remote machine become unavailable for any reason, audit data collected during that period will be irretrievably lost.
Best practice requires that the Local Cache folder must be as secure as possible, and we strongly recommended that the
folder be located on a local drive using the NTFS filesystem to accomplish this.
Folder permissions should be set so that only the Audit Server service account (usually System) has Full Control. Administrators should
be set to Read-Only, and everyone else should be denied access entirely. You may also wish use the Windows operating system level
auditing to monitor the Local Cache folder for unauthorized changes.
Audit Server includes a program called DTREADER.EXE. DTReader is automatically associated with files having the extension .dtad (DT Audit Data)
during the installation of Audit Server. DTReader is used to view Audit Server data files whether from the Local Cache or retrieved from
any other storage location. You may copy the program to any machine from which you'd like to view audit records.
Note: DTREADER.EXE does not function on Windows Server Core systems. To view sync logs collected by Audit Server on Server Core systems,
you must copy the DTREADER.EXE utility from the /System32 folder to a non-Core system and use it from there to view the .dtad audit records through a network share on the Core machine.
When you click the View Audits button, the control panel applet launches DTReader to let you select and view files from your local
Audit record details using the View Audits function