LT Auditor-MP uses a modular, distributed architecture. At a high level, it consists of a central server that receives and processes data from a set of purpose-built modules, each responsible for collecting activity from a specific part of your environment.
Core components:

**LT Auditor-MP Server.** The central hub of the platform. It receives incoming audit data, processes and normalizes it, stores it in the database, and serves the web-based dashboard and reporting interface. The server can be hosted on Windows or Linux.

**PostgreSQL Database.** The backend database that stores all collected audit events, configuration, and report data.

**Web UI.** A browser-based interface used by administrators to view dashboards, search events, configure the platform, manage alerts, and generate reports. Accessible via any modern browser (Chrome, Edge, or Firefox).

**Modules.** LT Auditor-MP extends its collection capabilities through installable modules, each targeting a specific data source. Modules are installed separately on the relevant servers or systems and stream data back to the LT Auditor-MP server. Current modules include:

| Module | Purpose |
|---|---|
| EventLogCentral | Collects Windows Event Logs and NTFS file activity |
| PowerShell Orchestrator | Runs assessments against Active Directory and Entra ID |
| PII Scanner | Scans Windows and Linux systems for sensitive data |
| EntraConnector | Collects Azure sign-in logs and Entra ID audit events |
| NSS Module | Collects NSS file activity from OES servers |
Data flow (simplified):
- Modules collect activity data from monitored systems
- Data is forwarded to the LT Auditor-MP server via syslog or agent-based streaming
- The server normalizes and stores the data in the database
- Administrators view, alert on, and report from the data via the Web UI