LT Auditor MP uses a modular, distributed architecture. At a high level, it consists of a central server that receives and processes data from a set of purpose-built modules, each responsible for collecting activity from a specific part of your environment.
Core components:
- LT Auditor MP Server: The central hub of the platform. It receives incoming audit data, processes and normalizes it, stores it in the database, and serves the web-based dashboard and reporting interface. The server can be hosted on Windows or Linux.
- PostgreSQL Database: The backend database that stores all collected audit events, configuration, and report data.
- Web UI: A browser-based interface used by administrators to view dashboards, search events, configure the platform, manage alerts, and generate reports. Accessible via any modern browser (Chrome, Edge, or Firefox).
- Modules: LT Auditor MP extends its collection capabilities through installable modules, each targeting a specific data source. Modules are installed separately on the relevant servers or systems and stream data back to the LT Auditor MP server.
Current modules include:
| Module | Purpose |
|---|---|
| EventLogCentral | Collects Windows Event Logs and NTFS file activity |
| PowerShell Orchestrator | Runs assessments against Active Directory and Entra ID |
| PII Scanner | Scans Windows and Linux systems for sensitive data |
| EntraConnector | Collects Azure sign-in logs and Entra ID audit events |
| NSS Module | Collects NSS file activity from OES servers |
Data flow (simplified):
- Modules collect activity data from monitored systems.
- Data is forwarded to the LT Auditor MP server via syslog or agent-based streaming.
- The server normalizes and stores the data in the database.
- Administrators view, alert on, and report from the data via the Web UI.