How audited sessions are collected and stored

The agent on each audited computer captures user activity and forwards it to a collector on a Windows computer. If the agent cannot connect to a collector—for example, because all of the computers hosting the collector service for the agent are shut down for maintenance—the agent spools the session data locally and transfers it to a collector later.

The collector sends the data to an audit store server, where it is stored in the Microsoft SQL Server database that you have designated as the active audit store database. As you accumulate data, you can add more SQL Server databases to the audit store, either to hold historical information or so that you can designate a different database as the active audit store database.

After the audit data is transferred to the audit store database, you can use the Audit Analyzer console to request session data. The audit management database, which stores information about all of the components that make up the auditing infrastructure, retrieves the session data from the appropriate audit store database.