
Omit file auditing based on processes

File Server

3 replies to this topic

#1 alfa21

alfa21

    Newbie

  • Members
  • 6 posts

Posted 04 July 2017 - 07:52 PM

Hi,

 

We have recently purchased Netwrix for our purposes, and we are slowly configuring it. I receive daily reports for file server activity, and I noticed a lot of auditing for file access from specific processes, as given below:

domain.com\servername$
Process: "C:\Windows\System32\fsdmhost.exe"
Process: "C:\Windows\System32\svchost.exe"

Is there a way to exclude these processes, in order to have auditing as real as possible?
 
Thank you


#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • 375 posts
  • Gender:Male

Posted 05 July 2017 - 01:57 PM

Hello,

 

You should be able to just use the omitstoreprocesslist.txt in C:\Program Files (x86)\Netwrix Auditor\File Server Auditing

Syntax: Monitoring plan name,resource path,executable path

Example: Production Servers,\\\\productionserver1.corp.local\\builds\\releases\\*,*wordpad.exe

*,*,*fsdmhost.exe

*,*,*svchost.exe

 

-Jeff
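
As an added illustration (not part of the thread and not Netwrix's own tooling), the following Python parses entries in the three-field syntax given in the reply above and reports which observed process paths each entry would leave out of reports. It assumes `*` matches any run of characters, compared case-insensitively; the function names and the sample paths are constructed for the example.

```python
import fnmatch

# Constructed sample: the two entries from the reply above.
SAMPLE_OMIT_LIST = "*,*,*fsdmhost.exe\n*,*,*svchost.exe\n"

# Constructed process paths of the kind shown in "Process:" report lines.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\fsdmhost.exe",
    r"D:\Tools\svchost.exe",
    r"C:\Program Files\Backup\agent.exe",
]


def parse_entries(text):
    """Return (entries, malformed): 3-field entries and line numbers that are not."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            malformed.append(lineno)
            continue
        entries.append(dict(zip(("plan", "resource", "executable"), fields), line=lineno))
    return entries, malformed


def glob_match(pattern, value):
    # Assumption: '*' matches any run of characters, compared case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def review(text, process_paths):
    """For each entry, list the observed process paths it would leave out of reports."""
    entries, malformed = parse_entries(text)
    findings = []
    for e in entries:
        matched = [p for p in process_paths if glob_match(e["executable"], p)]
        findings.append({
            "line": e["line"],
            "executable": e["executable"],
            "all_plans_and_paths": e["plan"] == "*" and e["resource"] == "*",
            "leading_wildcard": e["executable"].startswith("*"),
            "matched": matched,
        })
    return findings, malformed
```

An entry that has both `all_plans_and_paths` and `leading_wildcard` set applies to every monitoring plan and to a same-named executable in any directory, so compare its `matched` list against the processes you actually meant to exclude.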



#3 alfa21


Posted 05 July 2017 - 09:13 PM

Hello,

 

Thank you for the reply.

Now it is clear to me for the processes, but how do I exclude users like domain\servername$, or any other user which may run backup or any other process?

 

Thank you



#4 jeffb


Posted 07 July 2017 - 01:00 PM

This can be done with the omitstorelist.txt option.

Syntax: Monitoring plan name,Change Type,who changed,resource type,resource path,property name

Example: *,,CORP\\jsmith,*,*,

As seen in section 10.2.5. Exclude Data from File Servers Auditing Scope starting on page 127 of the Netwrix Auditor Administration Guide: https://www.netwrix....rator_Guide.pdf

 

-Jeff





