
Exclude Data from Exchange Monitoring Scope

You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Exchange monitoring scope. In addition, you can exclude data from non-owner access auditing.

To exclude data from Exchange monitoring scope

  1. Navigate to the %Netwrix Auditor installation folder%\Active Directory Auditing folder.
  2. Edit the *.txt files, based on the following guidelines:

    • Each entry must be a separate line.
    • A wildcard (*) is supported. For example, you can use * for a class name to specify an attribute for all classes.
    • Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

aal_omitlist.txt

For Exchange 2010 and above, the file contains a list of changes performed by cmdlets. To exclude a change from reports, specify the name of a cmdlet and the attribute that is changed by the selected cmdlet.

cmdlet.attrname

For example:

Set-User

Set-Contact

Set-Group

#Update-AddressList

Add-ADPermission

Remove-ADPermission

#RBAC:

*-MailboxAuditLogSearch

*-AdminAuditLogSearch

aal_propnames.txt

For Exchange 2010 and above, the file contains a list of human-readable names of changed attributes to be displayed in change reports. To exclude a change from the reports, specify the name of a cmdlet and the attribute that is changed by the selected cmdlet.

classname.attrname=intelligiblename

For example:

*-OutlookAnywhere.SSLOffloading = Allow secure channel (SSL) offloading

omitobjlist_ecr.txt

Contains a list of human-readable names of object classes to be excluded from change reports.

Classname

For example:

exchangeAdminService

msExchMessageDeliveryConfig

Exchange_DSAccessDC

omitpathlist_ecr.txt

Contains a list of AD paths to be excluded from change reports.

Path

For example:

*\Microsoft Exchange System Objects\SystemMailbox*

omitproplist_ecr.txt

Contains a list of object types and properties to be excluded from change reports.

object_type.property_name

NOTE: If there is no separator (.) between an object type and a property, the whole entry is treated as an object type.

For example:

msExchSystemMailbox.*

*.msExchEdgeSyncCredential

*.msExchMailboxMoveTargetMDBLink

*.adminDescription

omitreporterrors_ecr.txt

Contains a list of errors to be excluded from Activity Summaries.

Error message text

For example, to omit the error “The HTTP service used by Public Folders is not available, possible causes are that Public stores are not mounted and the Information Store service is not running. ID no: c1030af3”, add *c1030af3* to the file.

omitservers.txt

Specify Exchange servers that you want to exclude from data collection and reporting.

Syntax: host name or FQDN of Exchange server

Each entry must be a separate line. Wildcards (*) can be used to replace any number of characters. Use them to exclude multiple servers.

Examples:

exchangesrv01

exch*.mydomain.local

omitstorelist_ecr.txt

Contains a list of class and attribute names to be excluded from Exchange snapshots.

object_type.property_name

NOTE: If there is no separator (.) between an object type and a property, the whole entry is treated as an object type.

For example:

Exchange_Server.AdministrativeGroup

Exchange_Server.AdministrativeNote

Exchange_Server.CreationTime

propnames_ecr2007.txt

Contains a list of human-readable names for object classes and attributes of Exchange 2007 to be displayed in change reports.

classname.attrname=intelligiblename

For example:

msExchMDBAvailabilityGroup= Database Availability Group

To exclude users or mailboxes from the Mailbox Access monitoring scope

Netwrix Auditor allows specifying users and mailboxes that you do not want to monitor for non-owner mailbox access events. To do this, edit the mailboxestoexclude.txt, userstoexclude.txt, and agentomitusers.txt files.

  1. Navigate to the %Netwrix Auditor installation folder%\Non-owner Mailbox Access Reporter for Exchange folder.
  2. Edit mailboxestoexclude.txt, userstoexclude.txt, or agentomitusers.txt files, based on the following guidelines:

    • Each entry must be a separate line.
    • Wildcards (* and ?) are supported.
    • Lines that start with the # sign are treated as comments and are ignored.

    NOTE: You can also limit your reports by specific mailboxes. Edit the mailboxestoinclude.txt file to specify mailboxes.

File Description Syntax

mailboxestoexclude.txt

This file contains a list of mailboxes and folders that must be excluded from data collection.

Each entry must be a separate line. Wildcards (*) can be used to replace any number of characters.

  • To exclude a certain user's mailbox, enter username@domainname, e.g. john.smith@acme.com
  • To exclude a certain folder, enter username@domainname/foldername, e.g. john.smith@acme.com/Drafts
  • Use * to exclude multiple mailboxes or folders, e.g. */foldername will exclude the specified folder when processing all mailboxes.

Examples:

*admin*@corp.com

*/Drafts - exclude Drafts folder (for all mailboxes)

*/Testfolder/* - exclude subfolders of Testfolder (for all mailboxes)

mailboxestoinclude.txt

This file contains a list of mailboxes that must be included when collecting data.

NOTE: For the mailboxes added to this list, the reports will contain only non-owner access events.

Specify email address to be included in the list as username@domainname.

Example: analyst@enterprise.com

userstoexclude.txt

This file contains a list of users who must be excluded from reports if they perform non-owner access attempts on mailboxes (audit data on these users will still be stored in the state-in-time snapshots).

NOTE: If a user is removed from this list, the information on this user’s actions can be viewed with the Report Viewer.

DOMAIN\username

agentomitusers.txt

This file contains a list of users who must be excluded from reports and snapshots.

NOTE: If a user is removed from this list, audit data on this user will only be available after the next data collection. Writing new users to this file affects reports and snapshots only if Network traffic compression is enabled.

DOMAIN\username
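
An added example, not part of the Netwrix documentation: a Python review helper that parses a list in the mailboxestoexclude.txt format described above and reports which mailboxes or folders on a watchlist fall outside non-owner access monitoring, plus any catch-all entries. The matching rules (whole-string, case-insensitive, a mailbox-only entry covering all of that mailbox's folders) and the names `SAMPLE`, `review` and the watchlist are assumptions for illustration; the product's own matcher may differ.

```python
import re

# Constructed sample in the mailboxestoexclude.txt format described above.
SAMPLE = """\
# service mailboxes
*admin*@corp.com
*/Drafts
#john.smith@acme.com
*/Testfolder/*
"""

def load_entries(text):
    """One entry per line; blank lines and lines starting with '#' are skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def to_regex(entry):
    """'*' = any run of characters, '?' = one character, all else literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in entry)
    # Assumption: whole-string, case-insensitive comparison.
    return re.compile(body, re.IGNORECASE)

def excluded_by(entries, target):
    """Entries that exclude `target` ('user@domain' or 'user@domain/folder')."""
    mailbox = target.split("/", 1)[0]
    hits = []
    for entry in entries:
        # Assumption: an entry without '/' names a mailbox and covers all of
        # its folders; an entry with '/' is compared with the full path.
        subject = target if "/" in entry else mailbox
        if to_regex(entry).fullmatch(subject):
            hits.append(entry)
    return hits

def review(text, watchlist):
    """Report catch-all entries and watchlist items that go unmonitored."""
    entries = load_entries(text)
    return {
        "catch_all": [e for e in entries if not e.strip("*?/")],
        "excluded": {t: h for t in watchlist if (h := excluded_by(entries, t))},
    }

if __name__ == "__main__":
    watch = ["sysadmin@corp.com/Inbox", "ceo@corp.com/Drafts",
             "ceo@corp.com/Inbox", "john.smith@acme.com"]
    print(review(SAMPLE, watch))
```

Running a check like this against the deployed omit files after each change shows which sensitive mailboxes have dropped out of audit coverage.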

 
