
Exclude Data from Exchange Monitoring Scope

You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Exchange monitoring scope. In addition, you can exclude data from non-owner access auditing.

To exclude data from Exchange monitoring scope

  1. Navigate to the %Netwrix Auditor installation folder%\Active Directory Auditing folder.
  2. Edit the *.txt files, based on the following guidelines:

    • Each entry must be a separate line.
    • A wildcard (*) is supported. For example, you can use * for a class name to specify an attribute for all classes.
    • Lines that start with the # sign are treated as comments and are ignored.
File Description Syntax

aal_omitlist.txt

For Exchange 2010 and above, the file contains a list of changes performed by cmdlets. To exclude a change from reports, specify the name of a cmdlet and the attribute that is changed by the selected cmdlet.

cmdlet.attrname

For example:

Set-User

Set-Contact

Set-Group

#Update-AddressList

Add-ADPermission

Remove-ADPermission

#RBAC:

*-MailboxAuditLogSearch

*-AdminAuditLogSearch

aal_propnames.txt

For Exchange 2010 and above, the file contains a list of human-readable names of changed attributes to be displayed in change reports. To exclude a change from the reports, specify the name of a cmdlet and the attribute that is changed by the selected cmdlet.

classname.attrname=intelligiblename

For example:

*-OutlookAnywhere.SSLOffloading = Allow secure channel (SSL) offloading

omitobjlist_ecr.txt

Contains a list of human-readable names of object classes to be excluded from change reports.

Classname

For example:

exchangeAdminService

msExchMessageDeliveryConfig

Exchange_DSAccessDC

omitpathlist_ecr.txt

Contains a list of AD paths to be excluded from change reports.

Path

For example:

*\Microsoft Exchange System Objects\SystemMailbox*

omitproplist_ecr.txt

Contains a list of object types and properties to be excluded from change reports.

object_type.property_name

NOTE: If there is no separator (.) between an object type and a property, the whole entry is treated as an object type.

For example:

msExchSystemMailbox.*

*.msExchEdgeSyncCredential

*.msExchMailboxMoveTargetMDBLink

*.adminDescription

omitreporterrors_ecr.txt

Contains a list of errors to be excluded from Activity Summaries.

Error message text

For example, to omit the error “The HTTP service used by Public Folders is not available, possible causes are that Public stores are not mounted and the Information Store service is not running. ID no: c1030af3”, add *c1030af3* to the file.

omitexchangeserverlist.txt

Defines Exchange 2010 and above servers to be excluded from data collection.

FQDN_server_name

For example:

mailserver01.ent.local

omitstorelist_ecr.txt

Contains a list of class and attribute names to be excluded from Exchange snapshots.

object_type.property_name

NOTE: If there is no separator (.) between an object type and a property, the whole entry is treated as an object type.

For example:

Exchange_Server.AdministrativeGroup

Exchange_Server.AdministrativeNote

Exchange_Server.CreationTime

propnames_ecr2007.txt

Contains a list of human-readable names for object classes and attributes of Exchange 2007 to be displayed in change reports.

classname.attrname=intelligiblename

For example:

msExchMDBAvailabilityGroup= Database Availability Group
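
Every entry in these files removes something from change reports, so the lists are worth reviewing like any other detection exception. The following is an added example, not Netwrix code: it parses entries in the omitproplist_ecr.txt format (one entry per line, # comments, * wildcard, no separator means object type) and shows which entries would hide a given change. Case-insensitive matching and the reading that an object-type-only entry hides all of that type's properties are assumptions; the sample entries are constructed.

```python
import re

# Constructed sample in the omitproplist_ecr.txt format (not a shipped default).
SAMPLE = """\
# noisy system attributes
msExchSystemMailbox.*
*.msExchEdgeSyncCredential
*.adminDescription
msExchMessageDeliveryConfig
"""

def parse_entries(text):
    """Return (object_type, property) pairs; property is None when no '.' is present."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are ignored
            continue
        obj, sep, prop = line.partition(".")
        entries.append((obj, prop if sep else None))
    return entries

def star_match(pattern, value):
    """Match using '*' as the only wildcard (case-insensitive: assumption)."""
    rx = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def hidden_by(entries, object_type, prop):
    """List the entries that would hide a change to object_type.prop."""
    hits = []
    for obj, pat in entries:
        if not star_match(obj, object_type):
            continue
        # Assumption: an object-type-only entry hides every property of that type.
        if pat is None or star_match(pat, prop):
            hits.append(obj if pat is None else f"{obj}.{pat}")
    return hits

def catch_all(entries):
    """Entries that match every object type and every property."""
    return [(o, p) for o, p in entries if o == "*" and p in (None, "*")]

if __name__ == "__main__":
    rules = parse_entries(SAMPLE)
    for change in [("user", "adminDescription"), ("user", "member")]:
        print(change, "->", hidden_by(rules, *change) or "reported")
```

Running `catch_all` over each list after an edit surfaces entries such as `*` or `*.*` that would suppress the whole report.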

To exclude users or mailboxes from the Mailbox Access monitoring scope

Netwrix Auditor allows specifying users and mailboxes that you do not want to monitor for non-owner mailbox access events. To do this, edit the mailboxestoexclude.txt, userstoexclude.txt, and agentomitusers.txt files.

  1. Navigate to the %Netwrix Auditor installation folder%\Non-owner Mailbox Access Reporter for Exchange folder.
  2. Edit mailboxestoexclude.txt, userstoexclude.txt, or agentomitusers.txt files, based on the following guidelines:

    • Each entry must be a separate line.
    • Wildcards (* and ?) are supported.
    • Lines that start with the # sign are treated as comments and are ignored.

    NOTE: You can also limit your reports by specific mailboxes. Edit the mailboxestoinclude.txt file to specify mailboxes.

File Description

mailboxestoexclude.txt

This file contains a list of mailboxes and folders that must be excluded from reports.

You can specify a ‘Mailbox_Name’, a ‘Mailbox_Name/Folder_Name’, or use wildcards (*/Folder_Name).

In the last example, the specified folder will be excluded in all mailboxes. If the Netwrix Auditor Mailbox Access Core Service is disabled, the ‘Mailbox_Name/Folder_Name’ lines are ignored.

mailboxestoinclude.txt

This file contains a list of mailboxes that must be included in reports.

You can specify an email address to be included in the list. For example, analyst@enterprise.com.

NOTE: In this case, reports will contain only non-owner access events of the mailboxes added to this list.

userstoexclude.txt

This file contains a list of users in the DOMAIN\username format, who must be excluded from reports if they perform non-owner access to mailboxes (audit data on these users will still be stored in the snapshots).

If a user is removed from this list, the information on this user’s actions can be viewed with the Report Viewer.

agentomitusers.txt

This file contains a list of users in the DOMAIN\username format, who must be excluded from reports and snapshots.

If a user is removed from this list, audit data on this user will only be available after the next data collection. Writing new users to this file affects reports and snapshots only if Network traffic compression is enabled.
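
The three exclusion files differ in how much evidence survives, which matters when an incident involves an excluded account. The following added example (not Netwrix code) classifies a non-owner access event against constructed sample lists, following the rules described above. The account and mailbox names are placeholders; case-insensitive matching and checking agentomitusers.txt first are assumptions.

```python
import re

# Constructed sample contents of the three exclusion files (names are placeholders).
LISTS = {
    "agentomitusers": "# service accounts\nCORP\\svc-*\n",
    "userstoexclude": "CORP\\helpdesk?\n",
    "mailboxestoexclude": "Journal\n*/Junk Email\n",
}

def load(text):
    """One entry per line; blank lines and '#' comments are ignored."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def wild(pattern, value):
    """Match with the '*' and '?' wildcards only (case-insensitive: assumption)."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

RULES = {name: load(body) for name, body in LISTS.items()}

def disposition(user, mailbox, folder, rules, core_service=True):
    """Classify one non-owner access event against the three exclusion files."""
    # Assumption: the user lists are evaluated before the mailbox list.
    if any(wild(p, user) for p in rules["agentomitusers"]):
        return "excluded from reports and snapshots"
    if any(wild(p, user) for p in rules["userstoexclude"]):
        return "excluded from reports, kept in snapshots"
    for entry in rules["mailboxestoexclude"]:
        mbx, sep, fld = entry.partition("/")
        if sep and not core_service:
            continue  # Mailbox_Name/Folder_Name lines are ignored in this mode
        if wild(mbx, mailbox) and (not sep or wild(fld, folder)):
            return "excluded from reports"
    return "reported"

if __name__ == "__main__":
    for user in ("CORP\\svc-backup", "CORP\\helpdesk1", "CORP\\alice"):
        print(user, "->", disposition(user, "ceo", "Inbox", RULES))
```

Accounts that land in the first category leave no audit data for the period they were listed, so changes to agentomitusers.txt deserve the closest review.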
