Configure Audit Archiving Filters for Event Log

Audit archiving filters define which events are saved to the Long-Term Archive or the Audit Database and allow more granular reporting. For example, to audit Internet Information Services (IIS) or to track the health status of the product, enable the Internet Information Services Events or the Netwrix Auditor System Health filter respectively. You can also skip certain events with exclusive filters (e.g., computer logons). You can enable, disable and modify existing filters, and create new ones. To do so, click Configure next to Audit archiving filters.

The product allows creating inclusive and exclusive audit archiving filters.

To configure audit archiving filters, perform the following:

  • To create or modify an audit archiving filter, see To create or edit an audit archiving filter.
  • To collect the events required to generate a specific report, select the filter whose name matches that report's name. Alternatively, click Enable and select Filters for Reports: all filters required to store events for the available reports are selected automatically.

To create or edit an audit archiving filter

  1. On the Audit archiving filters page, click Add or select a filter and click Edit.
  2. Complete the fields. Review the following for additional information:

    Option Description
    The Event tab

    Name

    Specify the filter name.

    Description

    Enter the description for this filter (optional).

    Event Log

    Select an event log from the drop-down list. Depending on the filter type, events from this log will be written to, or excluded from, the selected storage. You can also type the name of a log that is not in the list.

    To find out a log's name, navigate to Start > Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows Server 2012 R2 and below) > Event Viewer > Applications and Services Logs > Microsoft > Windows, expand the required <Log_Name> node, right-click the log under it and select Properties. The event log's name is shown in the Full Name field.

    Netwrix Auditor Event Log Manager does not collect the Analytic and Debug logs, so you cannot configure filters for these logs.

    NOTE: You can use a wildcard (*) as the log name. In an inclusive filter, events from all Windows logs (except the Analytic and Debug logs mentioned above) will be saved; in an exclusive filter, events from all Windows logs will be excluded.

    Write to/Don't write to

    Select the storage (Long-Term Archive and/or Audit Database) that events matching this filter are written to (inclusive filter) or not written to (exclusive filter).

    NOTE: It is recommended to write events both to the Long-Term Archive and to the Audit Database: if the database becomes corrupted, you can import the necessary data from the Long-Term Archive using the Database Importer tool. See Import Audit Data with the Database Importer for more information.

    The Event Fields tab

    Event ID

    Enter the identifier of the specific event that you want to be saved. You can add several IDs separated by commas.

    Event Level

    Select the event types (levels) that you want to be saved. If the Event Level check box is cleared, events of all levels are saved.

    NOTE: Success Audit and Failure Audit events are reported at the Information level. If you rely on inclusive Success Audit/Failure Audit filters, do not select the Information check box in an exclusive filter, otherwise those audit events will be excluded as well.

    Computer

    Specify a computer (as it is displayed in the Computer field in the event properties). Only events from this computer will be saved.

    NOTE: To specify several computers, define a case-sensitive mask for this parameter. Examples of masks:

    • * - any machine
    • computer - a machine named 'computer'
    • *computer* - machines with names like 'xXxcomputerxXx' or 'newcomputer'
    • computer? - machines with names like 'computer1' or 'computerV'
    • co?puter - machines with names like 'computer' or 'coXputer'
    • ????? - any machine with a 5-character name
    • ???* - any machine with a 3-character name or longer

    User

    Enter a user’s name. Only events created by this user will be saved.

    NOTE: If you need to specify several users, you can define a mask for this parameter in the same way as described above.

    Source

    Specify this parameter if you want to save events from a specific source. Input the event source as it is displayed in the Source field in the event properties.

    NOTE: If you need to specify several sources, you can define a mask for this parameter in the same way as described above.

    Category

    Specify this parameter if you want to save events of a specific category.

    The Insertion Strings tab

    Consider the following event Insertion Strings

    Specify this parameter to store only events whose EventData contains a specific string. You can use a wildcard (*). Click Add and specify the insertion string.
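The following is an added example, not Netwrix product code, that models how the Event Fields settings above combine: the case-sensitive computer/user/source masks with * and ?, the Event ID list, the Event Level check boxes, and the Information-level caveat for Success Audit/Failure Audit events. The sample events are constructed, not real log data. Two points are assumptions rather than documented behaviour: an event is stored when at least one inclusive filter matches and no exclusive filter matches, and a filter with several insertion strings matches when any one of them matches any EventData string.

```python
"""Model of inclusive/exclusive audit archiving filters (added example,
not Netwrix code). Masks use '*' (any run of characters) and '?' (one
character) and are case-sensitive; an empty ID or level set means "any"."""
import re
from dataclasses import dataclass


def mask_to_regex(mask: str) -> "re.Pattern":
    """Translate a mask into a regex; anchoring is done by fullmatch()."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in mask]
    return re.compile("".join(parts), re.DOTALL)


def mask_match(mask: str, value: str) -> bool:
    """Case-sensitive match of the whole value against the mask."""
    return mask_to_regex(mask).fullmatch(value) is not None


@dataclass(frozen=True)
class Event:
    log: str
    event_id: int
    level: str
    computer: str
    user: str
    source: str
    insertion_strings: tuple = ()


@dataclass(frozen=True)
class ArchivingFilter:
    name: str
    inclusive: bool                      # True = "Write to", False = "Don't write to"
    event_log: str = "*"                 # log name or mask; "*" = every collected log
    event_ids: frozenset = frozenset()   # empty = any Event ID
    levels: frozenset = frozenset()      # empty = Event Level check box cleared (any level)
    computer: str = "*"
    user: str = "*"
    source: str = "*"
    insertion_strings: tuple = ()        # assumption: any mask matching any EventData string

    def matches(self, ev: Event) -> bool:
        if not mask_match(self.event_log, ev.log):
            return False
        if self.event_ids and ev.event_id not in self.event_ids:
            return False
        if self.levels and ev.level not in self.levels:
            return False
        for mask, value in ((self.computer, ev.computer), (self.user, ev.user), (self.source, ev.source)):
            if not mask_match(mask, value):
                return False
        if self.insertion_strings:
            return any(mask_match(m, s) for m in self.insertion_strings for s in ev.insertion_strings)
        return True


def should_archive(filters, ev: Event) -> bool:
    """Assumption: stored when an inclusive filter matches and no exclusive filter matches."""
    hit_inclusive = any(f.inclusive and f.matches(ev) for f in filters)
    hit_exclusive = any(not f.inclusive and f.matches(ev) for f in filters)
    return hit_inclusive and not hit_exclusive


# Constructed sample events. Success Audit events (4624) carry the Information level.
EVENTS = [
    Event("Security", 4624, "Information", "DC01", "jsmith", "Microsoft-Windows-Security-Auditing", ("jsmith", "DC01", "3")),
    Event("Security", 4624, "Information", "DC01", "WEB01$", "Microsoft-Windows-Security-Auditing", ("WEB01$", "DC01", "3")),
    Event("Application", 1000, "Error", "WEB01", "N/A", "Application Error", ("w3wp.exe",)),
    Event("System", 7036, "Information", "WEB01", "N/A", "Service Control Manager", ("W3SVC", "running")),
]

FILTERS = [
    ArchivingFilter("Security events", inclusive=True, event_log="Security"),
    ArchivingFilter("Application errors on web servers", inclusive=True, event_log="Application",
                    levels=frozenset({"Error", "Critical"}), computer="WEB*"),
    # Exclusive filter for computer logons: machine accounts end in '$'
    ArchivingFilter("Skip computer logons", inclusive=False, event_log="Security",
                    event_ids=frozenset({4624, 4634}), user="*$"),
]


def archived(filters=FILTERS, events=EVENTS):
    return [ev for ev in events if should_archive(filters, ev)]


def information_level_caveat() -> bool:
    """Does the jsmith Success Audit survive an exclusive filter on the Information level?"""
    exclude_info = ArchivingFilter("Drop informational", inclusive=False, levels=frozenset({"Information"}))
    return should_archive(FILTERS + [exclude_info], EVENTS[0])


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.log:12} {ev.event_id:5} {ev.user:8} -> {'archive' if should_archive(FILTERS, ev) else 'skip'}")
    print("Success Audit kept with exclusive Information filter:", information_level_caveat())
```

Running the block archives the user logon and the application error, skips the System event (no inclusive filter) and the machine-account logon (exclusive filter), and shows that adding an exclusive Information filter also drops the Success Audit event, which is the caveat noted under Event Level.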
