Audit archiving filters define which events will be saved to the Long-Term Archive or the Audit Database, and provide more granular reporting. For example, if you are going to audit Internet Information Services (IIS) or track the product's health status, enable the Internet Information Services Events or the Netwrix Auditor System Health filter respectively. You can also skip certain events with exclusive filters (e.g., computer logons). You can enable, disable, and modify existing filters, and create new ones. To do it, click Configure next to Audit archiving filters.
The product allows creating inclusive and exclusive audit archiving filters.
To configure audit archiving filters, perform the following:
- To create or modify an audit archiving filter, see To create or edit an audit archiving filter.
- To collect the events required to generate a specific report, you must select the filter whose name matches that report's name. Click Enable and select Filters for Reports. All filters required to store events for all available reports will be selected automatically.
- On the Audit archiving filters page, click Add or select a filter and click Edit.
Complete the fields. Review the following for additional information:
The Event tab

- Filter name: Specify the filter name.
- Description: Enter a description for this filter (optional).
- Event log: Select an event log from the drop-down list. You will be alerted on events from this event log. You can also enter a different event log.
  To find out a log's name, navigate to Start → Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) → Event Viewer → Applications and Services Logs → Microsoft → Windows, expand the required <Log_Name> node, right-click the file under it and select Properties. Find the event log's name in the Full Name field.
  Netwrix Auditor Event Log Manager does not collect the Analytic and Debug logs, so you cannot configure alerts for these logs.
  NOTE: You can use a wildcard (*). For inclusive filters, all Windows logs except the ones mentioned above will be saved. For exclusive filters, all Windows log events will be excluded.
- Write to/Don't write to: Select the location to write (or not to write) events to, depending on the filter type (inclusive or exclusive).
  NOTE: It is recommended to write events both to the Long-Term Archive and to the Audit Database: if your database is corrupted, you will be able to import the necessary data from the Long-Term Archive using the DB Importer tool. See Import Audit Data with the Database Importer for more information.

The Event Fields tab

- Event ID: Enter the identifier of a specific event that you want to be saved. You can add several IDs separated by commas.
- Event level: Select the event types that you want to be saved. If the Event Level check box is cleared, all event types will be saved.
  NOTE: If you want to select the inclusive Success Audit/Failure Audit filters, note that on these platforms these events belong to the "Information" level, so they will not be collected if you select the Information check box in the Exclusive Filters.
- Computer: Specify a computer (as it is displayed in the Computer field in the event properties). Only events from this computer will be saved.
  NOTE: If you want to specify several computers, you can define a case-sensitive mask for this parameter. Examples of masks:
  - * - any machine
  - computer - a machine named 'computer'
  - *computer* - machines with names like 'xXxcomputerxXx' or 'newcomputer'
  - computer? - machines with names like 'computer1' or 'computerV'
  - co?puter - machines with names like 'computer' or 'coXputer'
  - ????? - any machine with a 5-character name
  - ???* - any machine with a 3-character name or longer
- User: Enter a user's name. Only events created by this user will be saved.
  NOTE: If you need to specify several users, you can define a mask for this parameter in the same way as described above.
- Source: Specify this parameter if you want to save events from a specific source. Enter the event source as it is displayed in the Source field in the event properties.
  NOTE: If you need to specify several sources, you can define a mask for this parameter in the same way as described above.
- Category: Specify this parameter if you want to save events of a specific category.

The Insertion Strings tab

- Consider the following event Insertion Strings: Specify this parameter if you want to store events containing a specific string in the EventData. You can use a wildcard (*). Click Add and specify the Insertion String.
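As an added illustration (not code from Netwrix Auditor), the following Python models how the case-sensitive masks, comma-separated event IDs, levels and insertion strings described above decide whether an event is archived. The filter dictionary keys, the sample event and the precedence of exclusive filters over inclusive ones are assumptions made for the example.

```python
import re

# Added model of an audit archiving filter; not Netwrix Auditor's own code.
# Mask rules from this page: '*' matches any run of characters, '?' matches
# exactly one character, and comparison is case-sensitive.

def matches_mask(mask: str, value: str) -> bool:
    """Anchored, case-sensitive match of value against a '*'/'?' mask."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in mask)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def parse_event_ids(text: str) -> set:
    """Parse the 'several IDs separated by comma' field, e.g. '4624, 4625'."""
    return {int(part) for part in text.split(",") if part.strip()}

def event_matches_filter(event: dict, flt: dict) -> bool:
    """True if the event meets every condition the filter sets. Hypothetical
    keys: log, event_ids (comma-separated string), levels (set), computer,
    user, source (masks), insertion_strings (list); a missing key = no limit."""
    if "log" in flt and not matches_mask(flt["log"], event["log"]):
        return False
    if "event_ids" in flt and event["event_id"] not in parse_event_ids(flt["event_ids"]):
        return False
    if flt.get("levels") and event["level"] not in flt["levels"]:
        return False
    for field in ("computer", "user", "source"):
        if field in flt and not matches_mask(flt[field], event[field]):
            return False
    if flt.get("insertion_strings"):
        # "Containing a specific string": the string may sit anywhere in EventData.
        if not any(matches_mask("*" + s + "*", event["event_data"])
                   for s in flt["insertion_strings"]):
            return False
    return True

def should_archive(event: dict, inclusive: list, exclusive: list) -> bool:
    """Assumed precedence: a matching exclusive filter skips the event;
    otherwise any matching inclusive filter saves it."""
    if any(event_matches_filter(event, f) for f in exclusive):
        return False
    return any(event_matches_filter(event, f) for f in inclusive)

# Constructed sample event (not real log data): one Security log entry.
SAMPLE_EVENT = {"log": "Security", "event_id": 4624, "level": "Success Audit",
                "computer": "computer1", "user": "jdoe", "source": "Security-Auditing",
                "event_data": "Logon Type: 2 Account Name: jdoe"}
```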