False File Reads detected when auditing EMC Celerra

File Server
Copy Article URL Copied

You have a Managed Object configured to audit EMC Celerra. Change Summary emails, Reports and Searches for this Managed Object contain multiple false File Read changes.

Netwrix Auditor periodically checks audit settings (SACL) on the audited file shares. Relating to EMC Celerra, this causes generation of some specific internal events. Further, Netwrix Auditor interprets and reports these events as File Read attempts.

You can resolve this issue in two ways.

To disable auditing File Read attempts.

  1. In Netwrix Auditor Administrator Console, navigate to Managed Objects -> <Your File Servers Managed Object name> -> File Servers.
  2. Uncheck the Successful reads.

To exclude specific events from the auditing scope.

  1. On the computer where Netwrix Auditor Administrator Console is installed, navigate to %Netwrix Auditor installation folder%File Servers Auditing and open the omitstore.txt file with Notepad.
  2. Add the rows below to the .txt file:
*,Read,<DPA>,File or Folder,*,
where <DPA> is your Data Processing Account name in the DomainUser format.
Go Up