How To Use Omit Lists

Reference
9.8
omit
omit list
omitlist
https://kb.netwrix.com/4845

Omit lists are handy tools for filtering unwanted data or “noise”. Consider each omission carefully before making it. All omit lists include instructions and examples at the top of the text file. Below are omit lists organized by data source.


Active Directory

Active Directory omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing”

  • Omitallowedpathlist
    • Allows you to exclude Active Directory paths from Active Directory change reports
    • Entry Example: domain/OU1
  • Omiteventuserlist
    • Specify users you want to omit in the Who column in Active Directory search results, reports and Change Summaries. All other audit data regarding the specified user will be displayed.
    • Entry Example: Domain\Username or *svc*
  • Omitobjlist
    • Specify object classes you want to exclude from AD change reports.
    • Entry Example: dnsNode or printQueue
  • Omitonrenamelist
    • Specify object classes and attributes you want to exclude from AD change reports when an item is renamed/moved.
    • Entry Example: classname.attrname
  • Omitpathlist
    • Specify the AD paths you want to exclude from AD change reports.
    • Entry Example: *\HealthMailbox*
  • Omitproplist
    • Specify object classes and attributes you want to exclude from AD change reports.
    • Entry Example: classname.attrname or *.msDS-GenerationId
  • Omitreporterrors
    • Specify errors you want to exclude from AD change reports.
    • Entry Example: error text or *401*
  • Omitreportproplist
    • Put object classes and attributes you don’t want to be included in AD change reports.
    • Entry Example: classname.attrname
  • Omitsitproplist
    • Specify object classes and attributes you want to exclude from Active Directory State-in-Time reports.
    • Entry Example: classname.attrname
  • Omitsnapshotpathlist
    • Put AD paths you don’t want to be included in AD snapshots.
    • Entry Example: *\OU1\*
  • Omitstorelist
    • Specify object classes and attributes you want to exclude from AD snapshot.
    • Entry Example: classname.attrname
  • Omituserlist
    • Specify users whose activity you want to exclude from Active Directory search results, reports and Change Summaries.
    • Entry Example: Domain\Username or *\Administrator
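
An added example, not part of the Netwrix article or product: before adding a wildcard entry to Omiteventuserlist or Omituserlist, this sketch previews which accounts the entry would hide. It assumes `*` and `?` wildcards, case-insensitive matching and `#` comment lines; the list content and account names are constructed.

```python
import fnmatch

# Constructed list content; "#" comment lines are an assumed file convention.
SAMPLE_OMITUSERLIST = """\
# constructed sample, not a shipped Netwrix file
CORP\\Administrator
*svc*
*\\Administrator
*
"""

# Constructed "Who" values from a hypothetical audit trail.
SAMPLE_WHO = ["CORP\\svc_backup", "CORP\\Administrator", "CHILD\\Administrator",
              "CORP\\jsvcolson",  # a person whose name contains "svc"
              "CORP\\alice"]

def parse_omit_list(text):
    """Return the non-empty, non-comment entries, one per line."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def matches(entry, value):
    """Case-insensitive match with '*' and '?' wildcards (assumed semantics)."""
    # Neutralise '[' so fnmatch does not read it as a character class.
    pattern = entry.lower().replace("[", "[[]")
    return fnmatch.fnmatchcase(value.lower(), pattern)

def preview(entries, who_values):
    """Map each entry to the accounts it would hide."""
    return {e: [w for w in who_values if matches(e, w)] for e in entries}

def risky_entries(entries, who_values, max_share=0.5):
    """Flag wildcard-only entries and entries hiding more than max_share of accounts."""
    hits = preview(entries, who_values)
    flagged = []
    for e in entries:
        only_wildcards = not e.replace("*", "").replace("?", "")
        share = len(hits[e]) / len(who_values) if who_values else 0.0
        if only_wildcards or share > max_share:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    entries = parse_omit_list(SAMPLE_OMITUSERLIST)
    for entry, hidden in preview(entries, SAMPLE_WHO).items():
        print(f"{entry!r} hides {hidden}")
    print("review before deploying:", risky_entries(entries, SAMPLE_WHO))
```

Run against an export of real account names, the preview shows when a pattern meant for service accounts also hides a person's activity.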

Azure AD

Azure AD omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Azure AD Auditing”

  • OmitPropList
    • Specify object classes and attributes you want to exclude from Azure AD search results, reports and Change Summaries.
    • Entry Example: classname.attrname
  • Omituserlist
    • Specify users whose activity you want to exclude from Azure AD search results, reports and Change Summaries.
    • Entry Example: user@tenant.com

Event Log Manager

Event Log Manager omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Event Log Management”

  • OmitErrorList
    • Specify errors that occurred during data collection and that you want to exclude from saving to the Netwrix Auditor System Health event log.
    • Entry Example: Error Text or *Error Text*
  • OmitServerList
    • Specify the IP addresses or names of the servers you want to exclude from processing.
    • Entry Example: ip address or server name

Exchange

Exchange omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing”

  • Omitexchangeserverlist
    • Specify the Microsoft Exchange 2010 servers to be excluded from data collection.
    • Entry Example: Servername.Domain.local
  • Omitobjlist_ecr
    • Specify object classes you want to exclude from MS Exchange change reports.
    • Entry Example: Exchange_DSAccessDC
  • Omitpathlist_ecr
    • Specify AD paths you want to exclude from ECR change reports.
    • Entry Example: *HealthMailbox*
  • Omitproplist
    • Specify object classes and attributes you want to exclude from MS Exchange change reports.
    • Entry Example: classname.attrname or msExchSystemMailbox.*
  • Omitreporterrors_ecr
    • Specify errors you want to exclude from MS Exchange change reports.
    • Entry Example: error text or *mailbox not found*
  • Omitserverlist_ecr
    • Specify the Microsoft Exchange 2003 servers to be excluded from data collection.
    • Entry Example: NetBIOS
  • Omitstorelist_ecr
    • Specify object classes and attributes you want to exclude from MS Exchange snapshot.
    • Entry Example: classname.attrname
  • Omitevents
    • Events to be excluded from the reports are listed here. This omit list is found at “C:\Program Files (x86)\Netwrix Auditor\Non-owner Mailbox Access Reporter for Exchange\omitevents.txt”

Exchange Online

Exchange Online omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Exchange Online Auditing”

  • Omitlist
    • Specify Administrator Audit Logging cmdlets and cmdlet parameters that you want to exclude from Exchange Online search results, reports and Change Summaries.
    • Entry Example: cmdlet or cmdlet.param
  • OmitPathList
    • Specify paths you want to exclude from Exchange Online search results, reports and Change Summaries.
    • Entry Example: FederatedEmail.*
  • OmitUserList
    • Specify user names you want to exclude from Exchange Online search results, reports and Change Summaries.
    • Entry Example: Domain\Username

File Server

File Server omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\File Server Auditing”

  • Omitcollectlist
    • Specify objects you want to exclude from being audited.
    • Entry Example: Monitoring plan name,server name,resource path
  • Omiterrors
    • Specify errors and warnings you want to exclude from logging to the Netwrix Auditor System Health event log.
    • Entry Example: Monitoring plan name,Server name,error text
  • Omitreportlist
    • Specify objects you want to exclude from showing up in reports and Change Summaries. Note that in this case audit data is still being collected and saved to Audit Archive.
    • Entry Example: Monitoring plan name,Change Type,who changed,resource type,resource path,property name
  • Omitstorelist
    • Specify objects you want to exclude from being stored to Audit Archive and showing up in reports. Note that in this case audit data is still being collected.
    • Entry Example: Monitoring plan name,Change Type,who changed,resource type,resource path,property name
  • Omitstoreprocesslist
    • Specify applications you want to exclude from being stored to Audit Archive and showing up in reports. Note that only applications running locally on the file server will be excluded.
    • Entry Example: Monitoring plan name,resource path,executable path

Group Policy

Group Policy omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing”

  • omitobjlist_gp
    • Specify Group Policy Object names you want to exclude from Group Policy change reports.
    • Entry Example: GPO_Name
  • omitproprlist_gp
    • Specify Group Policy Object settings you want to exclude from Group Policy change reports.
    • Entry Example: settingname
  • Omituserlist_gp
    • Specify user names you want to exclude from GP change reports.
    • Entry Example: Domain\Username

Logon Activity

Logon Activity omit lists are found under C:\ProgramData\Netwrix Auditor\NLA\Settings. There may be more than one GUID (a series of numbers/letters). These are related to current and possibly old Logon Activity monitoring plans. Drill down through the most recently modified GUID.

  • Settings.cfg
    • This file allows you to omit Domain Controllers and specific users
    • Entry Examples
      • When omitting Domain Controllers, copy the line <v v="OmittedDomainControllerNameInWildcardFormat1"/>
      • Paste it below the original and replace the middle text like so: <v v="DCNAME"/>
      • When omitting users, copy one of the pre-existing lines and enter the specified user on a new line
      • <v v="*USERNAME"/>

Password Expiration Notifier

Password Expiration Notifier omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Password Expiration Alerting”

  • Omitoulist
    • This file defines a list of OUs to exclude from processing. To specify these OUs and subOUs.
    • Entry Example: OU=PEN_Test2,PEN_Test

SQL Server Auditing

SQL Server Auditing omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\SQL Server Auditing”

  • Omitarlist
    • Specify activity records you want to exclude from showing up in reports, search, and activity summaries. This .txt file has no effect on SQL logons monitoring. Use the omitlogonlist.txt to exclude SQL logons from being monitored.
    • Entry Example: Monitoring plan name,SQL Server instance,object type,account,workstation,application name
  • Omitlogonlist
    • Specify logons you want to exclude from being audited.
    • Entry Example: Monitoring plan name,SQL Server instance,logon type,account,workstation,application name
  • Omitobjlist
    • Specify the object types that you want to exclude from showing up in reports, search, and activity summaries. In this case audit data is still being collected and saved to Long-Term Archive. Note: This omitlist does not affect logon activity auditing. To omit logons, use the omitlogonlist.txt. Available object types can be found in the “Object type” column in reports.
    • Entry Example: object_type_name or Database/Table/Column/etc
  • Omitpathlist
    • Specify the resource paths to objects that you want to exclude from showing up in search, reports and activity summaries. Note that in this case audit data is still being collected and saved to Long-Term Archive.
    • Entry Example: server_instance:resource_path or SERVER:Database
  • Omitproplist
    • Specify the names of attributes that you want to exclude from being audited and stored in Long-Term Archive. For a list of all available attributes, refer to Netwrix Auditor Administrator’s Guide (http://www.netwrix.com/download/documents/Netwrix_Auditor_Administrator_Guide.pdf).
    • Entry Example: object_type_name.property_name.attribute_name
  • Omitstorelist
    • Specify resource paths to SQL Server objects whose data shall not be stored in the Long-Term Archive. Note: This omitlist does not affect logon activity auditing. To omit logons, use the omitlogonlist.txt.
    • Entry Example: server_instance:resource_path
  • Omittracelist
    • If you do not want the product to enable SQL tracing on some of your SQL Server instances, specify their names in this omitlist. In this case the “Who”, “Workstation” and “When” values will not be reported correctly (except for content changes). Note: This omitlist does not affect logon activity auditing. If the “Audit SQL Server logons” option is enabled, Netwrix Auditor will create a dedicated SQL trace.
    • Entry Example: server\instance name

VMware

VMware omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\VMware Auditing”

  • Omitproplist
    • Specify SQL attributes that you wish to omit from the audit scope
    • Entry Example: Alarm/*.uf_name/ResourcePool.summary.*/etc

Windows Server

Windows Server omit lists are found under “C:\Program Files (x86)\Netwrix Auditor\Windows Server Auditing”

  • Omitcollectlist
    • Specify objects you want to exclude from being audited.
    • Entry Example: Monitoring plan name,server name,class name,property name,property value
  • Omiterrors
    • Specify errors and warnings you want to exclude from logging to the Netwrix Auditor System Health event log.
    • Entry Example: Monitoring plan name,server name,error text
  • Omitreportlist
    • Specify objects you want to exclude from showing up in reports and Change Summaries. Note that in this case audit data is still being collected and saved to Long-Term Archive.
    • Entry Example: Monitoring plan name,who,where,object type,what,property name
  • Omitsitcollectlist
    • Specify objects you do not want to include in state-in-time snapshots.
    • Entry Example: Monitoring plan name,server name,class name,property name,property value
  • Omitstorelist
    • Specify objects you want to exclude from being stored to AuditArchive and showing up in reports. Note that in this case audit data is still being collected.
    • Entry Example: Monitoring plan name,who,where,object type,what,property name