SQL Server Monitoring Scope
You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the SQL Server monitoring scope.
Follow the steps to exclude data from the SQL Server monitoring scope.
Step 1 – Navigate to the %Netwrix Auditor install folder%\SQL Server Auditing folder.
Step 2 – Edit the *.txt files, based on the following guidelines:
- Each entry must be a separate line.
- A wildcard (*) is supported. You can use * for cmdlets and their parameters.
- Lines that start with the # sign are treated as comments and are ignored.
| File | Description | Syntax |
|---|---|---|
| omitarlist.txt | Lists activity records to exclude from showing up in reports, search, and activity summaries. This omit list does not affect triggerless data collection mode, SELECT statements auditing and SQL logons monitoring. Use the omitlogonlist.txt to exclude SQL logons from monitoring. Use the omitreadaccess.txt to exclude SELECT statements from monitoring. | Specify the following fields of the activity records to exclude: Monitoring plan name, `````` SQL Server instance,object type, `````` account,workstation,application name Wildcard (*) is supported and can replace any number of characters. For the account, workstation, application name fields, you can specify a mixed expression that contains both a value and a wildcard (e.g., Admin*). For example: SQLPlan,Ent-SQL,Table,guest,WksSQL,MyInternalApp |
| omiterrorlist.txt | Contains a list of errors and warnings to be excluded from logging to the Netwrix Auditor System Health event log. | Monitoring plan name,item name,error text Wildcard (*) is supported and can replace any number of characters. For example: *,sqlserver1.corp.local, *Access is denied* |
| omitlogonlist.txt | Contains a list of logons to exclude from monitoring. | monitoring plan name,SQL Server instance,logon type,account,workstation,application name For the account, workstation, application name fields, you can specify a mixed expression that contains both a value and a wildcard (e.g., Admin*). The following logon types are supported: - NtLogon — Successful logon attempt made through Windows authentication. - SqlLogon — Successful logon attempt made through SQL Server authentication. - NtFailedLogon — Failed logon attempt made through Windows authentication. - SqlFailedLogon — Failed logon attempt made through SQL Server authentication. For example: DB_M0,Ent-SQL,SQLFailedLogon,guest,WksSQL,MyInternalApp |
| omitobjlist.txt | Contains a list of object to exclude from showing up in reports, search results and activity summaries. Audit data, however, will still be collected and saved to Long-Term Archive. This omit list does not affect SELECT statements auditing, data changes auditing and logon activity auditing. Use the omitlogonlist.txt to exclude logon activity from monitoring. Use the omitreadaccess.txt to exclude SELECT statements from monitoring. | object_type_name Available object types can be found in the "Object type" column in reports. For example: Database Column |
| omitpathlist.txt | Specify the resource paths to objects that you want to exclude from showing up in search, reports and activity summaries. Audit data, however, will still be collected and saved to Long-Term Archive. This omit list does not affect triggerless data collection mode, SELECT statements auditing and logon activity auditing. Use the omitlogonlist.txt to exclude logon activity from monitoring. Use the omitreadaccess.txt to exclude SELECT statements from monitoring. | server_instance:resource_path where: - server_instance — SQL Server instance, use * for all servers - resource_path — resource path as shown in the "What" column of SQL Server report, or in search results Wildcard * is supported and can replace any part of the path. For example, to exclude information about databases whose names start with "tmp" on the SQL Server instance "PROD.SQL2012": PROD.SQL2012:Databases\tmp*. |
| omitproplist.txt | Contains a list of attributes to be excluded from being monitored and stored to the Audit Archive. | object_type_name.property_name.attribute_name where: - object_type_name—Can be found in the found in the Object Type column in change reports. - property_name—Can be found in the Details column (property name is bold). - attribute_name—Can be found in the Details column (attribute name is not bold). If an object does not have an attribute name, use the * character. For example to exclude information about the Size attribute of the Database File property in all databases: Database.Database File.Size. |
| omitstorelist.txt | Contains a list of SQL Server objects that you want to exclude from data collection and reporting. This list is only relevant to operations with SQL Server objects; it does not affect triggerless data collection mode, SELECT statements auditing and logon activity auditing. To configure exclusions for logon activity auditing (Windows or SQL logons), use the omitlogonlist.txt. Use the omitreadaccess.txt to exclude SELECT statements from monitoring. | server_instance:resource_path where: - server_instance — SQL Server instance. For all instances, use wildcard (*). - resource_path — path as shown in the "What" column of SQL Server report, or in search results. Wildcard (*) can be used to replace any number of characters. For example, to exclude information about server roles on the SQL Server instances whose names start with njsqlsrv23, enter: njsqlsrv23*:Security\Server Roles\* |
| omittracelist.txt | If you do not want the product to enable SQL tracing on some of your SQL Server instances, specify their names in this omitlist. In this case the "Who", "Workstation" and "When" values will not be reported correctly (except for content changes). This omit list does not affect triggerless data collection mode, SELECT statements auditing and logon activity auditing. Use the omitlogonlist.txt to exclude logon activity from monitoring. Use the omitreadaccess.txt to exclude SELECT statements from monitoring. | Enter the name of SQL Server instance, use * for all servers: server\instance name Wildcard (*) is supported and can replace any number of characters, e.g., MYSERVER_SQL* Examples: * *\SQLExpress MYSERVER\* |
| propnames.txt | Contains a list of human-readable names for object types and properties to be displayed in the change reports. | object_type_name.property_name=friendlyname For example: *.Date modified=Modification Time |