Exchange Monitoring Scope
You can fine-tune Auditor by specifying data that you want to exclude from the Exchange monitoring scope. In addition, you can exclude data from non-owner access auditing.
- Exchange Monitoring Scope
- To exclude users or mailboxes from the Mailbox Access monitoring scope
Follow the steps to exclude data from the Exchange monitoring scope:
Step 1 – Navigate to the %Netwrix Auditor installation folder%\Active Directory Auditing folder.
Step 2 – Edit the *.txt files, based on the following guidelines:
- Each entry must be a separate line.
- A wildcard (*) is supported. You can use * for cmdlets and their parameters.
- Lines that start with the # sign are treated as comments and are ignored.
| File | Description | Syntax |
|---|---|---|
| aal_omitlist.txt | For Exchange 2010 and above, the file contains a list of changes performed by cmdlets. To exclude a change from reports, specify name of a cmdlet and the attribute that is changed by the selected cmdlet. | cmdlet.attrname For example: Set-User Set-ContactSet-Group #Update-AddressList Add-ADPermissionRemove-ADPermission #RBAC: *-MailboxAuditLogSearch *-AdminAuditLogSearch |
| aal_propnames.txt | For Exchange 2010 and above, the file contains a list of human-readable names of changed attributes to be displayed in change reports. To exclude a change from the reports, specify name of a cmdlet and the attribute that is changed by the selected cmdlet. | classname.attrname= intelligiblename For example: *-OutlookAnywhere.SSLOffloading = Allow secure channel (SSL) offloading |
| omitobjlist_ecr.txt | Contains a list of human-readable names of object classes to be excluded from change reports. | Classname For example: exchangeAdminService msExchMessageDeliveryConfig Exchange_DSAccessDC |
| omitpathlist_ecr.txt | Contains a list of AD paths to be excluded from change reports. | Path For example: *\Microsoft Exchange System Objects\SystemMailbox* |
| omitproplist_ecr.txt | Contains a list of object types and properties to be excluded from change reports. | object_type.property_name If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example: msExchSystemMailbox.* *.msExchEdgeSyncCredential *.msExchMailboxMoveTargetMDBLink *.adminDescription |
| omitreporterrors_ecr.txt | Contains a list of errors to be excluded from Activity Summaries. | Error message text For example, to omit the error “The HTTP service used by Public Folders is not available, possible causes are that Public stores are not mounted and the Information Store service is not running. ID no: c1030af3”, add *c1030af3* to the file. |
| omitstorelist_ecr.txt | Contains a list of classes and attributes names to be excluded from Exchange snapshots. | object_type.property_name If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example: Exchange_Server.AdministrativeGroup Exchange_Server.AdministrativeNote Exchange_Server.CreationTime |
| propnames_ecr2007.txt | Contains a list of human-readable names for object classes and attributes of Exchange 2007 to be displayed in change reports. | classname.attrname= intelligiblename For example: msExchMDBAvailabilityGroup= Database Availability Group |
To exclude users or mailboxes from the Mailbox Access monitoring scope
Auditor allows specifying users and mailboxes that you do not want to monitor for non-owner mailbox access events. To do this, edit the mailboxestoexclude.txt, userstoexclude.txt, and agentomitusers.txt files.
Follow the steps to exclude data from Exchange Online monitoring scope
Step 1 – Navigate to the %Netwrix Auditor installation folder%\Non-owner Mailbox Access Reporter for Exchange folder.
Step 2 – Edit mailboxestoexclude.txt, userstoexclude.txt, or agentomitusers.txt files, based on the following guidelines:
- Each entry must be a separate line.
- A wildcard (*) is supported. You can use * for cmdlets and their parameters.
- Lines that start with the # sign are treated as comments and are ignored.
You can also limit your reports by specific mailboxes. Edit the mailboxestoinclude.txt file to specify mailboxes.
| File | Description | Syntax |
|---|---|---|
| mailboxestoexclude.txt | This file contains a list of mailboxes and folders that must be excluded from data collection. | Each entry must be a separate line. Wildcards (*) can be used to replace any number of characters. - To exclude the certain user's mailbox, enter username@domainname , e.g.john.smith@acme.com - To exclude the certian folder, enter username@domainname/foldername , e.g. john.smith@acme.com/Drafts - Use *to exclude multiple mailboxes or folders, e.g. */foldername will exclude the specified folder when processing all mailboxes. Examples: *admin*@corp.com */Drafts - exclude Drafts folder (for all mailboxes) */Testfolder/* - exclude subfolders of Testfolder (for all mailboxes) |
| mailboxestoinclude.txt | This file contains a list of mailboxes that must be included when collecting data. For the mailboxes added to this list, the reports will contain only non-owner access events. | Specify email address to be included in the list as username@domainname. Example: analyst@enterprise.com |
| userstoexclude.txt | This file contains a list of users who must be excluded from reports if they perform non-owner access attempt for mailboxes (audit data on these users will still be stored in the state-in-time snapshots). If a user is removed from this list, the information on this user’s actions can be viewed with the Report Viewer. | DOMAIN\username |
| agentomitusers.txt | This file contains a list of users who must be excluded from reports and snapshots. If a user is removed from this list, audit data on this user will only be available after the next data collection. Writing new users to this file affects reports and snapshots only if Network traffic compression is enabled. | DOMAIN\username |