Help Center

Contact us

Exclude configuration

An exclusion list is used to exempt certain trusted entities or trivial or unwanted files from being audited. Configuring an exclusion list also saves storage space, since audit logs are not generated for the excluded entities. Consequently, entities in exclusion lists will not be listed in reports and will also not trigger alerts.

Some of the entities that you can choose to exclude from auditing:

  • Trusted users and administrators
  • Processes like antivirus or file backup services
  • Temporary or non-critical file types
  • Computer accounts
  • Files in a specific location

Only administrative technician accounts can view and modify the exclusion list. To view the configured exclusion lists:

  • Select File Audit from the application drop-down.
  • Go to Configuration > General Settings > Exclude Configuration.
  • Here, you will see the Global Exclusion and Server-Specific Exclusion tabs.

A) Global exclusions

When an entity is added to the Global Exclusion list, it will be exempted from auditing across all configured servers.

To edit the Global Exclusion list:

  • Select File Audit from the application drop-down.
  • Go to Configuration > General Settings > Exclude Configuration > Global Exclusion.
  • Click the + next to the Applied Servers field.
  • In the Select Servers pop-up, pick the servers in which you wish to apply the Global Exclusion conditions and click Select.
  • In the Conditions section, add the entities you wish to exempt from auditing using the available criteria. Click + to add a condition and x to delete a condition.
  • Click Save, then click OK.

For example, if you want to exclude events generated by your antivirus software, set the exclusion conditions as:

User Object = In = NONE

Action = In = Read

File Type = In = NONE

Process Name = Equals = C:\Program Files\AV Endpoint Security\av.exe

B) Server-specific exclusions

When an entity is added to the Server-Specific Exclusion list, that entity is exempted from auditing only in that particular server. To edit the exclusion criteria applied to a configured server:

  • Select File Audit from the application drop-down.
  • Go to Configuration > General Settings > Exclude Configuration.
  • Choose the target server from the Selected Server field.
  • The Conditions section displays the exclusion criteria applied locally in that server, as well as the conditions inherited from the Global Exclusion list.
  • To exclude more entities than in the conditions inherited from the global exclusions, use the available criteria. Click + to add a condition and x to delete a condition.
  • To delete one entity within a condition, click the corresponding field to view all the entities in that condition. Click the delete icon next to the entity you wish to remove from the exclusion list.
  • Click Save, then click OK.

For example, say the Global Exclusion list is:

User Object = In = NONE

Action = In = NONE

File Type = In = tmp, thm

If you want to additionally exempt auditing Modify actions in the location of a backup in Server01:

  • Select Server01 from the Selected Server field.
  • Set the server-specific conditions as:
  • User Object = In = NONE

    Action = In = Modify

    Local Path = Starts With = C:\Program Files\DataSecurity Plus\Backup

    Process Name = Equals = C:\Program Files \Backup Solution\bp.exe

  • Click Save, then click OK.

The corresponding entities will be excluded from auditing in Server01 alone.

Don't see what you're looking for?

  • Visit our community

    Post your questions in the forum.

     
  • Request additional resources

    Send us your requirements.