Hi,

I am trying to filter out some object access auditing on a particular
file share; I can't turn off auditing directly on the share. I am trying
to figure out what parameter to use to filter it out using a Filter Rule
under the Windows Data Collection Policy in SAM.

The event takes the form below under the General Section of the event:

Subject:
Security ID:[domain\username]
Account Name: [username]
Account Domain: [domain]
Logon ID: [id]

Network Information:
Object Type: File
Source Address: [x.x.x.x]
Source Port: [xxxx]

Share Information:
Share Name: \\*\[share_name]
Share Path: \??\[sharepath]
Relative Target Name: [targetpath]


UNDER DETAILS - FRIENDLY VIEW:

EventData

SubjectUserSid [SID]
SubjectUserName [username]
SubjectDomainName [Domain]
SubjectLogonId [ID]
ObjectType File
IpAddress [x.x.x.x]
IpPort [xxx]
ShareName \\*\[sharename]
ShareLocalPath \??\[sharepath]
RelativeTargetName [targetpath]


If I filter on share_name, is this Parameter 8 or another
Parameter?

My filter is:
Event Number equals 5145
Source Name equals Microsoft-Windows-Security-Auditing
Parameter 8 contains substring share_name (my share name contains an
underscore; I'm wondering whether I should be using a regex or wildcard
here to match)

The above doesn't appear to be filtering out the event. Any pointers
appreciated!

Thanks

Paul


--
rochfordp
------------------------------------------------------------------------
rochfordp's Profile: https://forums.netiq.com/member.php?userid=6749
View this thread: https://forums.netiq.com/showthread.php?t=55114
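Added example (not from the post or from NetIQ): a small script that takes a 5145 event in the Windows event XML layout, lists each EventData field with its 1-based position, and evaluates the "Event Number / Source Name / Parameter N contains substring" filter from the post against it. It assumes that SAM's "Parameter N" refers to the Nth Data element of EventData, which the post's friendly-view listing suggests but does not confirm, and that "contains substring" is a plain literal substring test in which an underscore is an ordinary character. The sample event and all its values (SID, user, addresses, share names) are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as returned by Event Viewer's XML view).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample 5145 event with the EventData fields in the order shown
# in the post. Every value here is a placeholder, not real data.
SAMPLE_5145_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5145</EventID>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data Name="IpPort">49152</Data>
    <Data Name="ShareName">\\*\finance_share</Data>
    <Data Name="ShareLocalPath">\??\D:\Shares\finance_share</Data>
    <Data Name="RelativeTargetName">reports\q1.xlsx</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Parse event XML into event id, provider (source) name and the ordered
    list of (field name, value) pairs from EventData."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    source = root.find("e:System/e:Provider", EVENT_NS).get("Name")
    fields = [(d.get("Name"), d.text or "")
              for d in root.findall("e:EventData/e:Data", EVENT_NS)]
    return {"event_id": event_id, "source": source, "fields": fields}


def parameter_index(event, field_name):
    """1-based EventData position of a named field, or None if absent.
    Assumption: SAM's 'Parameter N' is the Nth EventData element."""
    for pos, (name, _) in enumerate(event["fields"], start=1):
        if name == field_name:
            return pos
    return None


def parameter_value(event, index):
    """Value of the 1-based parameter 'index'."""
    return event["fields"][index - 1][1]


def parameter_table(event):
    """Human-readable 'Parameter N (Name): value' lines for checking indices."""
    return [f"Parameter {pos} ({name}): {value}"
            for pos, (name, value) in enumerate(event["fields"], start=1)]


def filter_matches(event, event_id, source, param_index, substring):
    """Evaluate the post's filter rule: event number equals, source name
    equals, and parameter N contains the literal substring (underscore is
    an ordinary character here, so no escaping or wildcard is needed)."""
    return (event["event_id"] == event_id
            and event["source"] == source
            and substring in parameter_value(event, param_index))


if __name__ == "__main__":
    ev = parse_event(SAMPLE_5145_XML)
    for line in parameter_table(ev):
        print(line)
    print("ShareName is parameter", parameter_index(ev, "ShareName"))
    print("Filter matches:", filter_matches(
        ev, 5145, "Microsoft-Windows-Security-Auditing", 8, "finance_share"))
```

Running it against an event exported from Event Viewer (XML view) in place of the constructed sample shows the actual position of ShareName on the box in question; real 5145 events carry further Data elements after RelativeTargetName (the access mask and access list), which does not shift the earlier positions. Note that ShareLocalPath (parameter 9) also contains the share name in this sample, so a substring on parameter 8 is the narrower match; if a regex or wildcard is used instead, the underscore is still a literal in both.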