I'm trying to monitor file changes within a specific location on a production server's d:\ drive (d:\filestomonitor), but want to exclude a sub-folder, 'Logs', within it (d:\filestomonitor\Logs). I'm using the following expression:
[filter:blacklist:Logs-blacklist]
regex1 = D:\filestomonitor\.*\Logs\
[fschange:D:\filestomonitor\*]
index=_audit
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
filters = configs,Logs-blacklist
Could somebody please help provide me with the correct syntax?
Appreciate your help!
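The mechanics the question is after, a recursive file-change monitor that skips one sub-tree through a blacklist regex, written out in Python as an added example (this is not Splunk's fschange code, and it does not settle the inputs.conf syntax). The paths, hashes and snapshots are constructed. It shows the two points that decide whether such a filter works: every literal backslash in a Windows path has to be escaped as `\\` inside a regex, and the pattern needs an anchor and a trailing separator so that `Logs\` is excluded but a sibling such as `LogsBackup\` is not. It also shows that the pattern from the question, taken character for character, is not a valid regex at all because it ends in a lone backslash.

```python
"""Added example: recursive change detection with a regex blacklist.

Modelled on the fschange + [filter:blacklist] idea from the question; the
snapshots below are constructed, not real monitoring output.
"""
import re
from typing import Dict, Iterable, List, Pattern

# Constructed "before" and "after" inventories of the monitored tree.
# Values stand in for content hashes; a changed value means a modified file.
SNAPSHOT_BEFORE: Dict[str, str] = {
    r"D:\filestomonitor\app.config": "h1",
    r"D:\filestomonitor\bin\service.exe": "h2",
    r"D:\filestomonitor\Logs\2023-01-01.log": "h3",
    r"D:\filestomonitor\Logs\archive\old.log": "h4",
    r"D:\filestomonitor\LogsBackup\note.txt": "h5",
}
SNAPSHOT_AFTER: Dict[str, str] = {
    r"D:\filestomonitor\app.config": "h1-changed",
    r"D:\filestomonitor\bin\service.exe": "h2",
    r"D:\filestomonitor\Logs\2023-01-01.log": "h3-changed",
    r"D:\filestomonitor\Logs\archive\old.log": "h4",
    r"D:\filestomonitor\LogsBackup\note.txt": "h5-changed",
    r"D:\filestomonitor\bin\new.dll": "h6",
}

# Blacklist for the Logs sub-folder. Each path backslash is written "\\" so
# the regex engine sees a literal backslash; "^" anchors at the drive root and
# the trailing "\\" stops "LogsBackup" from being swallowed as well.
LOGS_BLACKLIST: Pattern[str] = re.compile(r"^D:\\filestomonitor\\Logs\\", re.IGNORECASE)


def is_blacklisted(path: str, patterns: Iterable[Pattern[str]]) -> bool:
    """True when any blacklist pattern matches the full path."""
    return any(p.search(path) for p in patterns)


def diff_snapshots(before: Dict[str, str], after: Dict[str, str],
                   patterns: Iterable[Pattern[str]]) -> List[str]:
    """Return add/modify/delete events for paths not excluded by the blacklist."""
    patterns = list(patterns)
    events: List[str] = []
    for path in sorted(set(before) | set(after)):
        if is_blacklisted(path, patterns):
            continue  # fall through the filter: nothing is reported for this path
        if path not in before:
            events.append(f"add {path}")
        elif path not in after:
            events.append(f"delete {path}")
        elif before[path] != after[path]:
            events.append(f"modify {path}")
    return events


def original_regex_is_invalid() -> bool:
    """Compile the question's pattern literally: D:\\filestomonitor\\.*\\Logs\\

    Unescaped backslashes turn "\\f" into a form-feed escape and "\\L" into an
    unknown escape, and the pattern ends in a dangling backslash, so the regex
    engine rejects it outright.
    """
    try:
        re.compile("D:\\filestomonitor\\.*\\Logs\\")
    except re.error:
        return True
    return False


if __name__ == "__main__":
    print("question's pattern rejected by re:", original_regex_is_invalid())
    for event in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, [LOGS_BLACKLIST]):
        print(event)
```

Running it reports the modified `app.config`, the new `bin\new.dll` and the change under `LogsBackup\`, while both changes under `Logs\` are silently dropped. Whatever the monitoring tool, the same check applies: test the blacklist against a path that should be excluded and against a near-miss sibling before trusting it on a production server.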
Thank you lukejadamec!
Works nicely, but I see a lot of service accounts in there that I do not want to report on.
If I were to use:
EventCode=528 | eval Account_Name=mvindex(Account_Name,1) | eval UserAccount=coalesce(Account_Name,User_Name) | dedup UserAccount | table _time,UserAccount,Workstation_Name
How would I specify AD accounts in a specific OU?
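What the search above does step by step, and one way to narrow it to accounts in a given OU, as an added Python model (this is not Splunk code and not the original poster's search). The EventCode 528 records are constructed: `Account_Name` is multivalued, with index 0 the subject doing the logging on and index 1 the account that was logged on, which is why the search takes `mvindex(Account_Name,1)` and falls back to `User_Name` via `coalesce`. The OU filter relies on an account-to-distinguishedName table that is constructed here and is an assumption; in practice that mapping would come from a directory export or lookup that the search on the page does not have.

```python
"""Added example: the EventCode=528 search modelled in Python, plus an OU filter.

Events and the account -> DN table are constructed sample data.
"""
from typing import Any, Dict, List, Optional, Sequence

# Constructed EventCode 528 style records, newest first (the order Splunk
# returns them, which is what dedup keeps the first of).
EVENTS: List[Dict[str, Any]] = [
    {"_time": "2023-03-01T09:05:00", "EventCode": 528,
     "Account_Name": ["SYSTEM", "jsmith"], "Workstation_Name": "WS-101"},
    {"_time": "2023-03-01T09:04:00", "EventCode": 528,
     "Account_Name": ["SYSTEM", "svc_backup"], "Workstation_Name": "SRV-01"},
    {"_time": "2023-03-01T09:03:00", "EventCode": 528,
     "Account_Name": ["SYSTEM", "jsmith"], "Workstation_Name": "WS-102"},
    # Single-valued Account_Name: mvindex(...,1) is null, coalesce uses User_Name.
    {"_time": "2023-03-01T09:02:00", "EventCode": 528,
     "Account_Name": ["adoe"], "User_Name": "adoe", "Workstation_Name": "WS-103"},
    # Different EventCode: excluded by the EventCode=528 term.
    {"_time": "2023-03-01T09:01:00", "EventCode": 540,
     "Account_Name": ["SYSTEM", "bob"], "Workstation_Name": "WS-104"},
]

# Constructed account -> distinguishedName mapping (assumption: in Splunk this
# would be a lookup fed from AD; it is not part of the question's search).
ACCOUNT_DN: Dict[str, str] = {
    "jsmith": "CN=J Smith,OU=Staff,OU=Corp,DC=example,DC=com",
    "adoe": "CN=A Doe,OU=Staff,OU=Corp,DC=example,DC=com",
    "svc_backup": "CN=svc_backup,OU=ServiceAccounts,DC=example,DC=com",
}


def mvindex(values: Optional[Sequence[str]], idx: int) -> Optional[str]:
    """SPL mvindex: the idx-th value of a multivalue field, or null if absent."""
    try:
        return values[idx]  # type: ignore[index]
    except (IndexError, TypeError):
        return None


def coalesce(*values: Optional[str]) -> Optional[str]:
    """SPL coalesce: first non-null argument."""
    return next((v for v in values if v is not None), None)


def user_logons(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """EventCode=528 | eval ... | dedup UserAccount | table _time,UserAccount,Workstation_Name"""
    rows: List[Dict[str, str]] = []
    seen = set()
    for ev in events:
        if ev.get("EventCode") != 528:
            continue
        account = mvindex(ev.get("Account_Name"), 1)
        user = coalesce(account, ev.get("User_Name"))
        if user is None or user in seen:
            continue  # dedup keeps the first (newest) row per UserAccount
        seen.add(user)
        rows.append({"_time": ev["_time"], "UserAccount": user,
                     "Workstation_Name": ev.get("Workstation_Name", "")})
    return rows


def in_ou(user: str, ou_dn: str, lookup: Dict[str, str] = ACCOUNT_DN) -> bool:
    """True when the account's DN sits in ou_dn or in any OU nested under it.

    A DN ends with its container's DN, so a case-insensitive suffix match on
    ",<ou_dn>" covers the OU and its children; accounts with no DN are dropped.
    """
    dn = lookup.get(user)
    return dn is not None and dn.lower().endswith("," + ou_dn.lower())


def user_logons_in_ou(events: List[Dict[str, Any]], ou_dn: str) -> List[Dict[str, str]]:
    """The deduplicated logon table restricted to accounts under one OU."""
    return [row for row in user_logons(events) if in_ou(row["UserAccount"], ou_dn)]


if __name__ == "__main__":
    for row in user_logons_in_ou(EVENTS, "OU=Staff,OU=Corp,DC=example,DC=com"):
        print(row["_time"], row["UserAccount"], row["Workstation_Name"])
```

With the constructed data the unfiltered table lists `jsmith`, `svc_backup` and `adoe`; restricting to `OU=Staff,OU=Corp,DC=example,DC=com` drops the service account because its DN lives under `OU=ServiceAccounts`. Filtering on the DN suffix rather than on account-name patterns is the robust choice: it does not depend on service accounts following a naming convention, and it extends to nested OUs without further rules.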