Exclude root user failed logins in Auditor data source vmware

Hello,

Does anyone have an idea how to exclude failed logins of user root to 127.0.0.1 on the VMware plan?

We have the problem that, because of hardening of the VMware systems (known, expected behaviour), we get tons of the following logs put into the Auditor data.

Who: root
EventMessage: Cannot login user root@127.0.0.1: no permission
Action: Failed Logon
What: VMware ESXi

About a million messages a day; anything relevant will not be mentioned just because of the large amount of noise. Graphs are unusable.

And the database is growing as well.

Is it possible to exclude only these messages from the data source via omit/proplist files?

Thank you.
Greetings

Juergen

Hi,

Great question — you have two options here depending on how far you want to go:

Option 1: Exclude from reports and Audit Archive (omit file)

You can use the omit store list file to suppress these specific events from appearing in reports and the Audit Archive:

File location: C:\Program Files (x86)\Netwrix Auditor\VMware Auditing\omitstorelist.txt

Add the following line:

*,root,*,Logon,VMware ESXi,Workstation,127.0.0.1

Important note: With this approach, events are still collected by Netwrix Auditor — they just won’t be stored or shown in reports. This means it will not stop the database from growing. However, it will clean up your reports and graphs significantly.

Option 2: Disable collection of all failed logons (stops DB growth)

If the database growth is your primary concern, you can disable the collection of failed logons entirely at the data source / monitoring plan level.

Go to your VMware monitoring plan settings and turn off the collection of Failed Logon events.

Trade-off: This will stop all failed logon events from being collected — not just the root/127.0.0.1 noise — so consider whether you need failed logon visibility for other accounts.

Recommendation: If you need to retain failed logon visibility for other users/hosts, Option 1 is the safer choice for report cleanliness. If the DB growth is critical and failed logons aren’t relevant to your use case, Option 2 is the cleanest solution.

Hope this helps! Let us know if you have any follow-up questions.
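To make the trade-off between the two options concrete, here is an added example (not Netwrix code and not taken from the product documentation) that replays both approaches over a handful of constructed VMware audit events shaped like the noisy entries quoted in the question. It assumes that an omitstorelist line is a comma-separated list of fields matched positionally against the event in the order given in FIELD_ORDER, that `*` matches anything, and that any other field matches when it occurs case-insensitively in the event value (so `Logon` covers `Failed Logon`). The field order and matching semantics are assumptions for the demonstration only; verify a rule against an export of real events before relying on it.

```python
"""Simulate omit-rule filtering (option 1) against disabling Failed Logon
collection (option 2) over constructed VMware audit events.

Assumptions (not taken from Netwrix documentation):
  * an omitstorelist line is a comma-separated list of fields matched
    positionally against the event, in the order given by FIELD_ORDER;
  * '*' matches any value; any other field matches when it occurs,
    case-insensitively, in the event's value.
"""
from collections import Counter

# Assumed positional meaning of the seven fields in the rule from the answer.
FIELD_ORDER = ("plan", "who", "object", "action", "what", "object_type", "where")

# The omit rule exactly as given in the answer above.
OMIT_RULE = "*,root,*,Logon,VMware ESXi,Workstation,127.0.0.1"


def event(who, where, action, what="VMware ESXi", plan="VMware plan",
          obj="esxi01", object_type="Workstation"):
    """Build one constructed audit event in the shape quoted in the question."""
    if action == "Failed Logon":
        message = f"Cannot login user {who}@{where}: no permission"
    else:
        message = f"User {who}@{where} logged in"
    return {"plan": plan, "who": who, "object": obj, "action": action,
            "what": what, "object_type": object_type, "where": where,
            "message": message}


# Constructed sample data: three noisy local root failures plus events that
# a defender would still want to see.
SAMPLE_EVENTS = [
    event("root", "127.0.0.1", "Failed Logon"),
    event("root", "127.0.0.1", "Failed Logon"),
    event("root", "127.0.0.1", "Failed Logon"),
    event("root", "192.0.2.10", "Failed Logon"),        # root from a remote host: keep
    event("admin", "127.0.0.1", "Failed Logon"),        # other account, same host: keep
    event("svc_backup", "192.0.2.20", "Failed Logon"),  # unrelated account: keep
    event("root", "192.0.2.10", "Successful Logon"),    # not a failed logon at all
]


def parse_omit_rule(line):
    """Split one omitstorelist line into a field -> pattern mapping."""
    fields = tuple(f.strip() for f in line.split(","))
    if len(fields) != len(FIELD_ORDER):
        raise ValueError(f"expected {len(FIELD_ORDER)} fields, got {len(fields)}: {line!r}")
    return dict(zip(FIELD_ORDER, fields))


def rule_matches(rule, ev):
    """True when every non-wildcard field of the rule occurs in the event."""
    for key, pattern in rule.items():
        if pattern == "*":
            continue
        if pattern.lower() not in str(ev.get(key, "")).lower():
            return False
    return True


def apply_omit_rules(events, rule_lines):
    """Option 1: drop only events that match a rule; keep everything else."""
    rules = [parse_omit_rule(line) for line in rule_lines
             if line.strip() and not line.lstrip().startswith("#")]
    return [ev for ev in events if not any(rule_matches(r, ev) for r in rules)]


def drop_failed_logons(events):
    """Option 2: turning off Failed Logon collection drops every failed logon."""
    return [ev for ev in events if ev["action"] != "Failed Logon"]


def summarize(events):
    """Count events by (who, where, action) so the effect of each option is visible."""
    return Counter((ev["who"], ev["where"], ev["action"]) for ev in events)


if __name__ == "__main__":
    print("raw:     ", dict(summarize(SAMPLE_EVENTS)))
    print("option 1:", dict(summarize(apply_omit_rules(SAMPLE_EVENTS, [OMIT_RULE]))))
    print("option 2:", dict(summarize(drop_failed_logons(SAMPLE_EVENTS))))
```

Running it shows option 1 removing only the three root@127.0.0.1 failures while the remote root failure, the admin failure and the service-account failure survive, whereas option 2 leaves nothing but the successful logon. The parse step also rejects a rule with the wrong number of fields, which is the kind of typo that would otherwise silently match nothing.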