This may not be a common issue but we have a scenario for our file server monitoring where we have a specific share that we want increased auditing while the remaining shares have our default audit settings: changes (success/fail) and read (fail). For the extra auditing shares we want success/fail for both changes and reads.
Opened a case to see if Auditor could automatically do this and the answer was to move to manual configuration of the audit settings (disable the ‘adjust audit settings automatically’). That’s fine, we’ll monitor for new shares and make sure that they get the audit settings correctly and are configured since Netwrix will not set them automatically now.
We manually increased the one share we’re working with and it’s auditing as expected and everything is working fine. However, even though we have automatically adjust disabled, it appears it still validates the settings on the shares to make sure they match our default audit settings on the monitoring plan so now we’re getting multiple error events for the monitoring plan that say the one share has incorrectly configured auditing entries.
Hopefully this makes sense… is there a solution for this? Either to automatically configure everything (but exclude the handful of special shares) or leave the auto disabled and have it not try and validate the special shares audit settings?
Welcome to the Netwrix Community! Hopefully I’ll be able to help you get this issue figured out.
What you should actually do is have two File Server plans in this case.
On plan 1, you have the entire File Server, with the settings that you want for a majority of the shares on the server. You are welcomed to keep Automatically Adjust Audit Settings enabled. In that plan, you would edit the “Scope” of the plan and exclude the share that you want the additional auditing on. That would prevent us from worrying about the auditing settings for that share.
On plan 2, you would add just the individual share that you want the higher auditing on instead of adding the entire file server. You could also leave Automatically Adjust Audit settings on for that plan. You would chose the higher level of auditing on that. When creating the 2nd plan, make sure you give it a different database name.
If you need some help setting that up, just let me know, I can share some screenshots on that type of set up.
Thanks Michael. Was trying to avoid multiple Monitoring Plans but it sounds like that might work (possibly a feature request to add to a future build? allowing different audit settings per share).
Looking at the ‘special’ monitoring plan and how to set that up, I just see exclusions but nowhere to ‘include’ the shares I want. If I have 200 generic shares but only 5 special shares I want increased auditing, how would I do that? Do I have to manually exclude the 200 so it includes the 5?
You’re definitely on the right path. For the special Monitoring Plan, when adding an item, be sure not to choose “Computer.” Instead, select the “Windows File Share” option and specify the share directly.
When adding the share, I recommend using the same naming format as your main file server plan. If you’re using the full FQDN in your primary plan, do the same here to maintain consistency across reports and search results.
For example:
If your main plan uses FILE01.DOMAIN.LOCAL, then enter the share as \\FILE01.DOMAIN.LOCAL\ShareName in the special plan.
The section you found in the screenshot is exactly where you’ll exclude any shares from the main file server plan that you intend to monitor separately in this new plan.
As for your feature request idea, we do have a dedicated section for those in the Community. You can submit suggestions directly at:
Regarding searches across monitoring plans, here’s a tip: use the “Data Source” filter in your searches. Starting with “Data Source” helps streamline search results and ensures you’re pulling data across all relevant monitoring plans tied to that source. Many reports also allow you to select multiple file server monitoring plans at once, which can make this easier.
Let me know if you have any questions—I’m happy to help.
I have both monitoring plans setup and it appears to be working. Thanks! Just to confirm, I have both set to adjust auditing automatically and it appears to be working (the special file share doesn’t change when the main share runs and vice versa) but wanted to make sure that having both set to auto is fine. Also having the other settings duplicated is okay between the two plans: traffic copmression, state in time, snapshots, etc.
