
Create Inclusions and Exclusions for FIM

A monitored item that is a directory has inclusions and exclusions that are applied to the files within it.

A monitored item that is a file cannot have inclusions and exclusions. Individual files cannot have filters applied to them.

When an include filter is applied to a directory, the filter is applied to the parent directory and to all the child directories and files within it. For example, if an include filter is applied to the Documents directory to monitor document files, FIM monitors all the files in the Documents directory and its subdirectories, whether those files are document files or files of other types, as long as they match an include filter and do not match an exclude filter.

If a subdirectory of the Documents directory has an exclude filter applied to it, that directory and its child directories are ignored.

In the graphic below, all the directories highlighted in green are affected by the include filter; they are monitored. When the LogRhythm Agent encounters an exclude filter for a subdirectory (represented by the red highlight), the files in the subdirectory and its child directories are ignored.


Syntax

  • Wildcard Required

    A wildcard is always required and can appear multiple times in Inclusions and Exclusions lists. The only wildcard allowed in a filter is the asterisk (*), as shown in these examples:

    • *.exe
    • *access*.log
    • */logs/
    • data.*
    • *\$NtUninstallKB*$\
    • C:\Windows\$NtUninstall*\
  • Lists

    The list items must be separated with either commas or semicolons and cannot contain spaces.

    For example:

    • *.txt,access.*,$NtUninstall*$,*access*.log,*.*
    • *.txt,access.*;$NtUninstall*$;*access*.log,*.*

Evaluating Filters

Each file and directory is evaluated by its fully qualified path against the include and exclude filters independently. When the directory monitored item has a Max Depth greater than 0, each subdirectory level is evaluated before the Agent traverses deeper into the directory structure. Additionally, the LogRhythm Agent appends a backslash (\) to all Windows directories or a forward slash (/) to all UNIX directories before applying the filters.

For example, if you want to exclude all subdirectories ending with debug under the root monitored directory C:\Temp, the exclude filter to use is:

C:\Temp\*debug\

(Note the trailing backslash.)

rather than

C:\Temp\*debug

Filters are applied to the fully qualified path, not just the right-most element of the path.

Filter Precedence

  • If only an include filter is specified, the results include only the files and directories matching the include filter.
  • If only an exclude filter is specified, the results include only the files and directories not matching the exclude filter.
  • If both include and exclude filters are specified, files and directories that match the exclude filter are excluded regardless of whether they match the include filter.
  • If a directory matches an include filter, then all files directly within that directory are monitored, regardless of whether they also match the include filter. If those files then match an exclude filter, they are excluded.
  • If a file matches an include filter, but its directory does not match the filter, the file is monitored, unless the file also matches an exclude filter.
  • If a directory matches an exclude filter, then that directory and all its files and subdirectories are excluded.

Example 1

You have the following directory structure and Max Depth = 1:

Results for the stated filters are:

  • Filter: Exclusion C:\DirA\item* (or *\item*)

    Included:
      C:\DirA\DirB
      C:\DirA\DirB\fileA.ini
      C:\DirA\file1.dat

    Excluded:
      C:\DirA\itemA.txt
      C:\DirA\itemC
      C:\DirA\itemC\odbc.dll
      C:\DirA\itemD\vacation.bmp

  • Filter: Inclusion C:\DirA\*.dat (or *\DirA\*dat, or *.dat)

    Included:
      C:\DirA\file1.dat

    Excluded:
      C:\DirA\DirB
      C:\DirA\DirB\fileA.ini
      C:\DirA\itemA.txt
      C:\DirA\itemC
      C:\DirA\itemC\odbc.dll
      C:\DirA\itemD
      C:\DirA\itemD\vacation.bmp

  • Filter: Inclusion *\item*\

    Included:
      C:\DirA\itemC
      C:\DirA\itemC\odbc.dll
      C:\DirA\itemD
      C:\DirA\itemD\vacation.bmp

    Excluded:
      C:\DirA\file1.dat
      C:\DirA\DirB
      C:\DirA\DirB\fileA.ini
      C:\DirA\itemA.txt
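The precedence rules and path-evaluation behaviour described above, modelled as an added Python example (not LogRhythm's code) and checked against the Example 1 tree. Case-insensitive matching and the treatment of Max Depth (not modelled) are assumptions of this model, not statements from the page.

```python
import re

def pattern_to_regex(pattern):
    # Only '*' is a wildcard; every other character (including '\' and '$') is literal.
    # Case-insensitive matching is an assumption made here for Windows paths.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

def parse_filter_list(text):
    # Items are separated by commas or semicolons and may not contain spaces.
    if " " in text:
        raise ValueError("filter lists cannot contain spaces")
    return [pattern_to_regex(p) for p in re.split(r"[,;]", text) if p]

def evaluate(entries, include="", exclude=""):
    """entries: list of (fully qualified path, is_dir). Returns (included, excluded)
    path sets under this page's precedence rules. Max Depth is not modelled."""
    inc, exc = parse_filter_list(include), parse_filter_list(exclude)
    dirs = {p for p, is_dir in entries if is_dir}

    def hit(path, regexes):
        # The Agent appends a backslash to directories before applying filters.
        qualified = path + "\\" if path in dirs else path
        return any(r.match(qualified) for r in regexes)

    excluded_dirs = {d for d in dirs if hit(d, exc)}
    included_dirs = {d for d in dirs if hit(d, inc)}
    included, excluded = set(), set()
    for path, _ in entries:
        parent = path.rsplit("\\", 1)[0]
        # Exclude wins; an excluded directory takes everything beneath it along.
        if hit(path, exc) or any(path.startswith(d + "\\") for d in excluded_dirs):
            excluded.add(path)
        # No include filter, a direct match, or a parent directory matched the include.
        elif not inc or hit(path, inc) or parent in included_dirs:
            included.add(path)
        else:
            excluded.add(path)
    return included, excluded

# Constructed tree for Example 1 (the page's figure); monitored root is C:\DirA.
EXAMPLE1 = [
    (r"C:\DirA\DirB", True), (r"C:\DirA\DirB\fileA.ini", False),
    (r"C:\DirA\file1.dat", False), (r"C:\DirA\itemA.txt", False),
    (r"C:\DirA\itemC", True), (r"C:\DirA\itemC\odbc.dll", False),
    (r"C:\DirA\itemD", True), (r"C:\DirA\itemD\vacation.bmp", False),
]
```

Calling `evaluate(EXAMPLE1, exclude=r"C:\DirA\item*")` reproduces the first row of the Example 1 table, and `evaluate(EXAMPLE1, include="*\\item*\\")` the third, where odbc.dll and vacation.bmp are monitored only because their parent directory matched the include filter.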

Example 2

      • Monitored directory is C:\temp, monitor flags are MRP (MODIFY, READ, PERMISSIONS)
      • Include filter of *.exe
      • Depth = 3
      • Changes to any file matching *.exe are recorded. Files are monitored for whatever the root monitored item is configured for. Files matching the include filter are monitored based on the monitored items configuration flags (MODIFY, READ, PERMISSIONS).
      • File match: C:\temp\apps\notepad.exe – will be monitored for MRP.

Example 3

      • Monitored directory is C:\temp, monitor flags are MRP (MODIFY, READ, PERMISSIONS).
      • Include filter of *.exe\
      • Depth = 3
      • If any directory matches *.exe\ - for example, C:\temp\mydir.exe - then all files and directories immediately within it are monitored for MRP, even if they do not match the filter.
      • File match: C:\temp\mydir.exe\notepad.exe – will be monitored for MRP.
      • File match: C:\temp\mydir.exe\data.log – will be monitored for MRP.
      • File match: C:\temp\mydir.exe\notes.txt – will be monitored for MRP.

Example 4

      • Monitored directory is C:\temp, monitor flags are MRP (MODIFY, READ, PERMISSIONS).
      • Exclude filter of *.log
      • Depth = 3
      • Changes to any file not matching *.log are recorded.

Example 5

      • Monitored directory is C:\temp, monitor flags are MRP (MODIFY, READ, PERMISSIONS).
      • Include filter of *.exe.
      • Exclude filter of *debug*.
      • Depth = 3.
      • Changes to any file matching *.exe and not matching *debug* are recorded. If the file is C:\temp\foo.exe, it is included. If the file is C:\debugdir\notepad.exe, then it is excluded, because the directory C:\debugdir and all its files and subdirectories are excluded. Any subdirectory matching *.exe is included in monitoring and all files and subdirectories directly within it are monitored unless they match the *debug* exclude filter.