Symantec Security Expressions Server User Manual

SecurityExpressions Server User Guide

Active Directory (Active Directory Connection Monitor only)

Set the Active Directory (event log) monitoring options.

IncludeAllDomainControllers

Retrieves the names of all Domain Controllers in the domain where the monitor resides and monitors the event logs of all of them. One (1) is the default setting. If IncludeAllDomainControllers=0, you must add the Include key and identify the devices to monitor.

Exclude

Comma-separated list of device names to omit from monitoring.

Include

Comma-separated list of device names to monitor.

Processing the Configuration File

When the Connection Monitor recognizes a new device on the network, it compares the device IP address to the IP ranges defined in the configuration file, excluding the Default settings, starting with the first range in the file and proceeding in order. If the address falls in one of the IP ranges, that group's audit server list and distribution method determine where to connect.

If the IP address does not fall within any of the specified ranges, a group whose IPRange=Default supplies the audit server list and distribution method.

You do not have to specify a Default IP range. However, if a Default range does not exist and the IP address does not correspond to any of the defined ranges, the monitor does not contact the audit server and the device remains unaudited.

Configuration File Syntax

To specify configuration data, you manually edit the dmconfig.txt file and include the required information about the IP ranges. After editing the configuration file, you must stop and restart the service through the Service Management Console, which is accessible through Administrative Tools.

Tip: If you are using more than one connection monitor on the same computer, use the same configuration file to configure them.

Be aware that if you're using the DHCP Plug-In Connection Monitor, it's Microsoft's DHCP Server Service that you have to stop. Since this service controls other functions on the network, stopping it might have other temporary effects on the network.

Tip: Use the # character at the beginning of all comment lines to ensure they are ignored when the file is processed.

The configuration file syntax is similar to .ini file syntax, such as:

[IP_RANGE_1]
IPRange=10.0.3.0:254
AuditServers=server1,server2
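The range-matching precedence described under "Processing the Configuration File", applied to a file in the syntax shown above. This is an added example written for this page, not Symantec's code: the sample dmconfig.txt content is constructed, and it assumes that "a.b.c.d:n" denotes the addresses a.b.c.d through a.b.c.n inclusive (the manual shows the form but does not spell out its meaning).

```python
import ipaddress
# Constructed sample dmconfig.txt (key names from the manual, values made up).
SAMPLE_CONFIG = """\
# comment lines start with '#' and are ignored
[IP_RANGE_1]
IPRange=10.0.3.0:254
AuditServers=server1,server2
[DEFAULT_GROUP]
IPRange=Default
AuditServers=fallback1
"""

def parse_config(text):
    """Return the [group] sections as dicts, in file order."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"IPRange": None, "AuditServers": []}
            groups.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "AuditServers":
                current[key] = [s.strip() for s in value.split(",") if s.strip()]
            else:
                current[key] = value
    return groups

def in_range(ip, iprange):
    """Assumption: 'a.b.c.d:n' means a.b.c.d through a.b.c.n, inclusive."""
    start_s, _, end_octet = iprange.partition(":")
    start = ipaddress.IPv4Address(start_s)
    end = ipaddress.IPv4Address(start_s.rsplit(".", 1)[0] + "." + end_octet)
    return start <= ipaddress.IPv4Address(ip) <= end

def resolve_audit_servers(ip, config_text=SAMPLE_CONFIG):
    """First matching range in file order wins, then the Default group.
    None means no range matched and no Default exists: device stays unaudited."""
    groups = parse_config(config_text)
    for g in groups:
        if g["IPRange"] not in (None, "Default") and in_range(ip, g["IPRange"]):
            return g["AuditServers"]
    for g in groups:
        if g["IPRange"] == "Default":
            return g["AuditServers"]
    return None
```

A device whose address matches no range in a file without a Default group resolves to None, which is the "remains unaudited" case worth alerting on when reviewing monitor coverage.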