Exclude and Include Patterns

As part of the default options for Directory Monitor, you have the ability to include and exclude files and directories from being returned in the event results using standard wildcard patterns. Exclusions take precedence over inclusions. If the file matches the exclusion pattern it will not appear in the event list even if it does match a pattern in the inclusion list.

A wild card is normally represented by a asterisk character (*). This denotes that any characters can replace it in that position. Each line represents an inclusion/exclusion and you can use as many patterns as you need on either side. You can also use as many wildcard characters (*) as you want per pattern to allow flexible matching against the changes being detected.

From version 2.9.9.10, user names and process names are also included in the filters if they are prefixed with a question mark (?). The same filtering rules apply with wild cards, the question mark (?) prefix indicates that the filter needs to be applied to user names and process names that are detected and not file names.

Renames

From version 2.10.5.0, only excludes will apply to the old file name. Previous versions would apply filters on both the old and new file name making it difficult to exclude predictably when you need to see events for excluded old file names with included new file names.

Be aware of this when using filters with renames. Excluding is strict and will apply to both the old and new file name.

Screenshot

You can edit the include and exclude filters on the directory options screen:



Examples

Here are some examples:

Example 1: Extensions
*.txt - Will exclude/include all files with the TXT extension. This will only match files that ends with TXT which is a common mistake, the match end at TXT and will not extend past the extension.

C:\temp\newfile.txt = match
C:\Backup\anotherfile.txt = match
C:\temp\script.bat = no match
C:\temp\doubleextension.txt.tmp = no match (to match this as well use *.txt*)


Example 2: Directories and subdirectories
C:\MonitoredDirectory\Testing\* - Will exclude/include all file and directories under the 'Testing' folder.

C:\MonitoredDirectory\doc123.txt = no match
C:\MonitoredDirectory\Testing\anything.fle = match
C:\MonitoredDirectory\Testing\SubDir\deleteme.tmp = match


Example 3: File in directories
C:\Folder\Sub\*.* - Will exclude/include all files with any extension in the directory 'Sub' which is a subdirectory of 'Folder'.

C:\Folder\new image file.bmp = no match
C:\Folder\Sub\my image.jpg = match
C:\Folder\Sub\New Folder\document.doc = no match (only files in Sub, not subdirectories of it, see example 2)


Example 4: Multiple wildcards
*\IgnoreDir\*.* - Will exclude/include all files inside any directory called 'IgnoreDir'.

C:\Temp\ = no match
C:\Temp\IgnoreDir\New Folder\ = no match (only file are matched when using *.*, to match everything just use *)
C:\Temp\IgnoreDir\New Folder\somefile.tmp = match

C:\*\garbage.* - Will exclude/include any files on the C: called 'garbage' with any number of extensions.


Example 5: User names and process names
?*Jimmy* - Will exclude/include all changes made by a user called 'Jimmy'.

Machine-Name\James = no match
Jimmy@mynetwork.com match
Domain-Name\Jimmy = match

The same rules apply to process names.
?*scanner*.exe - Will exclude/include all changes made by process names starting with 'scanner'.

C:\Program Files\Anti-Virus\antiv.exe = no match
C:\Program Files\Anti-Virus\scanner.exe match
C:\Program Files\Anti-Virus\scannerV5.exe match


NB: Always test your exclusions and inclusions to ensure that you are not inadvertently filtering in (or out) files that you expect to want see in the monitoring logs. Excluded files are also excluded from any further plugin processing such as emails and application execution.

Feedback and Knowledge Base