Has anyone received alerts/events from a SIEM noting that a Logic Monitor collector tried to access an admin share but denied? I was thinking Perfmon might be part of the issue here. Initial feedback from LM is that this is not something that should not occur.
Depends on the datasource. A datasource could be written to discover the list of shares, which may include the admin share. The collection mechanism could then attempt to access something on that share for the purposes of gathering some kind of metric. I'm not aware of one out of the box that does that though. I'd start by looking through the datasources that have discovered instances on that server and see if any of the instances are the admin share. If so, and you don't want to include the admin share, you could simply write a discovery filter to exclude it from discovery (which would exclude it from collection as well).
