Export (0) Print
Expand All

How to Filter ACS Events for UNIX and Linux Computers

Updated: November 1, 2013

Applies To: System Center 2012 - Operations Manager, System Center 2012 R2 Operations Manager, System Center 2012 SP1 - Operations Manager

By default, ACS collects and stores every event recorded in the Windows Security Event logs. A large number of the events can make it difficult to identify potential problems. You want to collect only the security events that meet your audit and security compliance requirements.

Best practice is to archive the data by using an ACS Archiver and then restore it to a historical repository. From this repository, you can run your filtering. The following procedure provides the ability to maintain all audit events and optimize the audit data report performance. For example, you may want to store all Successful Logon Events (540,528), but not report on them unless audited. 

To filter Event IDs by using AdtAdmin

  1. At a command prompt, change the working directory to %windir%\system32\security\AdtServer.

  2. At the same command prompt, set the query parameters by entering AdtAdmin /setquery /query:"select * from AdtsEvent where NOT (EventID=560 OR EventID=562 OR …)", where the EventIDs listed are the audit events to be ignored in the event log.

    For example, to set a filter so that only the UNIX and Linux security events are logged to the Windows Security Event log , set the query parameters by entering AdtAdmin /setquery /query:”select * from AdtsEvent where NOT (EventID=560 OR EventID=562 OR EventID=569 OR EventID=570 OR EventID=571 OR EventID=26401 OR EventID=4665 OR EventID=4666 OR EventID=4667 OR EventID=4624 OR EventID=4634 OR EventID=4648 OR EventID=5156 OR EventID=4656 OR EventID=4658 OR EventID=5159)”.

For additional information about how to use AdtAdmin.exe, see Audit Collection Services Administration (AdtAdmin.exe).

See Also

For additional resources, see Information and Support for System Center 2012.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012. For instructions and examples, see Search the System Center 2012 Documentation Library.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft