Filtering ACS Events

Applies To: Operations Manager 2007 R2

By default, ACS collects and stores every event recorded in the Windows Security Event logs. Such a large number of events can make it difficult to identify potential problems, so you will usually want to collect only the security events that meet your audit and security compliance requirements.

Best practice is to archive the data by using an ACS Archiver and then restore it to a historical repository. From this repository, you can run your filtering. This lets you retain all audit events while optimizing the performance of reports on the audit data. For example, you may want to store all Successful Logon Events (540,528), but not report on them unless audited.

To filter Event IDs by using AdtAdmin

  1. At a command prompt, change the working directory to %windir%\system32\security\AdtServer.

  2. At the same command prompt, set the query parameters by entering AdtAdmin /setquery /query:"select * from AdtsEvent where NOT (EventID=560 OR EventID=562 OR …)", where the EventIDs listed are the audit events to be ignored in the event log.

    For example, to set a filter so that only the Cross Platform security events are logged to the Windows Security Event log, set the query parameters by entering AdtAdmin /setquery /query:"select * from AdtsEvent where NOT (EventID=560 OR EventID=562 OR EventID=569 OR EventID=570 OR EventID=571 OR EventID=26401 OR EventID=4665 OR EventID=4666 OR EventID=4667 OR EventID=4624 OR EventID=4634 OR EventID=4648 OR EventID=5156 OR EventID=4656 OR EventID=4658 OR EventID=5159)".
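
The procedure above, as an added PowerShell helper that is not part of the original article: it builds the NOT (...) exclusion query from a list of Event IDs instead of hand-typing the OR chain, checks that AdtAdmin.exe is present in the documented directory, and runs /setquery. The function names, the use of -WhatIf for a dry run, and the reuse of the Cross Platform IDs as sample input are assumptions for illustration.

```powershell
# Added example (not from the article): build and apply an ACS exclusion query.
# Assumes AdtAdmin.exe lives in %windir%\system32\security\AdtServer, as the
# procedure above states, and that this runs on the ACS collector.

function New-AcsExclusionQuery {
    param(
        [Parameter(Mandatory)]
        [int[]]$ExcludedEventId
    )
    # Each ID becomes "EventID=<n>"; wrapping them in NOT (...) keeps every other event.
    $terms = $ExcludedEventId | Sort-Object -Unique | ForEach-Object { "EventID=$_" }
    return 'select * from AdtsEvent where NOT (' + ($terms -join ' OR ') + ')'
}

function Set-AcsExclusionQuery {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [int[]]$ExcludedEventId
    )
    $adtAdmin = Join-Path $env:windir 'system32\security\AdtServer\AdtAdmin.exe'
    if (-not (Test-Path $adtAdmin)) {
        throw "AdtAdmin.exe not found at $adtAdmin; run this on the ACS collector."
    }
    $query = New-AcsExclusionQuery -ExcludedEventId $ExcludedEventId
    # Straight double quotes around the query, exactly as in the documented command line.
    $argumentLine = "/setquery /query:`"$query`""
    if ($PSCmdlet.ShouldProcess($adtAdmin, $argumentLine)) {
        # A single-string ArgumentList is passed verbatim, so the embedded quotes survive.
        Start-Process -FilePath $adtAdmin -ArgumentList $argumentLine -NoNewWindow -Wait
    }
}

# Sample input: the Event IDs from the article's Cross Platform example.
$ids = 560,562,569,570,571,26401,4665,4666,4667,4624,4634,4648,5156,4656,4658,5159

# Review the generated query before applying it.
New-AcsExclusionQuery -ExcludedEventId $ids

# Dry run; remove -WhatIf to change the collector's filter.
Set-AcsExclusionQuery -ExcludedEventId $ids -WhatIf
```

Review the printed query before dropping -WhatIf, since any event ID listed is no longer collected by ACS at all; the archiving approach described above is what preserves a complete audit trail.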

For additional information about how to use AdtAdmin.exe, see ACS Administration--AdtAdmin.exe (https://go.microsoft.com/fwlink/?Linkid=169306).