• Article

How to Filter ACS Events for UNIX and Linux Computers

 

Updated: May 13, 2016

Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager

By default, ACS collects and stores every event recorded in the Windows Security Event logs. A large number of the events can make it difficult to identify potential problems. You want to collect only the security events that meet your audit and security compliance requirements.

Best practice is to archive the data by using an ACS Archiver and then restore it to a historical repository. From this repository, you can run your filtering. The following procedure provides the ability to maintain all audit events and optimize the audit data report performance. For example, you may want to store all Successful Logon Events (540,528), but not report on them unless audited. 

To filter Event IDs by using AdtAdmin

  1. At a command prompt, change the working directory to %windir%\system32\security\AdtServer.

  2. At the same command prompt, set the query parameters by entering AdtAdmin /setquery /query:"select * from AdtsEvent where NOT (EventID=560 OR EventID=562 OR …)", where the EventIDs listed are the audit events to be ignored in the event log.

    For example, to set a filter so that only the UNIX and Linux security events are logged to the Windows Security Event log , set the query parameters by entering AdtAdmin /setquery /query:”select * from AdtsEvent where NOT (EventID=560 OR EventID=562 OR EventID=569 OR EventID=570 OR EventID=571 OR EventID=26401 OR EventID=4665 OR EventID=4666 OR EventID=4667 OR EventID=4624 OR EventID=4634 OR EventID=4648 OR EventID=5156 OR EventID=4656 OR EventID=4658 OR EventID=5159)”.

For additional information about how to use AdtAdmin.exe, see Audit Collection Services Administration (AdtAdmin.exe).