How to Limit the Size of the ACS Database by filtering the Security Events

After the following ACS filter is applied, newly collected events no longer appear in ACS reports.

adtadmin /setquery /query:"SELECT * FROM AdtsEvent WHERE (HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') AND (EventID=671 OR EventID=675 OR EventID=681 OR EventID=529 OR EventID=531 OR EventID=532 OR EventID=535 OR EventID=536 OR EventID=539 OR EventID=517 OR EventID=624 OR EventID=627 OR EventID=628 OR EventID=630 OR (EventID>=631 AND EventID<=639) OR (EventID>=641 AND EventID<=668) OR EventID=684 OR EventID=685)"

Problem Description
===================
The ACS (Audit Collection Services) database can quickly fill up with unwanted security events.

Resolution
==========
The solution is to keep unwanted events out of the database by using AdtAdmin with a WQL query, as listed below.
An ACS collector can use Windows Management Instrumentation (WMI) Query Language (WQL) queries as filters to limit the events that are stored in the ACS database.
The /SetQuery parameter applies the filter before events are saved to the ACS database.
For more information about WQL and WQL queries, see Retrieving Managed Resources Using WMI Query Language at https://go.microsoft.com/fwlink/?LinkId=74151 and Querying with WQL at https://go.microsoft.com/fwlink/?LinkId=74152.

Syntax:
AdtAdmin.exe /SetQuery [/Collector:CollectorName] /Query:QuerySyntax

Example
=======
This example uses the /SetQuery parameter to define a WQL query that filters out specified events. When applied, the query filters out events generated by the System, Local Service, and Network Service accounts, and it also filters out events with the specified event ID numbers.
adtadmin /setquery /collector:"Collector Name" /query:"SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680) OR (EventId>=541 AND EventId<=547))"
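To see why the first query hid events while the second only trims noise, here is an added Python model (not part of the article and not AdtAdmin code) of both WHERE clauses applied to constructed AdtsEvent records; it assumes, as the article's own examples indicate, that the WHERE clause selects the events that get stored.

```python
"""Model the two ACS /SetQuery filters from this article and apply them to
constructed AdtsEvent records to show which events the collector would keep.

Assumption: the WHERE clause selects the events that are STORED, which is
how the article's examples read ("SELECT * FROM AdtsEvent WHERE NOT ...").
"""

SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Event IDs listed in the problem filter (the query without NOT).
PROBLEM_IDS = ({671, 675, 681, 529, 531, 532, 535, 536, 539, 517, 624, 627,
                628, 630, 684, 685} | set(range(631, 640)) | set(range(641, 669)))

# Event IDs listed in the resolution filter (the query with NOT).
NOISE_IDS = {538, 566, 672, 680} | set(range(541, 548))


def problem_filter(event):
    """WHERE (HeaderUser IN services) AND (EventID IN list): stores only the
    matching events, so every other event is silently discarded."""
    return event["HeaderUser"] in SERVICE_ACCOUNTS and event["EventId"] in PROBLEM_IDS


def resolution_filter(event):
    """WHERE NOT (service account OR noisy event ID): discards the noise and
    stores everything else."""
    return not (event["HeaderUser"] in SERVICE_ACCOUNTS or event["EventId"] in NOISE_IDS)


def stored_events(events, keep):
    """Return the (HeaderUser, EventId) pairs the collector would write to the database."""
    return [(e["HeaderUser"], e["EventId"]) for e in events if keep(e)]


# Constructed sample of audit events (not real data).
SAMPLE_EVENTS = [
    {"HeaderUser": "SYSTEM", "EventId": 538},           # logoff by a service account
    {"HeaderUser": "SYSTEM", "EventId": 672},           # Kerberos ticket granted, service account
    {"HeaderUser": "NETWORK SERVICE", "EventId": 680},  # NTLM logon attempt by a service account
    {"HeaderUser": "jdoe", "EventId": 529},             # failed logon by a user: worth keeping
    {"HeaderUser": "jdoe", "EventId": 624},             # user account created: worth keeping
    {"HeaderUser": "SYSTEM", "EventId": 529},           # failed logon attributed to SYSTEM
]

if __name__ == "__main__":
    for name, keep in (("problem", problem_filter), ("resolution", resolution_filter)):
        print(name, stored_events(SAMPLE_EVENTS, keep))
```

Running it shows the problem filter storing only the single SYSTEM event and dropping the user's failed logon and account creation, while the resolution filter stores exactly those two user events.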