Filtering out what gets sent to the ACS Database

I have had more than a few of my (mostly HED) customers ask whether it is possible to limit the types of security events that land in the ACS DB.  Anyone who has ever used any kind of system, homegrown or otherwise, to collect security events from a very busy domain controller with auditing turned on knows that there is a TON of data there, which can lead to ACS DB bloat.

If changing the security audit policy is not an option (which it often is not in a large environment), you can in fact tell the ACS Collector which security events to put in the ACS DB and which ones to discard, which can save you ENORMOUS amounts of space.  Basically you use the AdtAdmin.exe /SetQuery command on your ACS Collector as explained here.  The sample they use:

adtadmin /setquery /collector:"Collector Name" /query:"SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680 OR (EventId>=541 AND EventId<=547)))"

...is a good one, as it filters out much of the 'uninteresting' security event traffic generated about Local System or Network Service, plus other usually unimportant events that can be generated depending on the audit policy.  What you are left with is the more interesting data, such as the security events of actual users...  This is very handy, especially for environments whose domains have upwards of 50,000+ active users running around on a daily basis!
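As an added illustration (not part of the original post and not AdtAdmin's own code), the Python below mirrors that WHERE clause in plain code and runs it over a constructed sample of events, so you can estimate how much of the feed a candidate query would drop before committing it with /SetQuery; the user names and event mix in the sample are made up for the demonstration.

```python
# Added example: simulate the AdtAdmin /SetQuery predicate from the post against
# a constructed sample of security events and report how much would be discarded.
from dataclasses import dataclass

# Same exclusions as the sample query: service accounts by HeaderUser, plus
# specific EventIds and the 541-547 range.
EXCLUDED_USERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
EXCLUDED_IDS = {538, 566, 672, 680}
EXCLUDED_RANGES = [(541, 547)]


@dataclass(frozen=True)
class AdtsEvent:
    event_id: int
    header_user: str


def keep_event(ev, users=EXCLUDED_USERS, ids=EXCLUDED_IDS, ranges=EXCLUDED_RANGES):
    """True if the collector would forward this event to the ACS DB.

    Mirrors: SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser is a service account)
             OR (EventId is in the excluded set or inside an excluded range)).
    """
    by_user = ev.header_user in users
    by_id = ev.event_id in ids or any(lo <= ev.event_id <= hi for lo, hi in ranges)
    return not (by_user or by_id)


def apply_filter(events):
    """Split events into (kept, discarded) and return the discard ratio."""
    kept = [e for e in events if keep_event(e)]
    discarded = [e for e in events if not keep_event(e)]
    ratio = len(discarded) / len(events) if events else 0.0
    return kept, discarded, ratio


# Constructed sample using the pre-Vista (Windows 2003-era) event IDs the query targets.
SAMPLE_EVENTS = [
    AdtsEvent(528, "DOMAIN\\alice"),    # successful user logon: kept
    AdtsEvent(540, "DOMAIN\\bob"),      # successful network logon by a user: kept
    AdtsEvent(538, "DOMAIN\\alice"),    # user logoff: discarded by EventId
    AdtsEvent(672, "DOMAIN\\carol"),    # Kerberos AS ticket granted: discarded by EventId
    AdtsEvent(680, "DOMAIN\\dave"),     # NTLM authentication: discarded by EventId
    AdtsEvent(543, "DOMAIN\\erin"),     # inside the 541-547 range: discarded
    AdtsEvent(560, "NETWORK SERVICE"),  # object access by a service account: discarded
    AdtsEvent(529, "SYSTEM"),           # note: even a failed logon from SYSTEM is dropped
    AdtsEvent(529, "DOMAIN\\mallory"),  # failed logon by a user: kept
]

if __name__ == "__main__":
    kept, discarded, ratio = apply_filter(SAMPLE_EVENTS)
    print(f"kept {len(kept)}, discarded {len(discarded)}, reduction {ratio:.0%}")
```

Running it on the sample keeps 3 of 9 events; swap in an exported slice of your own collector's feed to see what the query would really do to your volume.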

Technorati Tags: ACS, Operations Manager, MOM, OpsMgr