When we enable ACS in the SCOM environment, after a couple of days we can see what is being collected.
We were seeing a lot of events being collected, and most of them were not useful for us to monitor.
The final NOT query filter I applied was:
AdtAdmin /setquery /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=4776 OR EventId=4689 OR EventId=4688 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4696 OR EventId=5159 OR EventId=5152 OR EventId=5157 OR PRIMARYUSER LIKE '%SVC%' OR PRIMARYUSER LIKE '%$%' OR TARGETUSER LIKE '%$%')"
This reduced a lot of noise in our environment.
To enable this filter, do the following:
Log in to the ACS collector.
Open a command prompt.
Change to the following directory:
C:\Windows\System32\Security\AdtServer>
Then run the AdtAdmin command I mentioned above.
In the query I used PrimaryUser and TargetUser as filter fields:
PrimaryUser = Primary User Name in the header of the event
TargetUser = Target Name in the details of the event
This is how an event from the Windows Security log is saved in the tables of the ACS database; you may need to know how the event log entries are mapped to entries in the ACS database.
I wanted to avoid events generated by service accounts and computer accounts, so I used:
PRIMARYUSER LIKE '%SVC%' OR PRIMARYUSER LIKE '%$%' OR TARGETUSER LIKE '%$%'
Depending on what you need to achieve, you can modify the query as you like.
If you need to look at what is being saved in the database, the following query may be helpful. It has to be run against the ACS database in SQL:
select EventId, PrimaryUser as Who_Changed, TargetUser as Added_To, CreationTime as [When], String01 as Who
from adtserver.dvall5
where CreationTime between '2013-02-01' and '2013-02-10'
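The post's query lists individual rows; before deciding which event IDs and accounts to drop from the collector, it helps to see the volume by event ID and by account kind, and after applying the AdtAdmin filter it helps to confirm the excluded events have actually stopped arriving. The T-SQL below is an added example, not from the original post or the ACS product, and uses only the view and columns the post already queries (adtserver.dvall5 with EventId, PrimaryUser, TargetUser, CreationTime); the date window and the filter-change timestamp are constructed sample values. One caveat worth keeping in mind when reading the results: 4688 (process creation), 4768/4769/4776 (Kerberos and NTLM authentication) and every event involving a computer account are exactly the records an investigation usually reaches for, so check what share of the volume they really are before dropping them.

```sql
-- Added example (not part of the original post): T-SQL against the ACS database.
-- Same view and columns as the post's own query; dates are constructed samples.
DECLARE @from datetime, @to datetime, @changedAt datetime;
SET @from = '2013-02-01';
SET @to   = '2013-02-10';
SET @changedAt = '2013-02-10';  -- constructed: the time the AdtAdmin /setquery filter was applied

-- 1) Volume by event ID, with its share of the total, so the exclusion list is
--    built from measured counts rather than from the IDs that merely look noisy.
SELECT EventId,
       COUNT(*) AS EventCount,
       CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER () AS decimal(5, 2)) AS PctOfTotal
FROM adtserver.dvall5
WHERE CreationTime BETWEEN @from AND @to
GROUP BY EventId
ORDER BY EventCount DESC;

-- 2) Volume by account, classified the way the post's filter classifies it.
--    A trailing '$' is how Windows names computer accounts; '%SVC%' is only a
--    naming convention, so verify that every account it matches is a service
--    account before excluding it from collection.
SELECT PrimaryUser,
       CASE
           WHEN PrimaryUser LIKE '%$'   THEN 'computer account'
           WHEN PrimaryUser LIKE '%SVC%' THEN 'service account (by naming convention)'
           ELSE 'user account'
       END AS AccountKind,
       COUNT(*) AS EventCount
FROM adtserver.dvall5
WHERE CreationTime BETWEEN @from AND @to
GROUP BY PrimaryUser
ORDER BY EventCount DESC;

-- 3) Verification after the filter is in place: the same conditions the post's
--    NOT (...) clause excludes, restricted to events created after the change.
--    An empty result means the collector filter is doing what was intended.
SELECT EventId, COUNT(*) AS StillCollected
FROM adtserver.dvall5
WHERE CreationTime > @changedAt
  AND (
        EventId IN (4776, 4689, 4688, 4768, 4769, 4770, 4771, 4772, 4696, 5159, 5152, 5157)
        OR PrimaryUser LIKE '%SVC%'
        OR PrimaryUser LIKE '%$%'
        OR TargetUser  LIKE '%$%'
      )
GROUP BY EventId
ORDER BY StillCollected DESC;
```

Note that the post's collector filter uses '%$%' (a dollar sign anywhere in the name), while the classification in query 2 uses '%$' (a trailing dollar sign); the broader pattern is kept in query 3 so that it mirrors the filter exactly.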
Hope this helps.