List of events included in Audit Collection Services reports

The following table contains the list of events that are included in the Audit Collection Services reports shipped with System Center Operations Manager 2007 R2:

Access Violation – Account Locked report: 539, 534, 4740, 6279
Access Violation – Unsuccessful Logon Attempts report: 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 4625
Account Management – Domain and Built-in Administrators Changes report: 632, 633, 636, 637
Account Management – Passwords Change Attempts by Non-owner report: 627, 628, 4723, 4724
Account Management – User Accounts Created report: 624, 4720
Account Management – User Accounts Deleted report: 630, 4726
Usage – Object Access report: 560, 567, 4656, 4663
Usage – Privileged logon report: 575, 4672
Usage – Sensitive Security Groups Changes report: 631, 632, 633, 634, 635, 636, 637, 638, 639, 641, 658, 659, 660, 661, 662, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758
Usage – User Logon report: 528, 540, 4624
System Integrity – Audit Log Cleared report: 517, 1102
System Integrity – Audit Failure report: 516, 4612
Policy – Privilege Added Or Removed report: 609, 622, 4704, 4705
Policy – Object Permissions Changed report: 4670
Policy – Audit Policy Changed report: 612, 4719
Policy – Account Policy Changed report: 643, 4739
Planning – Logon Counts of Privileged Users report: 576, 4672

This information might be helpful to anyone interested in setting up a filter on the ACS Collector side in order to limit the list of events that are stored in the ACS database. By default, all security events from ACS forwarders are stored in the ACS database. In my test environment, approximately 57% of the events stored in the ACS database are not included in any of the above-mentioned ACS reports. This means that a lot of the data in the ACS database is irrelevant for reporting purposes and that the ACS database size can be reduced significantly by setting up an ACS Collector filter.

To set up an ACS Collector filter and limit the list of events that are stored in the ACS database, the AdtAdmin.exe /SetQuery command-line utility must be used. It uses Windows Management Instrumentation (WMI) Query Language (WQL) to filter events before they reach the ACS database.

For more information on how to use the AdtAdmin.exe command-line utility, you may refer to the following Microsoft TechNet article:
AdtAdmin.exe /SetQuery: http://technet.microsoft.com/en-us/library/bb381343.aspx
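As an added example (not from the original post, and not Microsoft's own tooling), the following script builds the collector filter from the report list above and estimates how much of a constructed event sample it would drop. It assumes the WQL class is AdtsEvent with an integer EventId property and that /SetQuery takes /Collector and /Query parameters; confirm both against the TechNet article before applying the query to a production collector.

```python
"""Build an ACS Collector WQL filter keeping only the event IDs the shipped
ACS reports read.  Assumed (not verified): WQL class AdtsEvent, property
EventId, AdtAdmin parameters /Collector and /Query.  WQL has no IN operator."""

# Event IDs per report, copied from the list in the post above.
REPORT_EVENTS = {
    "Account Locked": [539, 534, 4740, 6279],
    "Unsuccessful Logon Attempts": [529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 4625],
    "Domain and Built-in Administrators Changes": [632, 633, 636, 637],
    "Password Change Attempts by Non-owner": [627, 628, 4723, 4724],
    "User Accounts Created": [624, 4720],
    "User Accounts Deleted": [630, 4726],
    "Object Access": [560, 567, 4656, 4663],
    "Privileged Logon": [575, 4672],
    "Sensitive Security Group Changes": [631, 632, 633, 634, 635, 636, 637, 638, 639, 641,
                                         658, 659, 660, 661, 662, 4727, 4728, 4729, 4730, 4731,
                                         4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758],
    "User Logon": [528, 540, 4624],
    "Audit Log Cleared": [517, 1102],
    "Audit Failure": [516, 4612],
    "Privilege Added or Removed": [609, 622, 4704, 4705],
    "Object Permissions Changed": [4670],
    "Audit Policy Changed": [612, 4719],
    "Account Policy Changed": [643, 4739],
    "Logon Counts of Privileged Users": [576, 4672],
}

def reported_event_ids():
    """Union of all IDs any shipped report reads, deduplicated and sorted."""
    return sorted({eid for ids in REPORT_EVENTS.values() for eid in ids})

def build_wql(event_ids):
    """WQL that stores only the given IDs; WQL lacks IN, so OR the equalities."""
    clause = " OR ".join(f"EventId={eid}" for eid in event_ids)
    return f"SELECT * FROM AdtsEvent WHERE {clause}"

def adtadmin_command(collector, wql):
    """AdtAdmin.exe /SetQuery invocation (parameter names are an assumption)."""
    return f'AdtAdmin.exe /SetQuery /Collector:{collector} /Query:"{wql}"'

def dropped_fraction(observed_ids, keep):
    """Share of observed events the filter would discard, for sizing the DB."""
    keep = set(keep)
    return sum(1 for e in observed_ids if e not in keep) / len(observed_ids)

if __name__ == "__main__":
    ids = reported_event_ids()
    print(adtadmin_command("ACSCOLLECTOR01", build_wql(ids)))
    sample = [4624] * 30 + [4634] * 30 + [4672] * 10 + [4688] * 25 + [5156] * 5  # constructed
    print(f"{dropped_fraction(sample, ids):.0%} of sample events would be filtered")
```

Run it against a histogram of event IDs exported from your own ACS database instead of the constructed sample to get a figure comparable to the 57% observed in the post.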


One thought on “List of events included in Audit Collection Services reports”

  1. Ivan says:

    Early in the morning
    As the darkness settles
    Into the little TAM van
    The five of us madmen
    Climb in, half asleep

    But I don't give a fuck.
    Because one has to build
    Above the forests, above the mountains
    One has to build
    Ah, one has to build

    A pencil behind my ear
    A trowel in my hands
    Drawn on a plank
    The sketch of a new house

    My comrades
    Buddies with no schooling
    All day long
    They love laying bricks

    They don't give a fuck
    About the cube root
    As long as the cement
    Is dry in the sack

    They stand by the shovel
    While the mixer rumbles
    Inside it is mixing
    The new house's fur coat

    To a drunken song
    Beside the muddy wheel
    Every now and then they stop
    Because the boss pays well

    Nobody goes crazy
    Over the wall that's rising
    That grows crooked
    Boss, cut down on the beer!

    All day long
    The building-site crew
    Imagines the house
    And the reflection of its face
    But they don't give a fuck
    Because one has to build
    By the road, by the path
    I'm drunk as a pig
    I'll puke into your mixer
    And smash your face, fuck that cognac, damn it
    Angry…
    to hell with bricklaying and the building site and 80 kuna a day
    and I slave away like a shitty horse
    fuck you, damn you
