As a follow-up to my previous post, I want to share my findings on the effect of configuring a filter on the ACS Collector side in order to collect and store only the security events that are relevant for your reporting purposes.
To limit the list of events stored in the ACS database to only the specific subset of events required for reporting purposes, the AdtAdmin.exe /SetQuery command-line utility was used.
The total number of events collected on a daily basis has been drastically reduced by setting up an ACS Collector filter, as can be seen in the diagram provided below.
This diagram shows the total number of events stored within the Audit Collection Services database on a daily basis. On day 12, the ACS Collector filter was set up in order to filter out all unnecessary security events from collection. A picture is worth a thousand words…
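As an added example (not the command used in the original post), the following PowerShell session shows the shape of an ACS collector filter: read the current WQL query with /GetQuery, set a new one with /SetQuery, and read it back to confirm. The collector name, the specific event IDs being excluded, and the assumption that these IDs are noise for this environment are all illustrative; the default ACS query is `select * from AdtsEvent`, and WQL has no `IN` operator, so the exclusion list is built with `OR`.

```powershell
# Added example: apply a WQL filter on the ACS collector with AdtAdmin.exe.
# Run on the ACS collector server (or pass /Collector:<name> to target one).
$collector = 'ACS-COLLECTOR01'          # assumption: your collector's name

# 1. Record the query currently in effect (default is: select * from AdtsEvent).
AdtAdmin.exe /GetQuery /Collector:$collector

# 2. Event IDs to drop at the collector. These are illustrative choices only;
#    4624/4634/4672 are logon/logoff/special-privilege events that commonly
#    dominate volume. Check your reporting and retention requirements before
#    excluding anything: a filtered event is never written to the ACS database.
$excludedIds = 4624, 4634, 4672

# 3. Build the WQL exclusion clause. WQL does not support IN, so join with OR.
$clause = ($excludedIds | ForEach-Object { "EventId = $_" }) -join ' OR '
$query  = "SELECT * FROM AdtsEvent WHERE NOT ($clause)"

# 4. Apply the filter and read it back to verify what the collector stored.
AdtAdmin.exe /SetQuery /Collector:$collector /Query:$query
AdtAdmin.exe /GetQuery /Collector:$collector
```

Before tightening the filter, compare event counts per EventId in the existing ACS data so the exclusion list is driven by measured volume rather than guesswork, and keep the previous query output from step 1 so the change can be reverted with another /SetQuery.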