Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Fun with Audit Collection Services - Part 1
Published Jan 21 2019 06:41 PM 1,664 Views
Microsoft

First published on TECHNET on May 19, 2016
First blog post so I am keeping it simple.



I recently received a customer request to implement Audit Collection Services (ACS) in their environment. The requirement was to capture events on file servers so that they could report on deleted files/folders. The design and implementation was straightforward: a dedicated-standalone database, ACS Collector installed on a SCOM Management Point, and shared reporting with the SCOM (So ACS reports can be viewed in the console).

With no filters applied, ALL event data from the enabled forwarders will begin flowing into the Collector and stored in the database so the first task post-implementation was to apply a good filter. If you have searched the internet, like me, you have found that there are not many resources regarding ACS filters. I came across this filter from a post by Kevin Holman and is a great place to start.



Here is the syntax:

adtadmin /setquery /collector:"collector server" /query:"SELECT * FROM AdtsEvent WHERE NOT (((EventId=528 AND String01=’5′) OR (EventId=576 AND (String01=’SeChangeNotifyPrivilege’ OR HeaderDomain=’NT Authority’)) OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680)))"



This filter will eliminate a lot of unnecessary events. However, the customer requested we filter out events for deleted files of a certain file type (.tmp and .pst), as they had no need to report on these, which was not excluded by the above filter. I reached out to a colleague (Thanks Chris Maiden!) and he was able to tweak and extend the filter to exclude events with that file type.



Here is the syntax:

adtadmin /setquery /collector:"collector server" /query:"SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680) OR (EventId>=541 AND EventId<=547) OR (String02 LIKE '%.TMP') OR (String02 LIKE '%.PST'))"



The results validated that we were excluding the file types, per the customer request, and we saw a significant reduction in collected events. Unfortunately we began seeing some performance and timeout issues with reporting. Tune in to Part 2 to discover how this was resolved!



For additional information on ACS and applying filters for ACS, refer to the following articles:

http://technet.microsoft.com/en-us/library/bb309436.aspx

http://technet.microsoft.com/en-us/library/hh212908(v=sc.12).aspx










 

Version history
Last update:
‎Apr 07 2020 11:53 AM
Updated by: