We are sending logs from Windows servers to a centralized collector.  The 
Windows servers are consistently sending all kinds of events to the collector.  
I'm seeing a bunch of Security:538 and Security:576 events.  For example, one 
particular server is sending Security:538 events and Security:576 events 
several times a minute.  Over a period of time that I was looking at, these two 
events accounted for 92% of the events being sent from the server.  When I 
looked at the events they basically said the same thing over and 
over...Security:576 - "Special privileges assigned to new login, username: 
administrator...."  And Security:538 - "User Logoff:  User name: 
administrator...."

I'd like to filter out these events before they hit the collector, but I'm 
afraid of filtering out too much and potentially missing a log entry that could 
help with an incident, while at the same time I don't want to send and store 
logs that aren't useful.

Thoughts? 


Thanks. 
Jason Youngquist

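One way to cut the volume without losing the trail, as an added example and not code from the original post or from any particular collector product: suppress 538/576 only when they match the exact repeated signature (same account, same logon type, same privilege list), never suppress interactive or RDP logoffs, pass through anything unparseable, and replace the dropped events with one per-minute roll-up record so an incident responder can still see that the activity happened and how often. The flattened "key=value" line format, the logon type 3 and the privilege list in the rules are assumptions for illustration; take the real values from your own events. The sample lines are constructed, not real logs.

```python
"""Selective suppression of repetitive Windows Security 538/576 events with a
per-minute roll-up, so the collector keeps evidence of the activity (added
example; the line format and the noise signatures are assumptions)."""
import re
from collections import Counter

# Assumed flattened format: "<date> <time> Security:<id> <message with key=value fields>"
EVENT_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} Security:(?P<id>\d+) (?P<msg>.*)$"
)
# Field keys may contain spaces ("User Name"); values are space-free in this format.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)=(\S+)")

# Signatures to suppress. The account comes from the post; logon type 3 (network)
# and the privilege list are assumptions standing in for whatever your events show.
NOISE_RULES = {
    "576": {"User Name": "administrator",
            "Privileges": "SeChangeNotifyPrivilege,SeBackupPrivilege"},
    "538": {"User Name": "administrator", "Logon Type": "3"},
}
# Logon type 2 (interactive) and 10 (RemoteInteractive/RDP) are never suppressed:
# an administrator sitting at a console or over RDP is exactly what you want to keep.
PROTECTED_LOGON_TYPES = {"2", "10"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "2008-03-10 10:01:02 Security:576 Special privileges assigned to new logon. User Name=administrator Domain=CORP Logon ID=(0x0,0x1A2B) Privileges=SeChangeNotifyPrivilege,SeBackupPrivilege",
    "2008-03-10 10:01:05 Security:538 User Logoff: User Name=administrator Domain=CORP Logon ID=(0x0,0x1A2B) Logon Type=3",
    "2008-03-10 10:01:30 Security:576 Special privileges assigned to new logon. User Name=administrator Domain=CORP Logon ID=(0x0,0x1C44) Privileges=SeChangeNotifyPrivilege,SeBackupPrivilege",
    "2008-03-10 10:01:33 Security:538 User Logoff: User Name=administrator Domain=CORP Logon ID=(0x0,0x1C44) Logon Type=3",
    "2008-03-10 10:02:10 Security:576 Special privileges assigned to new logon. User Name=jdoe Domain=CORP Logon ID=(0x0,0x2001) Privileges=SeDebugPrivilege",
    "2008-03-10 10:02:15 Security:538 User Logoff: User Name=administrator Domain=CORP Logon ID=(0x0,0x2100) Logon Type=10",
    "2008-03-10 10:02:40 Security:576 Special privileges assigned to new logon. User Name=administrator Domain=CORP Logon ID=(0x0,0x2200) Privileges=SeDebugPrivilege,SeTcbPrivilege",
    "2008-03-10 10:03:00 Security:529 Logon Failure: User Name=administrator Domain=CORP Logon Type=3",
    "garbled line the agent could not parse",
]


def parse_event(line):
    """Return {'minute', 'id', <field>: <value>, ...} or None if the line does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"minute": m.group("minute"), "id": m.group("id")}
    for key, value in FIELD_RE.findall(m.group("msg")):
        ev[key.strip()] = value
    return ev


def matches_noise(ev, rules):
    """True only when every field of the rule for this event ID matches exactly."""
    rule = rules.get(ev["id"])
    if rule is None or ev.get("Logon Type") in PROTECTED_LOGON_TYPES:
        return False
    return all(ev.get(key) == value for key, value in rule.items())


def filter_events(lines, rules=NOISE_RULES):
    """Split lines into (kept, rollups). Unparseable lines are always kept."""
    kept, suppressed = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is not None and matches_noise(ev, rules):
            suppressed[(ev["minute"], ev["id"])] += 1
        else:
            kept.append(line)
    rollups = [
        f"{minute}:00 Security:{eid} ROLLUP suppressed={n} rule={rules[eid]}"
        for (minute, eid), n in sorted(suppressed.items())
    ]
    return kept, rollups


if __name__ == "__main__":
    kept, rollups = filter_events(SAMPLE_EVENTS)
    print(f"kept {len(kept)} of {len(SAMPLE_EVENTS)} events")
    for r in rollups:
        print(r)
```

Run the suppression on the forwarder, not on the collector, since the point is to save bandwidth and storage, and keep the local Security log retention on the server long enough that the raw events can still be pulled if the roll-up counts ever look wrong for a given minute. Review the rules whenever the service or scheduled task generating the logons changes, because a rule that no longer matches exactly simply stops suppressing, which is the safe direction to fail.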