Jason,

Have you tried GPOs for the filtering?

Regards,
Damien

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Youngquist, Jason R.
Sent: Wednesday, September 22, 2010 11:54
To: '[email protected]'
Subject: Windows event logs to filter/ignore

We are sending logs from Windows servers to a centralized collector. The Windows servers are consistently sending all kinds of events to the collector. I'm seeing a bunch of Security:538 and Security:576 events. For example, one particular server is sending Security:538 events and Security:576 events several times a minute. Over a period of time that I was looking at, these two events accounted for 92% of the events being sent from the server.

When I looked at the events they basically said the same thing over and over... Security:576 - "Special privileges assigned to new login, username: administrator...." And Security:538 - "User Logoff: User name: administrator...."

I'd like to filter out these events before they hit the collector, but I'm afraid of filtering out too much and potentially missing a log entry that could help with an incident, while at the same time I don't want to send and store logs that aren't useful.

Thoughts?

Thanks.

Jason Youngquist
