Filtering Windows Event Logs

The LogLogic® Universal Collector's own activity on a Windows log source (for example, reading the event logs over WMI) can itself generate Windows audit events, which the collector then picks up as noise. If you need to minimize these events, use one of the following methods:

Procedure

  1. Remove "Object Access/Success" from the audit policy on the Windows log sources, so that successful object access is no longer audited. (For details, see Audit Policy Management on Windows below.)
  2. Review the current System Access Control List (SACL), that is, the auditing entries, on the WMI namespace \\root\CIMV2 through which the LogLogic® Universal Collector reads the Windows event logs, and verify that Enable Account/Successful is not checked for the account or group the LogLogic® Universal Collector connects as. If necessary, create a new auditing entry for the LogLogic® Universal Collector account in which Enable Account/Successful is not checked.
    Note: If the auditing entries are inherited from the parent namespace, inheritance of the SACL must be disabled on \\root\CIMV2 before they can be edited.
    Audit Policy Management on Windows

    Platform              Description
    --------------------  ----------------------------------------------------------------
    Windows 2008 R2       The audit policy in Windows is configured through the local
                          security policy and/or GPOs linked to the domain, OU or site. A
                          good way to understand the effective policy is the Resultant Set
                          of Policy (RSoP) snap-in of MMC; generate the RSoP data for the
                          local host only. The resulting policy is listed under Computer
                          Configuration > Windows Settings > Security Settings > Local
                          Policies > Audit Policy.
    Windows 2008 R2 only  On Windows Server 2008 R2, more granular settings named
                          "sub-categories" are available (in a GPO under Advanced Audit
                          Policy Configuration). Whichever mechanism is in use, check the
                          precise effective audit policy with:
                              auditpol /get /category:*

    For more information on sub-category audit capabilities, refer to the Microsoft documentation:

    http://support.microsoft.com/kb/921468

    Also review the Microsoft article on access to WMI namespaces, which covers auditing of namespace access (the SACL settings of step 2):

    http://msdn.microsoft.com/en-us/library/aa822575(v=vs.85).aspx
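The following script is an added example that is not part of the LogLogic documentation. It checks both audit sources named in the procedure from an elevated PowerShell session on the Windows log source: it parses the effective audit policy that auditpol reports for the Object Access category (step 1, with an optional switch to disable success auditing per sub-category), and it reads the SACL of the WMI namespace root\cimv2 through the __SystemSecurity class to list the audit entries and flag an Enable Account/Successful entry for the collector account (step 2). The function names, the sample account CONTOSO\svc-loglogic, and the assumption that the session holds SeSecurityPrivilege (needed to read a SACL) are the example's own, not the product's.

```powershell
# Added example (not LogLogic code): review, and optionally trim, the audit sources
# named in the procedure. Run in an elevated PowerShell session on the log source.
# Function names and the sample account 'CONTOSO\svc-loglogic' are hypothetical.

# ---- Step 1: Object Access / Success in the effective audit policy ------------
# 'auditpol /get ... /r' prints CSV with the columns:
# Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
function Get-ObjectAccessSuccessAudit {
    $rows = auditpol.exe /get /category:"Object Access" /r |
        Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    # 'Success' and 'Success and Failure' both generate success events
    $rows | Where-Object { $_.'Inclusion Setting' -match 'Success' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Disable-ObjectAccessSuccessAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in Get-ObjectAccessSuccessAudit) {
        $sub = $row.Subcategory
        if ($PSCmdlet.ShouldProcess($sub, 'auditpol /success:disable')) {
            # Only success auditing is removed; failure auditing stays as it was.
            auditpol.exe /set /subcategory:"$sub" /success:disable | Out-Null
        }
    }
}

# ---- Step 2: audit entries (SACL) on the WMI namespace root\cimv2 -------------
# Constants from WbemCli.h / winnt.h
$WBEM_ENABLE                = 0x1    # shown as "Enable Account" in the WMI Control snap-in
$SYSTEM_AUDIT_ACE_TYPE      = 2
$INHERITED_ACE              = 0x10
$SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
$FAILED_ACCESS_ACE_FLAG     = 0x80

function Get-WmiNamespaceAuditEntries {
    param([string]$Namespace = 'root/cimv2')
    # The namespace security descriptor is exposed by the __SystemSecurity class.
    # Assumption: the caller holds SeSecurityPrivilege (elevated admin), or the SACL is not returned.
    $r = Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($r.ReturnValue)" }
    foreach ($ace in @($r.Descriptor.SACL)) {
        if ($null -eq $ace -or $ace.AceType -ne $SYSTEM_AUDIT_ACE_TYPE) { continue }
        [pscustomobject]@{
            Trustee       = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Sid           = $ace.Trustee.SIDString
            EnableAccount = [bool]($ace.AccessMask -band $WBEM_ENABLE)
            Success       = [bool]($ace.AceFlags  -band $SUCCESSFUL_ACCESS_ACE_FLAG)
            Failure       = [bool]($ace.AceFlags  -band $FAILED_ACCESS_ACE_FLAG)
            Inherited     = [bool]($ace.AceFlags  -band $INHERITED_ACE)   # inheritance must be disabled to edit
        }
    }
}

function Test-CollectorAuditNoise {
    param(
        [Parameter(Mandatory)][string]$CollectorAccount,   # DOMAIN\user or DOMAIN\group
        [string]$Namespace = 'root/cimv2'
    )
    $objAccess = @(Get-ObjectAccessSuccessAudit)
    $sacl      = @(Get-WmiNamespaceAuditEntries -Namespace $Namespace)
    # Matches on the trustee name only: an entry for a group the collector account
    # belongs to applies as well, so review group entries in NamespaceAuditEntries by hand.
    $noisy = $sacl | Where-Object {
        $_.Trustee -eq $CollectorAccount -and $_.EnableAccount -and $_.Success
    }
    [pscustomobject]@{
        ObjectAccessSuccessSubcategories = $objAccess.Subcategory
        NamespaceAuditEntries            = $sacl
        CollectorEnableAccountSuccess    = [bool]$noisy
        InheritedEntriesPresent          = [bool]($sacl | Where-Object Inherited)
    }
}

# Usage (hypothetical account):
#   Test-CollectorAuditNoise -CollectorAccount 'CONTOSO\svc-loglogic' | Format-List
#   Disable-ObjectAccessSuccessAudit -WhatIf    # preview; rerun without -WhatIf to apply
```

Two caveats apply when acting on the report. auditpol shows the effective policy, so if the Object Access settings come from a domain GPO (Advanced Audit Policy Configuration), a local auditpol /set change is overwritten at the next policy refresh and the change belongs in the winning GPO that RSoP identifies. Likewise, when InheritedEntriesPresent is true, the Enable Account/Successful entry cannot be removed on \\root\CIMV2 until SACL inheritance is disabled there, as the Note in step 2 says.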