Hi Dears,
I have noticed that there are too many ObjectAudit-related logs in my LEM server. How can I bring them down to a reasonable number by only selecting the important ones from the servers/workstations?
Troy
It is best to turn it off at the source via Group Policy. See the guidelines in the KB below:
SolarWinds Knowledge Base :: Audit Policy and Best Practice
Hi mate,
Thanks for the link, and I understood how it is coming. But the recommendation says that it should be fixed via GPO at the domain level. I would like to understand whether there are any possibilities to configure it on the LEM agent side?
Thanks, Troy
The Agent reads everything that goes into the logs that it is configured to read. There is no option to drop events at the Agent level, so if you want to avoid getting an event, you need to get it out of the logs.
Yeah, there's no agent-side filtering, and the only manager-side filtering is not very granular (i.e. you can turn off ALL ObjectAudits from being sent to your console/database/correlation rules, but not only certain ones).
There is a related feature request (it talks about Windows Filtering Platform events, but could be applied to these as well):
Hi Troy,
You *may* be able to prevent all ObjectAudit events from being stored in the database using the instructions available below
SolarWinds Knowledge Base :: Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy
Simply use ObjectAudit instead of Windows Security in the KB instructions.
This does not prevent agents from processing the events. It will help you prevent the storage of these events. So it still costs unnecessary cycles on the agents and the LEM manager, and the long-term plan should still be to turn off logging at the source.
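Since the thread's advice in the replies above is to stop the events at the source rather than at the agent or manager, here is an added example of what that looks like on a Windows host. This is not code from the thread or from SolarWinds. It assumes that the ObjectAudit events LEM receives originate from the Windows "Object Access" advanced audit subcategories (file system, registry, handle manipulation, Windows Filtering Platform), and that the subcategory list in `$noisy` is merely a starting point to be adjusted to what your detections actually need. It changes the local audit policy with `auditpol`, which is fine for testing on one machine; a domain GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access will overwrite these local settings on the next refresh, so the persistent fix is the GPO, exactly as the KB reply says.

```powershell
# Added example, not part of the original thread or SolarWinds documentation.
# Inventory the "Object Access" audit subcategories on this host and turn off
# the ones that typically produce most of the ObjectAudit volume.
# Assumption: LEM's ObjectAudit events come from these subcategories.
# Run from an elevated PowerShell prompt on a test host first.

# 1. Report the current state. /r returns CSV; drop blank lines before parsing.
$policy = auditpol /get /category:"Object Access" /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv
$policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 2. Subcategories that are usually pure noise for a SIEM (assumed list; trim it
#    if you rely on any of them, e.g. 5156/5157 WFP events for network visibility).
$noisy = @(
    'Filtering Platform Connection',
    'Filtering Platform Packet Drop',
    'Handle Manipulation',
    'Kernel Object'
)

foreach ($sub in $noisy) {
    $current = $policy | Where-Object { $_.Subcategory -eq $sub }
    if ($current -and $current.'Inclusion Setting' -ne 'No Auditing') {
        Write-Host "Disabling auditing for '$sub' (was: $($current.'Inclusion Setting'))"
        auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
    }
}

# 3. Keep file and registry auditing, but only the failure side. Success
#    events on these subcategories are the high-volume ones; failures still
#    reach the LEM agent and are the ones worth alerting on.
foreach ($sub in 'File System', 'Registry') {
    Write-Host "Setting '$sub' to failure-only auditing"
    auditpol /set /subcategory:"$sub" /success:disable /failure:enable | Out-Null
}

# 4. Verify the result.
auditpol /get /category:"Object Access"
```

Two caveats when moving this into Group Policy: enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so the legacy "Audit object access" category setting cannot re-enable everything, and remember that object access events only fire for objects carrying a SACL, so if the volume comes from a handful of over-audited paths or keys, trimming those SACLs is the other lever besides the subcategory switch.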