Hi there,
I was wondering whether anyone had any advice on how to tune out the volume of events received from Service Accounts?
I have followed the auditing policy as per https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Audit_Policies_and_Best_Practices_for_LEM
However, we have applications like BizTalk and SolarWinds Orion, which constantly send authentication logs to our LEM for Service Account activity being logged to the Windows Security log.
Obviously I could stop the audit log on those servers, but that defeats the purpose really of having LEM and will not do our PCI any good. It would also mean disabling on the DCs, which I wouldn't want to do.
Any best practice for managing this noise would be greatly appreciated.
Regards
Adam