
How to reduce footprint of Windows Service accounts

Hi there,

I was wondering whether anyone had any advice on how to tune out the volume of events received from Service Accounts?

I have followed the auditing policy as per https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Audit_Policies_and_Best_Practices_for_LEM

However, we have applications like BizTalk and SolarWinds Orion, which constantly send authentication logs to our LEM for Service Account activity being logged to the Windows Security log.

Obviously I could stop the audit log on those servers, but that defeats the purpose really of having LEM and will not do our PCI any good. It would also mean disabling on the DCs which I wouldn't want to do.

Any best practice for managing this noise would be greatly appreciated.

Regards

Adam

  • Adam, I don't have an answer, but having the same problem. I installed the LEM agent on our Exchange server and just disabled the Vista security connector since multiple user logon or logoff events per second started appearing. Had to do the same thing on both DCs by setting the logon/logoff audit sub-category with "no auditing".