I was wondering whether anyone had any advice on how to tune out the volume of events received from Service Accounts?
I have followed the auditing policy as per https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Audit_Policies_and_Best_Practices_for_LEM
However, we have applications like BizTalk and Solarwinds Orion, which constantly send authentication logs to our LEM for Service Account activity being logged to the Windows Security log.
Obviously I could stop the audit log on those servers, but that really defeats the purpose of having LEM and will not do our PCI any good. It would also mean disabling it on the DCs, which I wouldn't want to do.
Any best practice for managing this noise would be greatly appreciated.
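One way to cut the noise without turning off logon auditing is to keep the events in the log but triage them before they become alerts: known service accounts are baselined against the logon types and hosts they are expected to use, matching successes are rolled up into counts, and anything that deviates (a failure, an interactive or RDP logon by a service account, a logon from an unexpected host) is kept. The following is an added example written for this thread, not LEM's own filtering or the poster's configuration; the account names, host names, baseline and sample events are all constructed, while the event IDs (4624/4625/4634) and logon type values are the real Windows Security log values.

```python
"""Triage Windows Security logon events from service accounts.

Added example: suppresses expected service-account noise into aggregate
counts while keeping every deviation for review. All names and sample
records below are constructed; only event IDs and logon types are real.
"""
from collections import Counter
from dataclasses import dataclass

# Windows Security log logon types (real values).
LOGON_INTERACTIVE = 2
LOGON_NETWORK = 3
LOGON_BATCH = 4
LOGON_SERVICE = 5
LOGON_REMOTE_INTERACTIVE = 10

# Event IDs treated as routine when they match the baseline; failures never are.
ROUTINE_EVENT_IDS = {4624, 4634}   # 4624 = successful logon, 4634 = logoff


@dataclass(frozen=True)
class LogonEvent:
    event_id: int      # 4624 success, 4625 failure, 4634 logoff
    account: str       # account name as logged
    logon_type: int    # Windows logon type
    host: str          # computer that generated the event


# Hypothetical baseline: for each service account, the logon types and hosts
# it is expected to use. Anything outside this set is kept for review.
SERVICE_BASELINE = {
    "svc_biztalk": {
        "logon_types": {LOGON_SERVICE, LOGON_BATCH},
        "hosts": {"BIZTALK01", "DC01", "DC02"},
    },
    "svc_orion": {
        "logon_types": {LOGON_NETWORK, LOGON_SERVICE},
        "hosts": {"ORION01", "DC01", "DC02"},
    },
}


def is_expected_service_noise(ev: LogonEvent) -> bool:
    """True only for a routine event from a baselined account, type and host."""
    base = SERVICE_BASELINE.get(ev.account.lower())
    if base is None:
        return False                      # not a service account: always keep
    if ev.event_id not in ROUTINE_EVENT_IDS:
        return False                      # failures and other IDs: always keep
    return (ev.logon_type in base["logon_types"]
            and ev.host.upper() in base["hosts"])


def triage(events):
    """Split events into (kept, suppressed_counts).

    Suppressed events are not discarded: they are summarised per
    (account, host, event_id) so volume anomalies remain visible.
    """
    kept = []
    suppressed = Counter()
    for ev in events:
        if is_expected_service_noise(ev):
            suppressed[(ev.account.lower(), ev.host.upper(), ev.event_id)] += 1
        else:
            kept.append(ev)
    return kept, suppressed


# Constructed sample events standing in for a burst of Security log entries.
SAMPLE_EVENTS = [
    LogonEvent(4624, "svc_biztalk", LOGON_SERVICE, "BIZTALK01"),
    LogonEvent(4624, "svc_biztalk", LOGON_SERVICE, "BIZTALK01"),
    LogonEvent(4624, "svc_biztalk", LOGON_SERVICE, "BIZTALK01"),
    LogonEvent(4634, "svc_biztalk", LOGON_SERVICE, "BIZTALK01"),
    LogonEvent(4624, "svc_orion", LOGON_NETWORK, "DC01"),
    LogonEvent(4624, "svc_orion", LOGON_REMOTE_INTERACTIVE, "ORION01"),  # RDP by a service account
    LogonEvent(4625, "svc_biztalk", LOGON_SERVICE, "BIZTALK01"),         # failed logon
    LogonEvent(4624, "jdoe", LOGON_INTERACTIVE, "WS042"),                # ordinary user
    LogonEvent(4624, "svc_biztalk", LOGON_SERVICE, "FILESRV01"),         # unexpected host
]


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_EVENTS)
    for key, n in sorted(suppressed.items()):
        print("suppressed %-12s %-10s %d x%d" % (*key, n))
    for ev in kept:
        print("KEEP", ev)
```

The baseline is the part that needs care: it should come from observed, reviewed behaviour of each service account, and the suppressed counters should still be charted, since a sudden change in volume from a service account is itself worth a look.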
Adam, I don't have an answer, but I'm having the same problem. I installed the LEM agent on our Exchange server and just disabled the Vista security connector, since multiple user logon or logoff events per second started appearing. Had to do the same thing on both DCs by setting the logon/logoff audit sub-category to "no auditing".