Hi again!

Basically ACS is fairly easy to set up, but getting it to run is not the end of the job. It is very important to keep an eye on the status of the event collection to prevent performance degradation. By design, once the collector's database queue crosses its disconnect threshold (90% full by default), the collector starts disconnecting forwarders and refuses new connections, giving itself time to drain the queue. You will not lose data: each forwarder keeps its events locally until the queue is back under the threshold and it is allowed to reconnect. The only real risk is on the forwarder side: if its Security log fills up before it can reconnect, the oldest events are overwritten and never reach the collector.

So, always check for the following event IDs (source AdtServer, in the collector's Operations Manager event log), especially after adding new forwarders. Filter on the source, not just the number: 4634 is also the ID of the "An account was logged off" event in the Security log.

Event ID 4615, Source AdtServer

Database queue threshold exceeded. One or more clients might be disconnected. New connections will not be allowed until queue length decreases below the threshold. Disconnected clients will automatically attempt to re-connect.
Current threshold: 90% full
Current queue status: 96% full.

Event ID 4634, Source AdtServer

An Audit Forwarder disconnected.
Name: Forwarder_Name
DbId: 5
Value: 1
Reason: 0x00000015

Event ID 4628, Source AdtServer

An Audit Forwarder connected.
Name: Forwarder_Name
Address:
Port: 19841
DbId: 5
Value: 1
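Rather than scrolling through the event viewer after every forwarder rollout, the three events above can be pulled out with one script. This is an added example written for this post, not code from Microsoft or the original author; it assumes the AdtServer events land in the "Operations Manager" log on the collector and that the "Current threshold" / "Current queue status" / "Name:" lines can be parsed out of the message text with the regular expressions shown. Run it in an elevated PowerShell session on the collector.

```powershell
# Added example: summarise AdtServer queue/forwarder events on the ACS collector.
# Assumes the events are in the "Operations Manager" log and the message layout
# shown above (4615: "Current queue status: NN% full", 4634/4628: "Name: <forwarder>").
$Hours = 24   # look-back window

$filter = @{
    LogName      = 'Operations Manager'
    ProviderName = 'AdtServer'
    Id           = 4615, 4634, 4628
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent throws when nothing matches; treat "no events" as healthy.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No AdtServer 4615/4634/4628 events in the last $Hours h - queue looks healthy."
    return
}

# How many of each event ID were raised
$events | Group-Object Id | Sort-Object Name |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize

# 4615: threshold and actual queue fill level per occurrence
$events | Where-Object { $_.Id -eq 4615 } | ForEach-Object {
    $threshold = if ($_.Message -match 'Current threshold:\s*(\d+)%')    { [int]$Matches[1] } else { $null }
    $queue     = if ($_.Message -match 'Current queue status:\s*(\d+)%') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{ Time = $_.TimeCreated; ThresholdPct = $threshold; QueuePct = $queue }
} | Format-Table -AutoSize

# 4634 / 4628: which forwarders were dropped and reconnected, and how often.
# A forwarder with many 4634/4628 pairs is the one whose backlog keeps hitting the queue.
$events | Where-Object { $_.Id -in 4634, 4628 } | ForEach-Object {
    $name = if ($_.Message -match 'Name:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
    [pscustomobject]@{ Forwarder = $name; EventId = $_.Id }
} | Group-Object Forwarder, EventId | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

A collector that logs 4615 only right after a batch of new forwarders connects and then goes quiet is catching up on their backlog; one that logs it steadily during the day needs a noise filter or a bigger database server.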

A very clear way to see which event IDs are being collected, and in what quantities, is the report Audit Reports -> Planning -> Event Counts.

Once you know which events you do not need, set a noise filter (a WQL query) for those IDs ON THE COLLECTOR:

For this you need the AdtAdmin tool, which is found on the collector under %SystemRoot%\System32\Security\AdtServer\AdtAdmin.exe

Then replace the IDs with the ones you identified and run the following command from an Administrator CMD:

AdtAdmin /setquery /collector:<collector server name> /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=<NoiseEventID> OR EventId=<NoiseEventID> OR EventId=<NoiseEventID>)"

This keeps every event except the listed noise IDs from being written to the ACS database. Two things to keep in mind: the filter is applied on the collector, so the forwarders still read those events from their Security logs and send them over the network, and each /setquery replaces the previous query, so the command must list every ID you want filtered, not just the new ones.

Sometimes adding the filter fails with a permission problem and you get the error:

Access Denied.

The catch is that the account which needs the permission is not the user you are logged on with; it is NETWORK SERVICE. AdtAdmin hands the query to the ACS collector service (AdtServer), and it is that service, running as NETWORK SERVICE (check the process in Task Manager), that writes the query into the registry. This is also why /setquery can target a remote collector. To get past the Access Denied, grant NETWORK SERVICE the "Set Value" permission on the registry key HKLM\SYSTEM\CurrentControlSet\services\AdtServer\Parameters.

Now the WQL filter query will apply fine!

You can then check the active query in the registry value DBQueueQuery (under the same Parameters key), or run:

AdtAdmin /GetQuery
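The whole procedure (build the query from a list of IDs, fix the NETWORK SERVICE permission if it is missing, apply the filter and read it back) fits in one script. This is an added example for this post, not Microsoft's code or the original author's; it assumes AdtAdmin.exe is under %SystemRoot%\System32\Security\AdtServer, that the collector is the local machine, and the three noise IDs at the top are placeholders to be replaced with what the Event Counts report showed. Run it in an elevated PowerShell session on the collector.

```powershell
# Added example: apply an ACS noise filter end to end.
# Placeholder IDs - replace with the noisy IDs from Audit Reports -> Planning -> Event Counts.
$NoiseEventIds = 4663, 4690, 5145
$Collector     = $env:COMPUTERNAME                               # assumption: local collector
$AdtAdmin      = Join-Path $env:SystemRoot 'System32\Security\AdtServer\AdtAdmin.exe'
$ParamsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters'

# 1. Build the WQL query. Casting to [int] means only numbers end up inside the query.
$ids = $NoiseEventIds | ForEach-Object { [int]$_ } | Sort-Object -Unique
if (-not $ids) { throw 'No noise event IDs given.' }
$where = ($ids | ForEach-Object { "EventId=$_" }) -join ' OR '
$query = "SELECT * FROM AdtsEvent WHERE NOT ($where)"
Write-Host "Filter to apply: $query"

# 2. The AdtServer service (NETWORK SERVICE) writes the query to the registry,
#    so it needs "Set Value" on the Parameters key. Grant it only if it is missing.
$netSvc     = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'   # NT AUTHORITY\NETWORK SERVICE
$netSvcName = $netSvc.Translate([System.Security.Principal.NTAccount]).Value
$setValue   = [int][System.Security.AccessControl.RegistryRights]::SetValue
$acl = Get-Acl -Path $ParamsKey
$hasSetValue = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $netSvcName -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.RegistryRights -band $setValue) -ne 0)     # FullControl also covers SetValue
}
if (-not $hasSetValue) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $netSvc,
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ParamsKey -AclObject $acl
    Write-Host "Granted Set Value on AdtServer\Parameters to $netSvcName."
}

# 3. Apply the filter. PowerShell quotes the /query argument as a whole because it contains spaces.
& $AdtAdmin /setquery "/collector:$Collector" "/query:$query"
if ($LASTEXITCODE -ne 0) { throw "AdtAdmin /setquery failed with exit code $LASTEXITCODE" }

# 4. Verify from both places mentioned above: the registry value and /getquery.
$stored = (Get-ItemProperty -Path $ParamsKey).DBQueueQuery
Write-Host "DBQueueQuery (registry): $stored"
& $AdtAdmin /getquery "/collector:$Collector"
```

Keep the list of IDs in the script under version control: because every /setquery replaces the whole filter, the script is the record of what the collector is currently dropping, and the final /getquery line is the check that what is stored matches what you intended.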