Basically, ACS is fairly easy to set up, but once it is running you are not done. It is very important to check the status of event collection to prevent performance degradation. By design, once the collector queue passes its threshold (90% by default), the collector starts disconnecting forwarders to give itself time to drain the queue. You will not lose data, because the forwarders keep storing events locally until the queue drops back under the threshold and the collector accepts their data again. The only risk is a forwarder whose log is configured to hold fewer events than it generates while disconnected: in that case the oldest events get overwritten before they can be sent.
So always check for the following event IDs, especially after adding new forwarders:
Event ID 4615, Source AdtServer
Database queue threshold exceeded. One or more clients might be disconnected. New connections will not be allowed until queue length decreases below the threshold. Disconnected clients will automatically attempt to re-connect.
Current threshold: 90% full
Current queue status: 96% full.
Event ID 4634, Source AdtServer
An Audit Forwarder disconnected.
Event ID 4628, Source AdtServer
An Audit Forwarder connected.
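To make that check routine rather than something you remember after performance has already dropped, here is an added PowerShell example (not from the original post) that pulls the three AdtServer events above from the collector's event log and summarises them. It assumes it runs on the collector with administrative rights and that AdtServer writes to the "Operations Manager" log; the log name and time window are parameters, so adjust them if your collector logs these events elsewhere.

```powershell
# Added example, not part of the original post. Summarise the AdtServer queue and
# forwarder events described above for one ACS collector.
# Assumptions: run on the collector as an administrator; AdtServer writes to the
# "Operations Manager" log (change $LogName if your collector uses another log).
param(
    [string]$LogName = 'Operations Manager',
    [int]$Hours = 24
)

# Meaning of each event ID, as described in the post.
$ids = @{
    4615 = 'Database queue threshold exceeded'
    4634 = 'Audit Forwarder disconnected'
    4628 = 'Audit Forwarder connected'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = 'AdtServer'
    Id           = @($ids.Keys)
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No AdtServer queue or forwarder events in the last $Hours hours on this collector."
    return
}

# Count per event ID: many 4634/4628 pairs in a short window means the collector is
# repeatedly shedding and re-accepting forwarders because the queue keeps filling.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = [int]$_.Name
        Meaning = $ids[[int]$_.Name]
        Count   = $_.Count
    }
} | Sort-Object EventId | Format-Table -AutoSize

# Show the threshold events in full: their message carries the configured threshold
# and the current queue fill level, which is what you want to trend over time.
$events | Where-Object Id -eq 4615 |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it after every batch of new forwarders has been added; if 4615 shows up at all, the collector is already shedding clients and the noise filter described next is the first thing to look at.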
A very clear way to see which event IDs are being collected, and in what quantities, is the Audit Reports -> Planning-Event_Counts report.
Once you have identified the events you do not need, you can set a noise filter query for those IDs ON THE COLLECTOR:
For this you need the AdtAdmin tool, which can be found under \windows\system32\Security\adtadmin.
Then replace the IDs in the following query with the ones you identified and run it in an administrator CMD:
AdtAdmin /setquery -collector:<collector server Name > /query:"select * FROM AdtsEvent WHERE NOT (EventId=<NoiseEventID> OR EventId=<NoiseEventID> OR EventId=<NoiseEventID>)"
This then excludes the noise events with the IDs specified in the query.
Sometimes you cannot add the filter because of a permission problem, and you get an access denied error.
The catch is that the account being denied is not the user you are logged on with; it is actually NETWORK SERVICE. If you check in Task Manager which user runs the AdtAdmin.exe process... surprise, it is the Network Service account. To get past the access denied error, grant the Network Service account the "SET VALUE" permission on the following registry key:
HKLM\SYSTEM\CurrentControlSet\services\AdtServer\Parameters
Now the WQL query for the filter will run fine!
You can then check the active query in the DBQueueQuery registry value.
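The whole procedure from the two sections above (granting Network Service the Set Value right, building the NOT (EventId=... OR ...) filter, applying it with AdtAdmin and reading back DBQueueQuery) fits in one script. This is an added PowerShell example, not code from the original post or from the ACS product. It assumes an elevated PowerShell session on the collector, that AdtAdmin.exe lives somewhere under System32\Security (it is located by searching rather than hard-coding the path), and that DBQueueQuery sits under the same AdtServer\Parameters key named above; the collector name and noise IDs are placeholders you supply.

```powershell
# Added example, not part of the original post. Grant NETWORK SERVICE "Set Value" on
# the AdtServer Parameters key, push a noise filter with AdtAdmin, and read back the
# active query. Assumptions: elevated PowerShell on the collector; AdtAdmin.exe is
# somewhere under System32\Security; DBQueueQuery lives under the Parameters key.
# Usage (placeholders): .\Set-AcsNoiseFilter.ps1 -Collector COLLECTOR01 -NoiseIds 1111,2222
param(
    [Parameter(Mandatory)] [string]$Collector,   # collector server name (placeholder)
    [Parameter(Mandatory)] [int[]]$NoiseIds      # IDs taken from Planning-Event_Counts
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters'

# 1. Give NETWORK SERVICE (the account AdtAdmin.exe runs under, per the post) the
#    single right it needs on the key: Set Value, nothing broader.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'NT AUTHORITY\NETWORK SERVICE',
    [System.Security.AccessControl.RegistryRights]::SetValue,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 2. Build the WQL filter exactly as the post describes: everything except the noise IDs.
$clauses = ($NoiseIds | ForEach-Object { "EventId=$_" }) -join ' OR '
$query   = "select * FROM AdtsEvent WHERE NOT ($clauses)"
"Applying filter: $query"

# 3. Locate AdtAdmin.exe and apply the query; fail loudly if the tool is missing or
#    returns a non-zero exit code (for example the access denied case from the post).
$adtAdmin = Get-ChildItem -Path "$env:SystemRoot\System32\Security" -Filter AdtAdmin.exe `
    -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $adtAdmin) { throw 'AdtAdmin.exe not found under System32\Security' }

& $adtAdmin.FullName /setquery "-collector:$Collector" "/query:$query"
if ($LASTEXITCODE -ne 0) { throw "AdtAdmin /setquery failed with exit code $LASTEXITCODE" }

# 4. Read back the active query from the DBQueueQuery value and compare it with what
#    was sent, so a silently ignored /setquery does not go unnoticed.
$active = (Get-ItemProperty -Path $keyPath -Name DBQueueQuery).DBQueueQuery
if ($active -ne $query) {
    Write-Warning "DBQueueQuery does not match the query just set:`n$active"
} else {
    'DBQueueQuery matches the filter that was applied.'
}
```

Keep the list of excluded IDs short and reviewed: every ID in the NOT clause is dropped at the collector, so anything a detection rule or a compliance report depends on must never end up in $NoiseIds, and the Planning-Event_Counts report should be re-run after the change to confirm that only the intended volume disappeared.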