ACS Internals - Part 1


Comments

  • Anonymous
    January 01, 2003
    That was for 2003 at the time of release.  I am sure there are better basic filters out now.

  • Anonymous
    January 01, 2003
    Filtering is ALWAYS done on the collector - by design.  This is critical - to keep any possible tampering with a filter on the forwarder from local administrators. So to be clear - on the forwarder - no filtering.  We send ALL events in the security log. On the collector - filtering occurs, we drop events from a queue before insertion into the database.

  • Anonymous
    January 01, 2003
    I ran the adtadmin script below:
    adtadmin /setquery /collector:"myservername" /query:"SELECT * FROM AdtsEvent WHERE NOT (((EventId=528 AND String01='5') OR (EventId=576 AND (String01='SeChangeNotifyPrivilege' OR HeaderDomain='NT Authority')) OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680)))"
    Result: Error 0x000006D9 occured: There are no more endpoints available from the endpoint mapper.
    What do you suppose is wrong? Nap Agonor npagonor@up.com

  • Anonymous
    June 02, 2009
    Nap, Your ACS Collector is probably not configured correctly.  Confirm the OperationsManagerAC database is created and that your Collector is inserting data into it.  If not, rerun the ACS Setup. -teej

  • Anonymous
    November 16, 2009
    Thanks for this post. I have a question related to the ACS Filtering. When you apply a Filtering rule for ACS, where is the filtering rule getting applied, at the Forwarder level or the Collector level? Implementation of the rule: Auditing Agents (Forwarders) will get the data and at the collection server level it will discard the data according to the filtering rule, OR as soon as you apply a Filtering rule, agents (Forwarders) will get the rule and will send the data to the server according to this rule... Can you please tell me how that works?

  • Anonymous
    November 17, 2009
    Thanks for your reply. That clarifies my question. So Filtering is happening at the Collector level. Will this create any N/w Bandwidth issue if you have more than 250+ DCs, with one collector configured?

  • Anonymous
    April 02, 2010
    Secure Vantage Audit Collection Archiver Export (OperationsManagerAC) is failing again and again - what causes it?

  • Anonymous
    May 14, 2010
    Hi Kevin, Does your basic filter apply for Windows Server 2008 R2 also?  Or, is this only for Server 2003? Thanks, Tom

  • Anonymous
    January 19, 2012
    Hi Kevin, at a customer of mine there was a server with a misconfiguration, so the server sent a lot of ACS spam to the ACS collector. Now the problem is, there are about 160GB of trash in the ACS Database... Do you know, is there any way to clean all events for a specific computer or event ID? Thanks for your help, Adrian

  • Anonymous
    January 17, 2014
    Here are some more links from my private collections. These links are very useful to administrate, configure

  • Anonymous
    October 20, 2015
    Waiting for your speech on 28th about SCOM MP Authoring. Please help me below.

    Here I have installed ACS 2012 on a QA environment MG, but the challenging part is to filter all the ACS alerts and enable the event IDs based on the customer requirement. I know that AdtAdmin is the command to filter the noise. Is there any command to filter all the ACS events and enable them one by one? Please let me know. Thanks a lot.
    AdtAdmin.exe /SetQuery [/Collector:CollectorName] /Query:QuerySyntax

  • Anonymous
    October 20, 2015
    Sure - our default filter is a WHERE NOT. Just use a WHERE. Example:

    SELECT * FROM AdtsEvent WHERE (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680)
    I have not tested it, but I don't see why that won't work.

  • Anonymous
    February 24, 2017
    Thanks for this, I have modified the filter a bit as it wasn't recognizing the command in SCOM 2012 R2; the / was replaced with - e.g. /setquery vs -setquery:
    adtadmin.exe -setquery -collector:"servername" -query:"SELECT * FROM AdtsEvent WHERE NOT (((EventId=528 AND String01='5') OR (EventId=576 AND (String01='SeChangeNotifyPrivilege' OR HeaderDomain='NT Authority')) OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680)))"
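To make the filter semantics discussed in these comments concrete, here is an added example (not code from the post or from ACS) that applies the same predicate as the AdtAdmin query above to constructed sample events. It shows what the default WHERE NOT keeps versus what the plain WHERE from the earlier reply keeps; the event dictionaries and their field names mirror the query's columns and are assumptions for illustration only.

```python
# Added illustration of the collector-side ACS filter from the comments.
# Field names (EventId, String01, HeaderDomain) follow the query text;
# the events below are constructed samples, not data from any collector.

NOISE_EVENT_IDS = {538, 566, 672, 680}


def is_noise(ev: dict) -> bool:
    """The predicate inside WHERE NOT (...) of the filter query."""
    eid = ev.get("EventId")
    s1 = ev.get("String01")
    dom = ev.get("HeaderDomain")
    if eid == 528 and s1 == "5":
        return True
    if eid == 576 and (s1 == "SeChangeNotifyPrivilege" or dom == "NT Authority"):
        return True
    return eid in NOISE_EVENT_IDS


def retained_by_collector(events, mode="WHERE NOT"):
    """Events the collector would insert into the database.

    'WHERE NOT' drops matching events (the noise filter in the comments);
    'WHERE' keeps only matching events, as the later reply suggests.
    Forwarders are unaffected either way: they still send every event.
    """
    if mode == "WHERE NOT":
        return [e for e in events if not is_noise(e)]
    if mode == "WHERE":
        return [e for e in events if is_noise(e)]
    raise ValueError(f"unsupported mode: {mode}")


# Constructed sample events (assumed values, not real audit data).
SAMPLE_EVENTS = [
    {"EventId": 528, "String01": "5"},                                        # dropped
    {"EventId": 528, "String01": "2"},                                        # kept
    {"EventId": 576, "String01": "SeChangeNotifyPrivilege"},                  # dropped
    {"EventId": 576, "String01": "SeDebugPrivilege", "HeaderDomain": "CORP"}, # kept
    {"EventId": 576, "String01": "SeDebugPrivilege",
     "HeaderDomain": "NT Authority"},                                         # dropped
    {"EventId": 672},                                                         # dropped
    {"EventId": 529},                                                         # kept
    {"EventId": 4624},                                                        # kept
]


def retained_ids(mode="WHERE NOT"):
    """EventIds retained under the given mode, in input order."""
    return [e["EventId"] for e in retained_by_collector(SAMPLE_EVENTS, mode)]
```

Because filtering happens only at the collector, as the earlier reply states, changing the query changes database growth but not the volume the forwarders send.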

  • Anonymous
    February 28, 2017
    Hi Kevin, we faced some issues related to nightly maintenance tasks. Partitions are being incorrectly closed and we receive the next event every night:
    Event ID: 4620 Database partition closed: Guid: f9fd4e38_59ae_4f7d_8fef_f24e4dd7ff90 Status: 0x00000005
    The new partition is created properly but the previous partition tables are not indexed and as a result we have very poor performance while running reports, despite the fact that the event filtering query is configured properly and the database size is quite small. Also we regularly receive the next events even if there are no network issues between ACS and the SQL server:
    Event ID: 4618 Error occured on database connection: Status: 0x00040000 ODBC Error: 10054 ODBC State: 01000 Message: [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionWrite (send()). Database: SqlWriter Connection: dtPrincipal Statement: spInsertPrincipal
    Event ID: 4618 Error occured on database connection: Status: 0x0021C001 ODBC Error: 11 ODBC State: 08S01 Message: [Microsoft][ODBC SQL Server Driver][DBNETLIB]General network error. Check your network documentation. Database: SqlWriter Connection: dtPrincipal Statement: spInsertPrincipal
    Have you ever faced such kind of issues? Hope for your help and thank you a lot in advance!

  • Anonymous
    October 17, 2017
    Hello Kevin, another great source of information you've got there, thank you! We are trying to set up the Cross Platform Audit forwarding, and for some reason it doesn't work. You've mentioned that ALL the audit forwarders should be listed in AcsConfig.XML; is this valid for the ACS Cross Platform forwarding for Linux/Unix? Thanks.

  • Anonymous
    February 13, 2018
    Hi Kevin, how do I know when the DbDeletePartition SQL file is triggered by the AdtServer? Is there a log from the AdtServer where it outputs the SQL statements that have been run? We had 2 occurrences in the past where the drive got full due to the fact that the partitions were not deleted and I had to manually run the SQL queries. Cosmin