ACS Reports - Missing EventID 4728,4729,4737
Hi All,

My ACS reports seem to be missing events for AD Security Group related changes. The noise filter configured is set to filter by category; however, Category 7 (Account Management), which the EventIDs above fall under, should not be filtered out.

AdtAdmin.exe -setquery -query:"Select * from AdtsEvent WHERE NOT ((Category = 1 OR Category = 3 OR Category = 4 OR Category = 5) OR (((Category = 2 or Category = 9) AND (Type = 8 OR ((HeaderUser like '%$%') OR (HeaderSid = 'S-1-5-18') OR (HeaderSid = 'S-1-5-19') OR (HeaderSid = 'S-1-5-20'))) ) ))"

I have confirmed that other data is present, including User Account change events, and that the ADT Collector and Forwarders are functioning fine based on the logs.

Can anyone please help me by providing some guidance on how I can troubleshoot this problem? It is imperative that my customer is able to view and audit changes to Global AD Security Groups.

Many thanks!
April 18th, 2012 10:59pm
Hi,

Do you see any of those events generated in the Domain Controllers' Security event log? The audit on this Category/SubCategory might not be configured.

Regards,
Mazen Ahmed
May 3rd, 2012 8:33am
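
The check suggested in the reply above, as an added example that is not part of the original thread: it shows the effective audit policy on a domain controller and counts events 4728, 4729 and 4737 in the local Security log. It assumes an elevated PowerShell session on an English-language DC, that these IDs are audited under the "Security Group Management" subcategory, and a 7-day look-back window chosen for illustration.

```powershell
# Added example: run elevated on each domain controller that handles group changes.
# Assumption: 4728/4729/4737 are written under the "Security Group Management"
# audit subcategory (Account Management category).

$ids  = 4728, 4729, 4737
$days = 7    # constructed look-back window; adjust to cover a known group change

# 1. Effective audit policy for the subcategory. If the setting shown is
#    "No Auditing" or "Failure", successful group changes are never logged
#    on this DC, so ACS has nothing to collect.
auditpol /get /subcategory:"Security Group Management"

# 2. Pull matching events from the local Security log.
$filter = @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-$days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 3. Per-ID summary: count and timestamp of the most recent occurrence.
foreach ($id in $ids) {
    $hits   = @($events | Where-Object { $_.Id -eq $id })
    $latest = if ($hits.Count) {
        ($hits | Sort-Object TimeCreated -Descending)[0].TimeCreated
    } else {
        'none'
    }
    '{0}: {1} event(s) in the last {2} days, most recent: {3}' -f $id, $hits.Count, $days, $latest
}

# 4. Interpretation of the result.
if ($events.Count -eq 0) {
    'No matching events locally: check the audit policy output above before looking at ACS.'
} else {
    'Events exist locally: the gap is downstream (forwarder, collector, noise filter or report).'
}
```

Make a test change to a global security group first so that at least one event should exist inside the look-back window.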