Filter AD Logga events
You can filter out selected events in order to focus on specific and relevant entries. Filtering means that filtered events will not be recorded.
This allows you to significantly improve your overview and reduce data volume. A typical example is the frequent attribute changes made by the Exchange server.
You are only able to configure filters if at least one AD scan is stored in the database.
Understand the filter principles for AD Logga
The AD Logga filter is considered a blacklist filter. In this case, blacklist means: The AD Logga records all possible events. You can determine which results are excluded.
By default the filter is set to the object classes "Service-Connection-Point" and "Print-Queue".
The filter criteria work cumulatively. An event is excluded if criterion 1, criterion 2, or criterion 3 is fulfilled, or if several criteria are fulfilled simultaneously.
The filter criteria are not correlated with each other. AD Logga evaluates each event against the entered criteria one after another. As soon as one criterion is fulfilled, AD Logga excludes the event, regardless of whether any other criteria have been evaluated.
- If User A is configured as a filter, then all changes made by that user will be excluded, even if the object classes or attributes that were changed are not configured as a filter. Changes that affect User A are still included.
- If object class X is configured as a filter, then all events that explicitly include this object class will be excluded, even if the event author or the changed attribute is not configured as a filter. This also applies to attribute filters.
Not all security log entries include the affected object classes or attributes. For example, changes to group memberships will not be excluded, even if the object classes "User" and "Group" and the attribute "Member" are configured as filters.
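The following Python sketch models the rules above so you can see what a given filter set would drop before you configure it. It is an added illustration, not AD Logga code: the event fields, account names and sample events are constructed assumptions.

```python
# Added illustration: a model of the documented filter rules, not AD Logga code.
# Field names and sample events are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Event:
    author: str                          # account that made the change
    target: str                          # object that was changed
    object_class: Optional[str] = None   # None: log entry names no object class
    attribute: Optional[str] = None      # None: log entry names no attribute

@dataclass
class Blacklist:
    authors: set = field(default_factory=set)
    # Default filter per the documentation above
    object_classes: set = field(
        default_factory=lambda: {"Service-Connection-Point", "Print-Queue"})
    attributes: set = field(default_factory=set)

    def exclusion_reason(self, ev: Event) -> Optional[str]:
        """Criteria are checked one after another; the first hit excludes."""
        if ev.author in self.authors:
            return "author"
        if ev.object_class in self.object_classes:
            return "object class"
        if ev.attribute in self.attributes:
            return "attribute"
        return None  # nothing matched: the event is recorded

# Constructed sample events
EVENTS = [
    Event("User A", "bob", "User", "telephoneNumber"),
    Event("admin2", "User A", "User", "description"),
    Event("svc-print", "HP-Floor3", "Print-Queue", "location"),
    Event("admin2", "Domain Admins"),  # membership change, no class/attribute
]

def evaluate(events, blacklist):
    """Return (target, reason) pairs; reason None means the event is recorded."""
    return [(ev.target, blacklist.exclusion_reason(ev)) for ev in events]

if __name__ == "__main__":
    bl = Blacklist(authors={"User A"}, attributes={"Member"})
    bl.object_classes.add("Group")
    for target, reason in evaluate(EVENTS, bl):
        print(f"{target:15} {'excluded by ' + reason if reason else 'recorded'}")
```

With this filter set, everything User A does is dropped from the record, while the change made to User A and the group membership change are still recorded.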
Configure the event filters