Documentation forAccess Rights Manager

Filter AD Logga events

You can filter undesired events to focus on specific and relevant entries. All filtered events are not recorded.

Filtering evens allows you to improve your overview and reduce data volume. For example, you can filter frequent attribute changes in the Microsoft Exchange server.

You can configure filters if at least one AD scan is stored in the database.

AD Logga filtering principles

The AD Logga filter is considered a blacklist filter. This means that AD Logga records all possible events. You can determine which results are excluded. By default, the filter is set to the Service-Connection-Point and Print-Queue object classes.

The filter criteria are cumulative. An event is excluded if criteria 1, criteria 2, or criteria 3 is fulfilled, or multiple criteria simultaneously.

The filter criteria do not correlate to each other. The events are evaluated by the AD Logga based upon the entered criteria. If one criteria is fulfilled, the AD Logga excludes the result independent of whether any other criteria were evaluated.

For example, If User A is configured as a filter, all changes made by the user are excluded, even if the object classes or attributes that the user made changes to are not configured as a filter. Changes that affect User A are still included.

If object class X is configured a filter, all events that include this object class explicitly will be excluded, even if the event author or changed attribute is not configured as a filter. This rule also applies to attribute filters.

Not all security log entries include affected object classes or attributes. For example, changes to group memberships will not be excluded, even if the object classes User and Group and the attribute Member are configured as filters.

Configure the event filters

  1. Start the Configuration application.

  2. Click Scans.

  3. In the Configuration window, locate the Logga - Active Directory scan configuration.

  4. In the scan configuration, click the highlighted link.

  5. In the Active Directory Logga Fllter Configuration window, choose a filter option.

Filter events related to specific users

  1. Select Event authors.

  2. Use the Filter field to locate the targeted user. You can search for a display name or CommonName

  3. Select and drag the targeted user to the Filtered out Event Authors column. You can also double-click the user name to perform the same action.

  4. Enter a comment about the change.

  5. Click Apply

Filter groups as event authors

  1. Select the Use groups as event authors checkbox.

  2. Select Group event authors.

  3. Click additional configuration.

  4. In the Filter Option for group usage as event authors window, determine which mode is used by the filter to update group memberships.

    Be sure to review the instructions in the window.

    Select Event based if the memberships in the filtered groups do not change very often.

    Select Time based to configure an update for a set amount of minutes. You can select a value between 10 minutes and 1440 minutes (or 24 hours). The shorter the interval, the higher the load on Active Directory.

  5. Enter a comment to apply your changes made to the filter settings.

  6. Click Apply.

  7. If required, click Apply in the next window.

Filter events for one or all computer accounts

  1. Select the Filter out events from all computer accounts checkbox.

  2. Select Computer event authors.

  3. Enter a comment to apply your changes made to the filter settings.

  4. Click Apply.

Filter events of specific object classes

  1. Select Object classes.

  2. By default, events relating to the two selected object classes will be filtered.

    The initial loading (and a rescan) of object classes from Active Directory may require several minutes to complete. When completed, the object classes are loaded from the data base.

  3. Click rescan to update the object classes--for example, after a schema change.

  4. Enter a comment to apply your changes made to the filter settings.

  5. Click Apply.

Filter events related to specific attributes

  1. Select Attributes.

  2. Select an attribute.

    For example, all events related to attributes that include "ms-exch" are filtered out / excluded.

  3. Enter a comment to apply your changes made to the filter settings.

  4. Click Apply.