Filter AD Logga events
You can filter out desired events in order to focus on specific and relevant entries. Filtering means that filtered events will not be recorded.
This allows you to significantly improve your overview and reduce data volume. A typical example are frequent attribute changes of the Exchange server.
You are only able to configure filters if at least one AD scan is stored in the database.
Understand the filter principles for AD Logga
The AD Logga filter is considered a blacklist filter. In this case, blacklist means: The AD Logga records all possible events. You can determine which results are excluded.
By default the filter is set to the object classes "Service-Connection-Point" and "Print-Queue".
The filter criteria work cumulatively. An event is excluded if criteria 1, or criteria 2, or criteria 3 is fulfilled, or multiple criteria simultaneously.
The filter criteria do not correlate to each other. The events are evaluated by the AD Logga consecutively based upon the entered criteria. If one of the criteria is fulfilled, the AD Logga immediately excludes the result independent of whether any other criteria have been evaluated.
- If User A is configured as a filter, then all changes made by him will be excluded, even if the object classes or attributes that he made changes to are not configured as a filter. Changes that affect User A are still included.
- If object class X is configured as a filter, then all events, that include this object class explicitly will be excluded, even if the event author or changed attribute is not configured as a filter. This also applies to attribute filters.
Not all security log entries include affected object classes or attributes. For example changes to group memberships will not be excluded, even if the object classes "User" and "Group" and the attribute "Member" are configured as filters.
Configure the event filters
Click the link.
- Filter events related to specific users.
- Use the filter to find the desired user. You can search for either display name or CommonName.
- Select the desired user and add him with drag&drop or double-click.
- You can filter groups as event authors. Activate the option.
- The filter level is shown. By moving groups into the right hand column with drag & drop, all events of users who are direct or indirect members of that group are filtered and excluded.
- Click on "additional configuration".
Determine which mode is used by the filter to update group memberships.
Please note the information in the displayed dialog.
Only use "event-based" if memberships in the filtered groups change rarely.
The update interval for the "time-based" option can be set between 10 and 1440 min (24h). The shorter the interval, the higher the load on your AD.
Filter events for selected or all computer accounts.
- Filter the events of specific object classes.
- By default events relating to the two selected object classes will be filtered.
- The initial loading (and a rescan) of object classes from AD may take some time. After that the object classes will be loaded from the data base. Click "rescan" to update the object classes, e.g. after a schema change.
Filter events related to specific attributes.
All events related to attributes that include "ms-exch" are filtered out / excluded.
You must enter a comment to apply any changes made to filter settings.