How to exclude unnecessary events from being imported into database?
Description
How to exclude unnecessary events in an import policy to reduce the database size, speed up import jobs and clean-ups, and keep the database leaner.
Cause
When importing events from a repository into the Audit Database, there are events that are not commonly used for reporting purposes and are generally considered noise.
Resolution
To add EventIDs to the Import Policy's Database Filter:
1. Select the Import Policy being used for the Import Task/job.
2. Make a copy of the Import Policy.
3. Expand this new copy and select the data source that is producing the most events/noise, such as the Windows Security Log.
4. Right-click and select Properties.
5. Select the Database Filter tab.
6. Under the Filter Events section, select all currently listed filters and remove them.
7. Click Add and select Custom filter for Security Log.
8. Click OK.
9. Under Excluding filters, remove any unnecessary or duplicate filters.
10. Click Add and add the Custom filter for Security Log.
11. Select the Custom filter for Security Log and then click the Properties button.
12. Select the Matching tab, and then EventID.
13. Remove the default Number range listed.
14. Click the Add button and enter the EventIDs of the events you wish to exclude, using the EventID as both the From: and To: value.
15. Click Apply and OK, then commit the changes.
16. Now open the Properties of the Import Job(s) under the respective Workflow/Task and apply the following policy:
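The following Python script is an added illustration of what the excluding filter configured above does, written for this article and not code from the product or its vendor. It models the EventID matching rule as a list of inclusive From/To number ranges (a single-ID exclusion is a range whose From and To are the same value, as in the step above), applies it to a constructed batch of Security Log records, and also tallies events per EventID so an administrator can see which IDs dominate a data source before deciding what to exclude. The event records, IDs and the choice of which IDs to drop are constructed sample values, not recommendations.

```python
"""Illustrative model of an "excluding filter" on EventID number ranges.

Constructed example for this article; it is not the product's own code or API.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class EventIdRange:
    """One Number range entry of the EventID matching rule (From .. To, inclusive)."""
    start: int
    end: int

    def __post_init__(self):
        if self.start > self.end:
            raise ValueError(f"From ({self.start}) must not exceed To ({self.end})")

    def matches(self, event_id: int) -> bool:
        return self.start <= event_id <= self.end


def single_id_exclusions(event_ids):
    """Build one range per ID with From == To, the form the procedure describes."""
    return [EventIdRange(i, i) for i in event_ids]


def count_by_event_id(events):
    """Tally events per EventID, most frequent first, to spot noise candidates."""
    return Counter(ev["EventID"] for ev in events).most_common()


def apply_excluding_filter(events, ranges):
    """Drop every event whose EventID falls in any exclusion range.

    Returns (kept_events, dropped_count). Events matching no range pass through
    unchanged, so an excluding filter can only shrink the import, never add to it.
    """
    kept = []
    dropped = 0
    for ev in events:
        if any(r.matches(ev["EventID"]) for r in ranges):
            dropped += 1
        else:
            kept.append(ev)
    return kept, dropped


# Constructed sample batch standing in for records read from a repository.
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 4000, "Computer": "HOST-A"},
    {"Source": "Security", "EventID": 4001, "Computer": "HOST-A"},
    {"Source": "Security", "EventID": 4000, "Computer": "HOST-B"},
    {"Source": "Security", "EventID": 4002, "Computer": "HOST-B"},
    {"Source": "Security", "EventID": 4003, "Computer": "HOST-C"},
    {"Source": "Security", "EventID": 4000, "Computer": "HOST-C"},
]


def demo():
    """Run the filter over the sample batch; returns (kept_ids, dropped_count)."""
    # Constructed choice: the two most frequent IDs in the sample are treated as noise.
    exclusions = single_id_exclusions([4000, 4002])
    kept, dropped = apply_excluding_filter(SAMPLE_EVENTS, exclusions)
    return [ev["EventID"] for ev in kept], dropped


if __name__ == "__main__":
    print("events per EventID:", count_by_event_id(SAMPLE_EVENTS))
    kept_ids, dropped = demo()
    print(f"kept {len(kept_ids)} events {kept_ids}, dropped {dropped}")
```

Run the script as-is to see the per-ID tally and the reduced batch; in practice the tally step is the one to repeat on a real repository sample before committing an exclusion, since the filter removes the events permanently from the import.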