Details of how event log scavenging works.
How Event Log Scavenging works:
The CA agent uses API calls to read the live event log entries.
Each event is read individually and scanned for particular event IDs.
These event IDs are scanned for:
528 // Successful local logon. Policy: Audit Logon Events (Success)
540 // Successful network logon. Policy: Audit Logon Events (Success)
627 // Password change attempt. Policy: Audit Account Management (Failure)
628 // Password changed. Policy: Audit account Management (Failure)
644 // Account lockout (3.1). Policy: Audit account Management (Success)
4738 // W2K8 event for 628
4624 // W2K8 event for 528, 540
4740 // W2K8 event for 644
675 // Bad password (3.1). Policy: Audit account Logon (Failure)
4625 // W2K8 event for 675
If the event ID does not match one of the above IDs it is immediately discarded.
If the event ID does match, the event is further scanned for other Event information such as user, source, etc.
Then the valid event viewer event is formed into a CA event and processed by the agent like other events.
Enabling event log scavenging does increase the processor and memory on each agent. Also, if the event logs are gathering over 20 events per second, there may be an event loss. This is due to the fact that the agent cannot keep up with reading the log.