This solution helps you find out which computers are filling the InTrust Audit database with excessive data.
The InTrust Audit database may sometimes start to grow at a very high rate. This usually indicates repeated logon attempts or some other abnormal activity on the network.
Open SQL Server Management Studio, right-click the InTrust Audit Database object and select the 'New Query' menu option.
In the query window, type the queries below:
1. SELECT TOP 10 Computer, EventID, COUNT(EventID) AS Events FROM events GROUP BY Computer, EventID ORDER BY Events DESC
This query returns the 10 Computer/EventID combinations that generate the most events stored in the Audit database, so you see both which computer is noisy and which event type it is producing.
2. SELECT TOP 10 Computer, EventID, COUNT(EventID) AS Events FROM events WHERE DATEDIFF(d, GMT, GETDATE()) < N GROUP BY Computer, EventID ORDER BY Events DESC
This query shows the same information as Query 1, but only events from the last N days are taken into account (replace N with the number of days).
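Once the noisiest computers are known, the next question is usually when the spike started. The query below is an added example, not part of the original article: it assumes the same events table and the Computer, EventID and GMT columns used above, takes the 10 computers with the most events in the last @N days, and breaks their volume down per day and per EventID. The look-back window is written as GMT >= DATEADD(...) rather than DATEDIFF(d, GMT, ...) so that an index on GMT can be used on a large audit database.

```sql
-- Added example: daily event volume for the 10 noisiest computers.
-- Assumes table 'events' with columns Computer, EventID, GMT (event time, UTC),
-- as in the queries above. Requires SQL Server 2008 or later (date type).
DECLARE @N int = 7;                               -- look-back window in days (constructed value)
DECLARE @Since datetime = DATEADD(d, -@N, GETDATE());

WITH Noisy AS (
    -- Computers generating the most events in the window
    SELECT TOP 10 Computer
    FROM events
    WHERE GMT >= @Since                           -- sargable: lets an index on GMT be used
    GROUP BY Computer
    ORDER BY COUNT(*) DESC
)
SELECT e.Computer,
       CAST(e.GMT AS date) AS EventDay,           -- one row per computer, day and event type
       e.EventID,
       COUNT(*) AS Events
FROM events AS e
JOIN Noisy AS n ON n.Computer = e.Computer
WHERE e.GMT >= @Since
GROUP BY e.Computer, CAST(e.GMT AS date), e.EventID
ORDER BY e.Computer, EventDay, Events DESC;
```

A computer whose daily count jumps from a steady baseline to a much higher value on one day, with a single EventID dominating, is the usual signature of the abnormal activity the article describes, and the day column tells you where to start looking in the event details.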