
Wednesday 8 May 2013

How To Filter ACS Noise Events From Database


As of 01/05/2017, this blog will not be updated or maintained


In SCOM 2012, the ACS (Audit Collection Services) collector service runs as 'Network Service' by default. When you set a filter, the service tries to update a registry entry under:

HKLM\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters
The string value it wants to update is 'DbQueueQuery'.

The default permissions on this registry key do not grant 'Network Service' the 'Set Value' right, so the filter cannot be saved. You will need to update the permissions on this registry key so that 'Network Service' is able to set this value.


How To Assign The Permissions:
  • On the ACS collection server, open regedit through the Run command.

  • Navigate to the following location:
HKLM\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters
  • Right-click the Parameters entry in the navigation pane and select Permissions.

  • Click Advanced, select 'Network Service' and click Edit.
  • In the 'Applies to' section, select 'This key and subkeys'. Select 'Full control' under the Basic Permissions section.

  • Apply the permissions. Double-check that the permissions have been saved.

Now we are going to apply the ACS filter to exclude all noise from the database.


How To Apply The ACS Filter:
  • Before applying the filter, run the Planning - Event Counts report from the SCOM console and determine which Event IDs are just noise collected by ACS.
  • Once you have compiled the list of Event IDs you want to exclude from the ACS database, open Command Prompt (with elevated permissions) on the collection server.
  • Navigate to C:\Windows\System32\Security\AdtServer.
  • Run the following command, inserting your noise Event IDs as necessary (replace each <NoiseEventID> with an Event ID and <CollectorServerName> with the name of your collector):
AdtAdmin -setquery -collector:<CollectorServerName> -query:"select * FROM AdtsEvent WHERE NOT (EventId=<NoiseEventID> OR EventId=<NoiseEventID> OR EventId=<NoiseEventID>)"
  • After you have applied the filter, run the Planning - Event Counts report from the SCOM console again. The noise Event IDs will still show up, but their counts will stay at the number of events already collected and will not grow. Those events will start to clear out once they pass the data retention period of the ACS database (15 days by default).
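Both procedures above, scripted in PowerShell as an added example that is not from the original post. It grants 'Network Service' only the 'Set Value' right that the post identifies as missing (rather than Full Control), verifies the ACL, then builds the AdtAdmin query from a list of noise IDs. The collector name and the event IDs 4624, 4634 and 4672 are constructed placeholders, and the -getquery switch used for verification is assumed to exist alongside -setquery.

```powershell
# Run in an elevated PowerShell session on the ACS collection server.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters'

# Resolve NETWORK SERVICE by well-known SID so the script also works on localized systems.
$Account = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)

# The post grants Full Control; the only missing right is Set Value, so grant just that.
# DbQueueQuery lives directly under Parameters, so inheritance to subkeys is not needed.
$acl  = Get-Acl -Path $KeyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account,
    [System.Security.AccessControl.RegistryRights]::SetValue,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verify the ACE actually landed before touching the filter.
$granted = (Get-Acl -Path $KeyPath).Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Account -and
    ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)
}
if (-not $granted) { throw "NETWORK SERVICE still lacks Set Value on $KeyPath" }

# Build the WHERE NOT (...) clause from the noise list so no ID is mistyped by hand.
$CollectorName = 'ACS-COLLECTOR01'      # placeholder: your collector server name
$NoiseEventIds = @(4624, 4634, 4672)    # constructed sample: take yours from the Event Counts report
$clause = ($NoiseEventIds | ForEach-Object { "EventId=$_" }) -join ' OR '
$query  = "select * FROM AdtsEvent WHERE NOT ($clause)"

$AdtAdmin = Join-Path $env:SystemRoot 'System32\Security\AdtServer\AdtAdmin.exe'
& $AdtAdmin -setquery "-collector:$CollectorName" "-query:$query"
if ($LASTEXITCODE -ne 0) { throw "AdtAdmin -setquery failed with exit code $LASTEXITCODE" }

# Read the query back so the applied filter is confirmed, not assumed.
& $AdtAdmin -getquery "-collector:$CollectorName"
```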

You can download a complete ACS Noise Filter Guide from Secure Vantage at the following link:

Hope that this post was helpful.
