This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RobertWengewicz
Beginner
Beginner
‎2011-10-24 08:23 AM

MS Audit Collection Services

So we are starting to collect the ACS's and worked with Microsoft to add a field to the query that discribes what the message ID is. I doing this I had to change one of the (FLD's) to a actual variable. Figuring this is all I needed to do thought this would be a quick job. Well I have come across 3 message ID's that are not in the XML - 4668, 5145 and 534 ; I have event source 20111004-165427 installed and Ver 4 sp 4 patch 3 installed. anyone else have any issues with ACS? Here is our query that we use also. select CreationTime,Id,A.EventId, [S/F], ED.EventDescription, SequenceNo,Category,CollectionTime, AgentMachine,EventMachine,Source,HeaderSid,HeaderUser,HeaderDomain,PrimarySid,PrimaryUser, PrimaryDomain,PrimaryLogonId,ClientSid,ClientUser,ClientDomain,ClientLogonId, TargetSid,TargetUser,TargetDomain,String01,String02,String03,String04,String05, String06,String07,String08,String09,String10,String11,String12,String13,String14, String15,String16,String17,String18,String19,String20,String21,String22 from AdtServer.dvAll AS A Join dtEventDescription AS ED ON A.EventId = ED.EventID WHERE CreationTime > '%TRACKING%'
0 Likes
Reply
5 Replies
RobertWengewicz
Beginner
Beginner
‎2011-11-02 11:33 AM

So nobody has seen a issue with the XML for MS ACS that it is missing Msg ID's?
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RobertWengewicz
‎2011-11-03 09:00 AM

The missing message id's will be addressed in an ESU. There is an official process in place to deal with such issues. To submit messages run the send_unknownmessages.cmd located in the bin directory and submit them through support. The messages will then be include in a monthly ESU.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RobertWengewicz
‎2011-11-03 04:11 PM

We collect ACS but I'm not all sure I follow your issue. I thought I'd reply and let you know that we got burned on a regular basis with the WHERE CreationTime > '%TRACKING% part of the query. With workstations all over the planet, we do NOT want to be at the mercy of some local machine's internal clock. I changed the tracking field to CollectionTime instead and all works well now.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-11-14 09:47 AM

Mike,

 

Thanks for the suggestion.  This change was implemented and should have been delivered in the October ESU.

 

Regards,

 

Paul

 

 

0 Likes
Reply
RobertWengewicz
Beginner
Beginner
In response to RSAAdmin
‎2012-01-09 03:49 PM

Well I just updated to the latest ESU and I still don't see the message ID from the original post plus these 517, 1102, 4732, 4733. I did do the Unknown msg and looked at the file and these are not in the Unknown messages log. Is it that these are really not required by most people and that is why they are not added?
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.