MS Audit Collection Services

Discussion created by rwengewicz on Oct 24, 2011
Latest reply on Jan 9, 2012 by rwengewicz
So we are starting to collect the ACS's and worked with Microsoft to add a field to the query that discribes what the message ID is. I doing this I had to change one of the (FLD's) to a actual variable. Figuring this is all I needed to do thought this would be a quick job. Well I have come across 3 message ID's that are not in the XML - 4668, 5145 and 534 ; I have event source 20111004-165427 installed and Ver 4 sp 4 patch 3 installed. anyone else have any issues with ACS? Here is our query that we use also. select CreationTime,Id,A.EventId, [S/F], ED.EventDescription, SequenceNo,Category,CollectionTime, AgentMachine,EventMachine,Source,HeaderSid,HeaderUser,HeaderDomain,PrimarySid,PrimaryUser, PrimaryDomain,PrimaryLogonId,ClientSid,ClientUser,ClientDomain,ClientLogonId, TargetSid,TargetUser,TargetDomain,String01,String02,String03,String04,String05, String06,String07,String08,String09,String10,String11,String12,String13,String14, String15,String16,String17,String18,String19,String20,String21,String22 from AdtServer.dvAll AS A Join dtEventDescription AS ED ON A.EventId = ED.EventID WHERE CreationTime > '%TRACKING%'