

Create a Windows Event 560 Suppression Rule

Enabling object access auditing on a Windows server creates a significant volume of event traffic, some of which you may wish to eliminate. For example, Windows generates two events each time an administrator opens the Microsoft Management Console (mmc.exe). These events have ID values of 560 and 562.

In this example, you create a new rule that suppresses Windows events with an event_id of 560. Completing the following procedure produces a suppression rule you can use in your own environment and, at the same time, demonstrates how to use the wizard.

To get started with this example, you must log in to a CA User Activity Reporting Module server as a user with the Administrative role and privileges. You cannot create or edit suppression rules while logged in as the EiamAdmin user.

To create a suppression rule for Windows 560 events

  1. Open the suppression rule wizard.
  2. Type "Windows Event 560 Suppression" in the name entry field, and add the description, "This rule suppresses Windows Event 560 since the OS also creates Event 562 for the same type of resource access. Its retention is not needed for demonstrating compliance."
  3. Advance to the Filtering step and select the following simple filters:
    1. Ideal Model value, Operating System.
    2. Event Category value, Resource Access.
    3. Event Class value, Resource Open.
    4. Event Action value, Resource Activity.
  4. Click the Advanced Filters tab, and the New Event Filter button.

    A new filter line appears in the table. You can click a value or the empty space in each table cell to select or enter a new value.

    The Logic operator field defaults to the value, AND. If you have several different types of events that you want to suppress, you can enter their event IDs on new lines that use the OR logical operator.

  5. Set the advanced field filter values:
    1. Click the value in the Column field and select the field, event_id.
    2. Click the Operator field and select Equal To.
    3. Click the Value field and enter the value, 560.
  6. Click Save and Close.

    The wizard automatically creates a User folder to contain your suppression rules. You can see this folder by expanding the Suppression Rules folder.
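As an added illustration (not code from the product or this documentation), the following Python models how the rule built above evaluates: every simple filter must match, and the advanced filter rows are combined left to right using each row's AND/OR logic operator. The field names and the sample 560/562 event pair are assumptions constructed for the example.

```python
# Added illustration, not product code: models how the wizard combines the simple
# filters (all must match) with the advanced filter rows (AND/OR, left to right).
# Field names and the sample events below are constructed for this example.

SIMPLE_FILTERS = {
    "ideal_model": "Operating System",
    "event_category": "Resource Access",
    "event_class": "Resource Open",
    "event_action": "Resource Activity",
}

# Advanced rows as entered in the wizard: (logic operator, column, operator, value).
# The first row has nothing to its left, so its logic operator is ignored.
RULE_560 = [("AND", "event_id", "Equal To", 560)]
# The same rule with a second line, as the text suggests for several event IDs.
RULE_560_OR_562 = RULE_560 + [("OR", "event_id", "Equal To", 562)]


def advanced_match(event, rows):
    """Evaluate advanced filter rows in order using each row's logic operator."""
    result = None
    for logic, column, operator, value in rows:
        if operator != "Equal To":
            raise ValueError(f"operator {operator!r} not modelled here")
        hit = event.get(column) == value
        if result is None:
            result = hit
        elif logic == "AND":
            result = result and hit
        elif logic == "OR":
            result = result or hit
        else:
            raise ValueError(f"unknown logic operator {logic!r}")
    return bool(result)


def is_suppressed(event, rows=RULE_560, simple=SIMPLE_FILTERS):
    """Suppressed only when every simple filter and the advanced filter match."""
    if any(event.get(col) != val for col, val in simple.items()):
        return False
    return advanced_match(event, rows)


def retained(events, rows=RULE_560):
    """Return the events that survive the rule, i.e. what would be stored."""
    return [e for e in events if not is_suppressed(e, rows)]


def sample_events():
    """Constructed 560/562 pair from one mmc.exe open, parsed into the same buckets."""
    common = dict(SIMPLE_FILTERS, process="mmc.exe")
    return [dict(common, event_id=560), dict(common, event_id=562)]
```

With the rule as written in the procedure only the 560 event is dropped and 562 is kept; a second OR row for 562 would drop both.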