ACS Event Retention Mechanism

I get a lot of questions about how ACS event retention works. So here you go, I’m blogging it so I can just answer with a link 🙂 There are two DWORD registry values which affect backlog transmission. Both are on the collector machine under HKLM\System\CurrentControlSet\Services\AdtServer\Parameters. EventRetentionPeriod, if present, is expressed in hours (I forget…


ACS’ first bug from being too performant

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode and dnsZone objects, don’t properly get looked up. Some background: the event log in Windows prefers to log invariants such as message IDs, parameter message IDs, SIDs (security IDs which represent users and groups, etc.), and GUIDs (globally…


If you’re gonna herd bots, do it from New Zealand!

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man’s future prospects. See the story here. Well duh. The whole theory of crime and punishment is that if you do something bad, you get punished, and…


WEvtUtil Scripting

If you haven’t used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you’re missing out. The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn’t suffer from any of the drawbacks around getting field delimiting correct. The tool’s command to query…
