Audit Log Archiving Policy

Audit Log Archiving Policy definitions are convenient filters for archived Windows Security Logs only

These definitions should not be modified unless absolutely necessary

These definitions help reduce data bloat from the unnecessary records that Windows generates

These filters prevent Event Logs matching the criteria from being parsed and archived into the database

The Audit Log Archiving Policy definitions are applied automatically, based on the type of server that is being archived

Policy Criteria To Filter Windows Security Event Log

This section allows customers to define the filters to apply

Multiple filters use an implicit AND operation unless the OR operator is added

If multiple filters are specified, each filter must be wrapped within brackets

Policy Logic If Event Satisfies The Criteria

This defines whether events satisfying the filters should be EXCLUDED from or INCLUDED in the archive

Apply Policy To Windows Machines Of Role

As previously mentioned, these policies are automatically applied whenever a Security Log is archived from a remote machine, whether it is a Domain Controller, server, or workstation

This section allows customers to apply the policy based on the role

For example, Domain Controllers may have stricter filters than member servers
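The following Python model, added here as an illustration and not part of the product or its documentation, shows how the three policy parts described above fit together: bracketed filters combined by implicit AND or an explicit OR, an EXCLUDE/INCLUDE decision, and application by machine role. The filter grammar `(Field=Value)`, the AND-over-OR precedence, the treatment of INCLUDE as an allow-list, the role names and the sample policies are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed grammar (not the product's documented syntax): each filter is "(Field=Value)",
# adjacent filters are ANDed implicitly, OR joins alternatives, and AND binds tighter than OR.
TOKEN = re.compile(r"\(\s*(\w+)\s*=\s*([^)]*?)\s*\)|\b(OR)\b")

def parse_criteria(text):
    """Return OR-clauses, each a list of (field, value) filters that are ANDed."""
    if TOKEN.sub("", text).strip():
        raise ValueError("criteria must consist only of bracketed filters and OR")
    clauses, current = [], []
    for m in TOKEN.finditer(text):
        if m.group(3):                       # explicit OR closes the current AND-clause
            if not current:
                raise ValueError("OR must follow a bracketed filter")
            clauses.append(current)
            current = []
        else:
            current.append((m.group(1), m.group(2)))
    if not current:
        raise ValueError("criteria must end with a bracketed filter")
    clauses.append(current)
    return clauses

def matches(clauses, event):
    # An event satisfies the criteria if every filter of at least one clause holds.
    return any(all(str(event.get(f)) == v for f, v in clause) for clause in clauses)

@dataclass
class Policy:
    criteria: str
    logic: str                    # "EXCLUDE" drops matching events, "INCLUDE" keeps only them
    roles: set = field(default_factory=set)   # machine roles the policy is applied to

def should_archive(event, role, policies):
    """Decide whether a Security Log event from a machine of `role` is parsed and archived."""
    applicable = [p for p in policies if role in p.roles]
    for p in applicable:
        if p.logic == "EXCLUDE" and matches(parse_criteria(p.criteria), event):
            return False
    includes = [p for p in applicable if p.logic == "INCLUDE"]
    if includes:                             # assumed: INCLUDE policies act as an allow-list
        return any(matches(parse_criteria(p.criteria), event) for p in includes)
    return True

# Constructed sample policies: drop logoff noise on non-DCs, and network logons on workstations
SAMPLE_POLICIES = [
    Policy("(EventID=4634) OR (EventID=4647)", "EXCLUDE", {"Workstation", "Server"}),
    Policy("(EventID=4624) (LogonType=3)", "EXCLUDE", {"Workstation"}),
]
```

With these sample policies a logoff event (4634) from a workstation or member server is dropped, while the same event from a Domain Controller is still archived because no policy targets that role.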