Logon/Logoff Auditing, exclude specific user?

As the title says.. Is there a way to exclude or not audit a single domain user account's logon and logoff events?

We have a web app that uses a service account to use to verify other AD accounts, well this happens hundreds of times an hour and fills the Security event log.  So I'd like to just exclude the logon and logoff events from this single user if possible.
LVL 14
Ben HartAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Renato Montenegro RusticiIT SpecialistCommented:
There's no way to do that. In your case you are auditing the event, not the users.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ben HartAuthor Commented:
Not sure I follow.. its a result of the normal Server 08 local audit policy covering logon events, or so I thought.  But I want to not log the success or failure logon events for one specific user..
Renato Montenegro RusticiIT SpecialistCommented:
But, tell me. Are you concerned about it because of the disk consumption or because it's hard to look for information in the log?

I am asking because it's possible to extract information from the event viewer in many ways. I am pretty sure we can find a way to filter the information. But if you are concerned because of the disk space, so, there's not much to do.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Renato Montenegro RusticiIT SpecialistCommented:
What I meant is that when you turn object access policy, for instance, you will assign some folders and users to the auditing configuration. In the case of logon/logoff events, you dont point users or servers, you just turn it on or off in Active Directory (this log is showing in a domain controller, right?).
Ben HartAuthor Commented:
Well honestly I guess it'd be a little of both, I just increased the log size to 50megs which I will agree is nothing, however the default 20mb log file size was eaten up by a little less than 3 hours worth of security logon events from this one particular domain account.  I realized this by filtering the current log and the time frames only going back 3.5 hours.

Since I know this particular account will generate a literal crap ton of events, I thought it'd be easier just to exclude it.
Ben HartAuthor Commented:
Yes.. on one of our two DC's.  So logon events are an 'all or nothing thing'?
Renato Montenegro RusticiIT SpecialistCommented:
Yes. That's it.
Ben HartAuthor Commented:
So how would larger environments handle large log files?
Renato Montenegro RusticiIT SpecialistCommented:
You might consolidate events to a dedicated server with enough storage.

Take a look at Event Subscription:

Setting up Subscriptions for Event Log Forwarding
Renato Montenegro RusticiIT SpecialistCommented:
1) If it's possible, you can try to change the application behavior with the software manufacturer.

2) Depending the on application behavior you might try to create an additional domain and run the application from there where you will not enable auditing.

That's what I have for now. Hope this will help you.
Ben HartAuthor Commented:
Thank you for the hint about Subscriptions.. I now get security related logs from both DC's on only one.

I might have found a snag I was hitting earlier in the filtering.

I setup a custom view,  For the Last 12 Hours; Event Level: All; By Log:Security,System,Directory Service; Keywords: Audit Failure, Audit Success.  Which returns over 100k events.  If I got back in and add a user it returns zero.

I go into the Security log itself, I found a logoff event at  5:38:14, I then find that same event in the custom filter without the user.. but if I specify that user who logged off at 5:38:14 in the custom view it returns zero.  Not sure where I'm going wrong here.
Ben HartAuthor Commented:
In an effort to actually accomplish this.. I stumbled across some dudes blog (http://www.jaminquimby.com/index.php/microsoft-windows-2008/129-windows-event-viewer-custom-xml-filter)

I'm starting to think a custom XML query might work.. however XML's workings are lost on me so far.
Ben HartAuthor Commented:
Apparently this is an overly difficult thing to accomplish so I'll post what I've found.

  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0 or Level=5) 
                and (EventID=4624) 

Open in new window

Ben HartAuthor Commented:
rmrustice answered my question.. however I'm accepting mine and his because part of the issue was wading thru the event logs and NOT seeing the one user I wanted to exclude.  While there is no way apparently to stop Audit logs from Auditing one individual user, I can exclude that user from appearing in the event logs.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Analysis

From novice to tech pro — start learning today.