Run from a command prompt as Administrator. This will filter out a large set of low-value events. A typical large environment will see around 10,000,000 event 5156 entries a day (from 7 Windows Server 2008 R2 domain controllers) if the Base Filtering Engine service is enabled.
adtadmin /setquery /collector:"Collector Name" /query:"SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680) OR (EventId>=541 AND EventId<=547))"
Also…
SELECT * FROM AdtsEvent WHERE NOT (EventId=5156 OR EventId=5145 OR EventId=4768 OR EventId=4624 OR EventId=4634 OR EventId=4769 OR EventId=4656 OR EventId=4776 OR EventId=5158 OR EventId=4658 OR EventId=5140 OR EventId=4661 OR EventId=4672)
NOTE: you must apply the registry permission change described below BEFORE running the ACS query, or the filter will not be saved.
The service is configured to run as ‘Network Service’. When trying to set a filter, the service tries to update a registry entry:
HKLM\SYSTEM\CurrentControlSet\services\AdtServer\Parameters
The string that it wants to update is ‘DbQueueQuery’.
The default permissions on this registry key do not grant 'Set Value'. You will need to update the permissions on this key to allow 'Network Service' to set this registry value.
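The steps above (grant Network Service 'Set Value' on the AdtServer Parameters key, then push the filter with adtadmin) as one PowerShell script. This is an added example, not part of the original post; the collector name is a placeholder, and it assumes adtadmin is on the PATH and that the service writes the submitted query back to DbQueueQuery as the post describes.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\services\AdtServer\Parameters'
$collector = 'COLLECTOR_NAME_PLACEHOLDER'   # placeholder: your ACS collector name

# The noise filter from the post, with the high-volume event IDs excluded.
$query = "SELECT * FROM AdtsEvent WHERE NOT (EventId=5156 OR EventId=5145 OR EventId=4768 OR EventId=4624 OR EventId=4634 OR EventId=4769 OR EventId=4656 OR EventId=4776 OR EventId=5158 OR EventId=4658 OR EventId=5140 OR EventId=4661 OR EventId=4672)"

# 1. Grant NETWORK SERVICE only the rights needed to read and set values on this
#    one key (no inheritance, no subkey creation); existing ACEs are kept.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'NT AUTHORITY\NETWORK SERVICE',
    [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 2. Apply the filter; this is the post's adtadmin command, parameterised.
& adtadmin /setquery "/collector:$collector" "/query:$query"
if ($LASTEXITCODE -ne 0) { throw "adtadmin /setquery failed with exit code $LASTEXITCODE" }

# 3. Confirm the service persisted the query. If DbQueueQuery is missing or stale,
#    the ACL change did not take effect for the account the service runs as.
$stored = (Get-ItemProperty -Path $keyPath -Name DbQueueQuery -ErrorAction SilentlyContinue).DbQueueQuery
if ([string]::IsNullOrEmpty($stored)) {
    Write-Warning 'DbQueueQuery was not written; re-check the Network Service permissions on the key'
} else {
    Write-Host "Stored DbQueueQuery:`n$stored"
}
```

Remove the extra ACE again once the filter is in place if your hardening baseline requires the default key permissions.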
Along with 556 you might want to exclude 4662 as well if you had your Domain Controllers set to audit AD Access. I reduced my ACS collection from 15K events per second to 1.5-2K with those 2 events. I finally disabled the auditing in a GPO to resolve it for good.
Wow, I need to spell check more. I guess that is what happens when you are tired and post on forums :)