Search

Search for words used in entries on this website

Enter the words[s] to search for here:

Sponsors

ACS Event Transformation Demystified

Eric Fitzgerald: I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS.

Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector. Transformation instructions are all stored on the collector in a file called EventSchema.xml which is in the AdtServer directory (%windir%\system32\security\adtserver). This file is pointed to in the collector’s registry and is read during startup of the collector service; failure to successfully read and parse this file at startup is a fatal error for the collector (the debug log will complain about parsing).

The collector reads EventSchema.xml and builds in-memory binary tables of event transformation instructions and event string types by OS version/event log/event source.(continue at source)

Name:			Remember personal info? Yes No
Email:
URL:
Comment:		Emoticons / Textile
Before sending a comment, you have to correctly answer a simple question you know the answer to. This is a countermeasure against automated spam bots. What are the first four letters of Techlog?     ( Register your username / Log in )
Notify:		Yes, send me email when someone replies.
Hide email:		Yes, hide my email address.
Small print: All html tags except <b> and <i> will be removed from your comment. You can make links by just typing the url or mail-address.