Microsoft Windows events advanced settings

You can use the following advanced settings to fine-tune Microsoft Windows events sources.

Parameter | Default value | Description
Identifier Override | hostname/IP | You can override the device identifier for this source.
Tuning Profile
  • Automatic Tuning: Determines how to poll for events automatically and adjusts itself over time.
  • Low Event Rate: Less than 1 event per minute, poll every 10 minutes, 100 events at a time.
  • Medium Event Rate: Less than 10 events per second, poll every 30 seconds, 200 events at a time.
  • High Event Rate: Less than 500 events per second, poll every 3 seconds, 2000 events at a time.
  • Max Event Rate: More than 500 events per second, poll continuously, 5000 events at a time.
  • Manual Tuning: Manually set the polling interval, events per pass, and batch size.
Manual Tuning
  • Polling Interval: The length of time (milliseconds) between polls.
  • Events per pass: Maximum events to collect at each polling interval.
  • Events per batch: Number of events to fetch per call to the source.
Event Levels
  • Critical: Include Critical events (level 1)
  • Error: Include Error events (level 2)
  • Warning: Include Warning events (level 3)
  • Information: Include Information events (level 4)
  • Verbose: Include Verbose events (level 5)
  • Always: Include Always logged events (level 0)
Keywords
  • Audit Failure: Include keyword 0x10 0000 0000 0000 only for security events
  • Audit Success: Include keyword 0x20 0000 0000 0000 only for security events
  • Response Time: Include keyword 0x01 0000 0000 0000
  • Classic: Include keyword 0x80 0000 0000 0000 for events raised by using the RaiseEvent
SID Translation | Enabled
Active Directory (AD) lookup | Not enabled

Turn the conversion of GUIDs into text on or off.

The lookup is performed by using the AD domain controller name if provided. If the AD domain controller name is not provided, it searches for a domain controller by using the AD DNS domain name. In either case, the credentials of the source device that is queried are used to access the domain controller. If neither parameter is provided, the local machine is used to perform the lookup with no credentials.

AD DNS domain name    
AD domain controller name
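
The level numbers and keyword masks listed under Event Levels and Keywords combine into an event filter like the one sketched here. This is an added example, not code from the product or from the original page: it uses the standard Windows Event Log XPath form, assumes the level and keyword selections are ANDed, and runs against constructed sample events.

```python
# Added example: values are taken from the Event Levels and Keywords lists.
LEVELS = {"Always": 0, "Critical": 1, "Error": 2, "Warning": 3,
          "Information": 4, "Verbose": 5}
KEYWORDS = {
    "Audit Failure": 0x10000000000000,
    "Audit Success": 0x20000000000000,
    "Response Time": 0x01000000000000,
    "Classic":       0x80000000000000,
}

def keyword_mask(names):
    """OR the selected keyword bits into one 64-bit mask."""
    mask = 0
    for name in names:
        mask |= KEYWORDS[name]
    return mask

def build_xpath(levels, keywords):
    """Build an Event Log XPath filter; band() takes the mask in decimal."""
    clauses = []
    if levels:
        nums = sorted(LEVELS[n] for n in levels)
        clauses.append("(" + " or ".join(f"Level={n}" for n in nums) + ")")
    if keywords:
        clauses.append(f"band(Keywords,{keyword_mask(keywords)})")
    return "*[System[" + " and ".join(clauses) + "]]" if clauses else "*"

def matches(event, levels, keywords):
    """Assumed semantics: level AND keyword selections must both match."""
    level_ok = not levels or event["level"] in {LEVELS[n] for n in levels}
    kw_ok = not keywords or bool(event["keywords"] & keyword_mask(keywords))
    return level_ok and kw_ok

# Constructed sample events (not captured from a real host).
LOGON_OK = {"id": 4624, "level": 0, "keywords": 0x8020000000000000}
LOGON_FAIL = {"id": 4625, "level": 0, "keywords": 0x8010000000000000}
APP_ERROR = {"id": 1000, "level": 2, "keywords": 0x80000000000000}

if __name__ == "__main__":
    print(build_xpath(["Always"], ["Audit Failure", "Audit Success"]))
    for ev in (LOGON_OK, LOGON_FAIL, APP_ERROR):
        print(ev["id"], matches(ev, ["Critical", "Error"], ["Audit Failure"]))
```

Windows security audit events are logged at level 0, so under this AND assumption a level selection that leaves out Always drops them even when Audit Failure or Audit Success is selected.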