I am trying to apply a similar filter to something that we used with Audit Collection Services, where you filter by the event ID and the primary SID. We have a significant number of logs that come in that we don't need to archive, but are being logged due to DISA STIG requirements.
The equivalent field in Event Log Analyzer is the SecurityID. The particular SID I'm trying to filter by is the computer account, so for example ServerA$ (ELA calls this the User field). So I have been able to set up the filter to work with the EventID and the User, but not the SID (SecurityID). The problem then is that I would have to set up a filter for every single server we are capturing logs for, and would have to update and add new filters any time a new server is added.
So my question is, is there a way to include the SecurityID AND the EventID in a filter? An alternative would be to use a variable for the Hostname; can variables be used in the filter? If so could you please let me know how, as I have not had any luck so far.
Thanks
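As an added illustration of the filter logic the question describes (this is not EventLog Analyzer's own filter syntax or code, and it is not part of the original post), the block below runs two suppression rules over a handful of constructed Security-event records: a per-server list, which has to be extended every time a host is added, and a generic rule that drops an event only when the User field is the reporting host's own computer account (the "variable for the Hostname" idea, i.e. User equals Host plus a trailing `$`). The field names follow the post (EventID, User, SecurityID); the event IDs, SIDs and host names are assumptions chosen for the example.

```python
import re

# Constructed sample records (not real logs). Fields mirror the names the post
# uses for EventLog Analyzer (EventID, User, SecurityID) plus the reporting host.
SAMPLE_EVENTS = [
    {"Host": "SERVERA", "EventID": 4624, "User": "SERVERA$",
     "SecurityID": "S-1-5-21-1111-2222-3333-1105"},
    {"Host": "SERVERA", "EventID": 4624, "User": "jdoe",
     "SecurityID": "S-1-5-21-1111-2222-3333-1201"},
    {"Host": "SERVERB", "EventID": 4672, "User": "SERVERB$",
     "SecurityID": "S-1-5-21-1111-2222-3333-1106"},
    # A different server's computer account showing up on SERVERB: not "own" account.
    {"Host": "SERVERB", "EventID": 4672, "User": "SERVERA$",
     "SecurityID": "S-1-5-21-1111-2222-3333-1105"},
    {"Host": "SERVERC", "EventID": 4688, "User": "SERVERC$",
     "SecurityID": "S-1-5-21-1111-2222-3333-1107"},
]

# Hypothetical set of event IDs the asker wants to keep out of the archive.
NOISY_EVENT_IDS = {4624, 4672}

# Computer accounts end in '$'; an optional DOMAIN\ prefix is tolerated.
MACHINE_ACCOUNT = re.compile(r"^(?:[^\\]+\\)?([A-Za-z0-9-]+)\$$")


def is_machine_account(user):
    """True for any computer account (trailing '$'), regardless of which host."""
    return MACHINE_ACCOUNT.match(user) is not None


def is_own_machine_account(user, host):
    """True only when the account is the reporting host's own computer account."""
    m = MACHINE_ACCOUNT.match(user)
    return m is not None and m.group(1).upper() == host.upper()


def suppress_per_server(event, server_names):
    """One explicit entry per server: misses every host not yet on the list."""
    wanted = {name.upper() + "$" for name in server_names}
    return (event["EventID"] in NOISY_EVENT_IDS
            and event["User"].upper() in wanted)


def suppress_generic(event):
    """Event ID match AND User == <Host>$ ; no per-server maintenance needed."""
    return (event["EventID"] in NOISY_EVENT_IDS
            and is_own_machine_account(event["User"], event["Host"]))


def archive(events, rule):
    """Return the records that survive the suppression rule."""
    return [e for e in events if not rule(e)]


if __name__ == "__main__":
    for e in archive(SAMPLE_EVENTS, suppress_generic):
        print(e["Host"], e["EventID"], e["User"], e["SecurityID"])
```

With the per-server rule configured only for SERVERA, the SERVERB$ logon on SERVERB is still archived; the generic rule drops it without any list to maintain, while keeping the SERVERA$ event seen on SERVERB, since that is not SERVERB's own account.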