Right now the file audit portion of ADAudit relies on SACLs and the security log of the file server which is horribly inefficient.  Opening a single file creates over 50 log entries (and they all show up in ADAudit).

 

Can you look into creating a small filter driver agent that can do event correlation so opening a file will only create one entry?