We have a slight problem with our AD events. We want to get EventCode
5136-5138 for events that affect only certain object classes. Taking all
these events in gives us about 10 times the EPS we would get if we managed
to limit to just those classes. As far as I know about the Win32_NTLogEvent
class used in querying AD for event data, the Class attribute is in the
InsertionStrings string array. Is there a way to query these values when
asking for events from AD? Any idea of what the syntax for such a query
would be on the Sentinel Event source?

I would prefer to handle this in the query itself instead of the
collector if possible, mostly for the EPS limits we have.

We are using a Windows Event (WMI) connector version 2011.1r2.

