
I have searched high and low and cannot find an answer to my need. I am in the process of setting up a SIEM for our network, and I need to audit for user and machine logon/logoff events. Simple enough, except that our domain is a child domain in a forest with about 10 other domains. When I enable the necessary settings in the advanced audit policy configuration and set the appropriate entries in the SACL, we are getting events for every logon/logoff event throughout the entire AD forest.

In short, is there any way to get ONLY the logon/logoff events to machines that are members of our child domain? Any help is appreciated, thanks.
