Disabling or removing extra description text in Windows 2008 event logs?

We're testing this SEDCMD configuration and it seems to work well for truncating the message text for event IDs 4624, 4634, and a few others which are the high-volume events in an Active Directory environment:

# Install on Splunk indexer in $SPLUNK_HOME/etc/system/local/props.conf
[source::WinEventLog:Security]
SEDCMD-win = s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g

Strictly speaking the trailing "g" probably isn't necessary. We did run into one problem which is that agents must be configured as light forwarders for the parsing to happen at the indexer. This would need to be deployed to non-lightweight forwarders as well, I believe. Since we deployed this only two days ago and had to upgrade a bunch of agents in the process, I'm still in waiting mode to see what volume reduction this generates.

-- James

My research and testing suggests that this feature cannot be turned off. Fortunately it appears only a limited number of events have this verbose text added to them, at least at this time. 13 events in total:

4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
4616: The system time was changed.
4618: A monitored security event pattern has occurred
4624: An account was successfully logged on
4625: An account failed to log on
4634: An account was logged off
4647: User initiated logoff
4648: A logon was attempted using explicit credentials
4769: A Kerberos service ticket was requested
4778: A session was reconnected to a Window Station
4779: A session was disconnected from a Window Station
4780: The ACL was set on accounts which are members of administrators groups
4908: Special Groups Logon table modified

Out of these, only 4624, 4625, 4634, 4647, 4648, 4769 and possibly 4778 and 4779 are common enough to worry about stripping the description text. Based on this limited number of event IDs it might be best to just use transforms or sedcmd...

Simple fix for removing the repeating detailed description from the message field but leave details:

in props.conf

# message shortener for windows event security
# removes text from message field starting with: This event is generated

[WinEventLog:Security]
TRANSFORM-windows_events = win_event_shortener

in transforms.conf

[win_event_shortener]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated)
FORMAT = $1

We haven't migrated to 2k8 yet, so I haven't had the pleasure of indexing 2k8 logs, but looking at group policy documentation for 2k8 R2 the following sticks out:

Machine, wdi.admx, Diagnostics: Configure scenario execution level.

Determines the execution level for Diagnostic Policy Service (DPS) scenarios.\n\n\nIf you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. [...] The DPS can be configured with the Services snap-in to the Microsoft Management Console.

What execution level do you have the Diagnostic Policy Service (DPS) set for? Could it be that it's configured for detection and troubleshooting, and causes it to log the extra data?

[edit] FYI 2k8 r2 group policies: http://www.microsoft.com/downloads/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en

For the record, I am noting the obvious Splunk-based solution would be to use SEDCMD or a TRANSFORM to just delete it from the incoming data.