I want to search to understand which Event IDs we have on our DC servers. However, I don’t have a list of servers, and as you know, event sources are indexed under different event source categories based on the type of logs sent. What is the best practice to achieve this?
If you enable the send Unparsed Data option for your WMI-based Active Directory Event Sources, then the entire Security log is collected from the DC. Every record from the Security log is written to the Raw Log logset, as well as the events which we typically parse into AD Admin Activity, Asset Authentication and Host to IP Observations.
From the Raw log you should be able to find any event_code being logged to the security log, and you could groupby the computer name and event codes to see what event codes are coming from which DCs.
David