Restricting Audit Events
You can configure auditing to restrict events that are audited based on the following criteria:
You can select which events to audit.
You can include or exclude events by user name. For included users, only events initiated by the named users are audited. For excluded users, only events initiated by users other that the named users are audited.
You can include or exclude events by role. For included roles, only events initiated by users with the included roles are audited. For excluded roles, only events initiated by users who do not have the excluded roles are audited.
You can include or exclude events by outcome of event (success/failure/both).
You can include or exclude events by document URI. Documents URIs are audited if any fragment from that document is loaded into memory, and that audit event is written to the audit log on the host in which the forest that contains the document resides.
For the procedure to set up auditing, see Configuring Auditing to Audit Certain Events and Set Up Certain Restrictions.