security log size on PDC problem

Discussion in 'Server Security' started by Juergen N., Jan 7, 2010.

  1. Juergen N.

    Juergen N. Guest

    Hi,

    in our company we have to audit all logon/logoff events. On the primary
    domain controller (Windows 2003 R2 SP2 32Bit) we have the problem that
    logging stops when the log file size exceeds a size about 330MB. The limit
    is set to 1GB, but I think the problem occurs because of the memory-mapped file
    limit (see
    http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx).
    I noticed that in one day the log file is full with over 1 million events.
    Almost all of them aren't logon/logoff events, but system events like
    Kerberos authentication.

    So, my question: how can I stop logging those system events and log only
    logon/logoff events (528/551)? Or maybe can I handle this with other
    third-party tools?


    thanks in advance for any suggestions,

    Juergen
     
    Juergen N., Jan 7, 2010
    #1

  2. Hello Juergen N.,

    You can check the auditing GPO and redefine your logging. You cannot filter
    the event IDs for logging like you describe. What maybe is an option, we
    use this also, is to save and clear the security log file once a day with
    a script. After our 5 year policy the old logfiles can be archived. This
    way the security log is not growing that much, I think, and you also have
    an overview if you need to search for the logon events of a special day.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jan 7, 2010
    #2

  3. Juergen N.

    Juergen N. Guest

    Hello Meinolf Weber,

    thanks for your response. I've only set the "Audit logon events" (Success,
    Failure) for Domain Controllers, but the log-file size still grows very
    quickly.
    Do you have a link or a sample script for how I can copy and delete the log
    file?

    best regards,

    Juergen N.
     
    Juergen N., Jan 7, 2010
    #3
  4. Hello Juergen N.,

    Here is the script content we use with a scheduled task:
    ---------------------------------------------------------------------------------
    ' The account that runs the scheduled task needs these user rights assignments:
    ' backup files and directories, log on as a batch job, generate security audits,
    ' manage auditing and security log
    ' Save this file as .vbs

    ' Date prefix for the backup file name, e.g. 2010-01-07-
    strDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" & Right("0" & Day(Now),2) & "-"
    strComputer = "."
    ' Connect to WMI with the Backup and Security privileges enabled
    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup,Security)}!\\" & _
    strComputer & "\root\cimv2")
    Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")
    For Each objLogfile in colLogFiles
    ' Back up the Security log to a dated .evt file; clear it only if the backup succeeded
    errBackupLog = objLogFile.BackupEventLog("d:\SecurityLog\"& strDate &"security.evt")
    If errBackupLog <> 0 Then
    Wscript.Echo "The Security event log could not be backed up."
    Else
    objLogFile.ClearEventLog()
    End If
    Next
    ---------------------------------------------------------------------------------

    You have to modify the folder location for your needs ("d:\SecurityLog\"&
    strDate &"security.evt").

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jan 7, 2010
    #4
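    Since the audit policy cannot be narrowed to individual event IDs, a companion step that can run from the same scheduled task before the log is cleared: pull only the 528/551 logon/logoff records into a dated CSV so the daily search does not need the full .evt. This is an added example, not Meinolf's script; the output folder, file name and the ".\root\cimv2" local connection are assumptions.

```vbscript
' Added example: export only logon/logoff events (528 = successful logon,
' 551 = user-initiated logoff) from the Security log to a CSV file.
' Run it before the Security log is cleared. Output path is an assumption.
Option Explicit
Dim strDate, strOut, objFSO, objFile, objWMI, colEvents, objEvent

strDate = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2)
strOut = "d:\SecurityLog\" & strDate & "-logon-logoff.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(strOut, True)
objFile.WriteLine "TimeGenerated,EventCode,User,RecordNumber"

' Reading the Security log requires the Security privilege on the WMI connection
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
' Let the WMI provider do the filtering instead of walking every record in script
Set colEvents = objWMI.ExecQuery( _
    "SELECT TimeGenerated, EventCode, User, RecordNumber FROM Win32_NTLogEvent " & _
    "WHERE Logfile = 'Security' AND (EventCode = 528 OR EventCode = 551)")

For Each objEvent In colEvents
    objFile.WriteLine Quote(WmiDate(objEvent.TimeGenerated)) & "," & _
        objEvent.EventCode & "," & Quote(objEvent.User) & "," & objEvent.RecordNumber
Next
objFile.Close

' Convert a WMI datetime (yyyymmddHHMMSS.ffffff+zzz) to yyyy-mm-dd HH:MM:SS
Function WmiDate(s)
    WmiDate = Left(s, 4) & "-" & Mid(s, 5, 2) & "-" & Mid(s, 7, 2) & " " & _
        Mid(s, 9, 2) & ":" & Mid(s, 11, 2) & ":" & Mid(s, 13, 2)
End Function

' Wrap a value in double quotes for CSV, doubling embedded quotes; Null becomes ""
Function Quote(v)
    Quote = """" & Replace(v & "", """", """""") & """"
End Function
```

    The RecordNumber column lets a row be traced back to the full record in the backed-up .evt file, which remains the audit evidence; the CSV is only an index.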
  5. Juergen N.

    Juergen N. Guest

    Hello Meinolf,

    thanks a lot for the script, I'll try it tomorrow.

    best regards,

    Juergen N.
     
    Juergen N., Jan 7, 2010
    #5
  6. kj [SBS MVP]

    kj [SBS MVP] Guest

    Why not just enable log file archiving and not lose any entries or have
    logging stop at all?

    http://www.petri.co.il/event_logs_archiving_with_gpo.htm
     
    kj [SBS MVP], Jan 7, 2010
    #6
  7. Juergen N.

    Juergen N. Guest

    Juergen N., Jan 8, 2010
    #7
