Cindy,

If you are going to retain logs for this period of time (lucky you, we have to retain them for 7 years!), then I would suggest upping your log size (in EventVwr) to something more practical like 200mb. 2mb isn't going to keep you going for 3 years (let alone a couple of weeks).

Since you are setting to not overwrite, look into ways to archive off event logs when they reach their maximum size to ensure you don't lose event log entries.

What we have done is set them to 200mb (we generate about 100mb of logs per day per DC - 15 of them), and twice a day export a text readable version of the log for analysis (using things like DumpEL). We also have another script that compares the current size of the event log to its maximum setting size, and if it reaches > 85% of this limit, archive a binary format of the log to local disk which we then archive off to SAN / DVD-R.

The auditors won't accept a version of the logs that can be edited (i.e. the text readable version), so we need to retain both the text and binary versions of the logs. We use the text readable versions for reporting, but for the actual presenting of formal charges / disciplinary proceedings we need the binary logs.

How much you need to do would be dependent on your local auditing / policy / statutory requirements. I suggest you look into it to make sure you don't get caught out somewhere down the track. We routinely get asked to supply activity information for users over long periods (like 12-18 months); without event archiving like I described above, it's almost impossible.

Don't underestimate how much disk space archived logs can consume as well. We generate about 6-10gb of logs PER DAY (15 DCs, about 120 servers), and if we are auditing user activity (file access etc) on our main data servers, that can top 30gb PER DAY. You may need to look into long-term archiving strategies (SAN, Tape, Disk, WORM, DVD-R, CD-R) to hang onto this much information.

*rant off*

Glenn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday.
I now find my DC security log on the PDC emulator filling up twice a day. It is set to 2048 KB, do not overwrite (I have to save them for 3 years). The majority of events are Anonymous logons. Is it normal to have this quantity of Anonymous logons?

Cynthia Rittenhouse MCSE, CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
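
Added example, not part of the thread and not the poster's script: one way to implement the size check and binary archive described in the reply above, written for current Windows tooling (Get-WinEvent, wevtutil) rather than the tools named in the message. The archive path, the SHA-256 manifest, the read-only flag and the backup-then-clear step are assumptions made for this sketch.

```powershell
#Requires -RunAsAdministrator
# Added example: archive an event log in binary form once it passes a fill threshold.
param(
    [string[]]$LogNames    = @('Security'),
    [string]  $ArchiveRoot = 'D:\EventArchive',  # hypothetical local staging path
    [double]  $Threshold   = 0.85                # the 85% limit mentioned in the reply
)

# True when the log file has grown past the given fraction of its configured maximum.
function Test-LogNeedsArchive {
    param([long]$FileSize, [long]$MaximumSize, [double]$Threshold)
    if ($MaximumSize -le 0) { return $false }
    return ($FileSize / $MaximumSize) -gt $Threshold
}

New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null

foreach ($name in $LogNames) {
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    if (-not (Test-LogNeedsArchive $log.FileSize $log.MaximumSizeInBytes $Threshold)) {
        continue   # still under the threshold, nothing to do for this log
    }

    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safeName = $name -replace '[\\/]', '-'      # channel names may contain path separators
    $file     = Join-Path $ArchiveRoot ("{0}_{1}_{2}.evtx" -f $env:COMPUTERNAME, $safeName, $stamp)

    # Assumption: with "do not overwrite" set, the log has to be cleared after archiving.
    # "wevtutil cl /bu:" writes the binary backup and clears the log as one operation,
    # so no events fall into a gap between a separate export and a separate clear.
    & wevtutil.exe cl $name "/bu:$file"
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        Write-Error "Archive of '$name' failed (exit code $LASTEXITCODE)"
        continue
    }

    # Assumption: record a hash so the binary copy can later be shown to be unmodified.
    $hash = Get-FileHash -Path $file -Algorithm SHA256
    "{0}  {1}" -f $hash.Hash, $file |
        Add-Content -Path (Join-Path $ArchiveRoot 'manifest.sha256')

    # Mark the archive read-only before it is copied to long-term storage.
    Set-ItemProperty -Path $file -Name IsReadOnly -Value $true
}
```

Run from a scheduled task on each DC; the manifest file should be stored separately from the archives it describes.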
