Since I have such a large deployment of DCs, I try to keep my Security
Event Logs at about 2 days' worth on the DCs, and I am evaluating a product
from Aelita called InTrust to gather the logs into a MSDE database for
evaluation.  Specifically I filter on directory modification events and
failed account events.  I plan to email reports for both to me for review.

A poor man's solution to this could be to script the Eventcomb utility to do the
same thing.  Whatever the case... I recommend copying the event logs to a
central safe place once a day.

Todd
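Todd's "copy the logs to a central safe place once a day, then filter for directory modifications and failed account events" routine, written out as an added PowerShell example (not from the thread, not Aelita's or EventComb's code). It assumes a current Windows Server (the Vista/2008+ four-digit Security event IDs; the 2003-era DCs in the thread used the older three-digit IDs), a hypothetical collector share `\\logvault\dclogs` that the DC's collector account can write to but not delete from, and placeholder mail settings.

```powershell
# Added example: nightly archive of a DC's Security log to a central share,
# plus a 24-hour report of failed account events and directory changes.
# Assumptions: \\logvault\dclogs, the mail recipient and the SMTP relay are
# placeholders; event IDs are the 2008+ Security log IDs.
param(
    [string]$Vault      = '\\logvault\dclogs',   # hypothetical central share
    [string]$MailTo     = 'secops@example.com',  # placeholder recipient
    [string]$SmtpServer = 'smtp.example.com'     # placeholder relay
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dc    = $env:COMPUTERNAME
$dest  = Join-Path $Vault "$dc-Security-$stamp.evtx"

# 1. Archive the whole live log off-box (wevtutil epl exports to .evtx).
#    A copy on a separate host survives an attacker clearing the local log.
wevtutil epl Security $dest
if ($LASTEXITCODE -ne 0) { throw "Export of Security log failed (exit $LASTEXITCODE)" }

# 2. Pull the last 24 hours of the two event classes Todd filters on.
$failedAccount = 4625, 4740                         # logon failure, account lockout
$dirChanges    = 4720, 4722, 4724, 4725, 4726, 4738, # account created/enabled/
                 4728, 4732, 4756                   # pw reset/disabled/deleted/changed,
                                                    # member added to global/local/universal group
$since = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $failedAccount + $dirChanges
    StartTime = $since
} -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id,
    @{ n = 'Category'; e = { if ($failedAccount -contains $_.Id) { 'FailedAccount' } else { 'DirectoryChange' } } },
    @{ n = 'Summary';  e = { ($_.Message -split "`r?`n")[0] } }   # first line of the message only

# 3. Write the report beside the archive; only attach it if there was anything to report.
$report = $null
if ($events) {
    $report = Join-Path $Vault "$dc-report-$stamp.csv"
    $events | Export-Csv -Path $report -NoTypeInformation
}

$mail = @{
    To         = $MailTo
    From       = "$dc@example.com"                  # placeholder sender
    Subject    = "DC audit report $dc $stamp"
    Body       = "$dc: $(@($events).Count) events since $since; full log archived at $dest"
    SmtpServer = $SmtpServer
}
if ($report) { $mail.Attachments = $report }
Send-MailMessage @mail
```

Run it once a day from Task Scheduler under an account that has only write (not delete) rights on the share, so the archive stays a safe copy even if the DC itself is compromised; 2 days of local retention is then enough, because the long-term record lives elsewhere.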

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 24, 2003 6:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How large are your security logs on your DC's?

David,

I have primarily two settings - servers internal to our environment, and
servers at risk.  A server at risk is defined as a server in the DMZ or a
DC.  By default, the internal member servers are at 50MB.  My at-risk
servers have a security log of 100MB.  And, with me not being at work right
now either, it seems that your audit settings are the same as what I'm using at
present.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, December 24, 2003 9:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How large are your security logs on your DC's?

We have auditing enabled on all our servers, with the Security log set to
5MB on member servers.  We upped that number to 25MB on DCs because the log
was filling so fast, then again to 50MB, but it's still only maintaining
about 3-4 days' worth of logs (we have it configured to prune as needed).  We
have plenty of disk space, but I know the more we track, the harder it is to
even open the log, especially remotely.  I'm curious how others have their
logs set up.

We need to be able to track when users have logged on or off and when
changes are made to policies and accounts.

The audit settings are (I'm doing this from memory; I'm not at work):

Account logon events    success/failure
Account management      success/failure
Logons                  success/failure
Object access           none
Policy changes          success/failure
Privilege use           failure
Process tracking        none
System events           success/failure

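David's audit policy and his 50MB overwrite-as-needed Security log, applied with auditpol and wevtutil as an added PowerShell example (not from the thread; on the Windows 2000/2003 DCs being discussed these settings lived in Group Policy, and the auditpol category names below are the English ones on 2008+ systems). Nothing here is the list's or any poster's own code.

```powershell
# Added example: replicate the audit settings David listed and size the
# Security log to 50 MB with overwrite-as-needed retention.
# Assumes a 2008+ system with English auditpol category names.
$policy = [ordered]@{
    'Account Logon'      = @{ success = 'enable';  failure = 'enable'  }   # Account logon events
    'Account Management' = @{ success = 'enable';  failure = 'enable'  }   # Account management
    'Logon/Logoff'       = @{ success = 'enable';  failure = 'enable'  }   # Logons
    'Object Access'      = @{ success = 'disable'; failure = 'disable' }   # Object access: none
    'Policy Change'      = @{ success = 'enable';  failure = 'enable'  }   # Policy changes
    'Privilege Use'      = @{ success = 'disable'; failure = 'enable'  }   # Privilege use: failure only
    'Detailed Tracking'  = @{ success = 'disable'; failure = 'disable' }   # Process tracking: none
    'System'             = @{ success = 'enable';  failure = 'enable'  }   # System events
}

foreach ($category in $policy.Keys) {
    $s = $policy[$category]
    # Build the arguments as an array so names with spaces/slashes reach auditpol as one argument each.
    $apArgs = '/set', "/category:$category", "/success:$($s.success)", "/failure:$($s.failure)"
    & auditpol $apArgs
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$category' (exit $LASTEXITCODE)" }
}

# Security log: 50 MB (bytes), retention false = overwrite events as needed.
wevtutil sl Security /ms:52428800 /rt:false
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed (exit $LASTEXITCODE)" }

# Show the resulting policy and log configuration for a sanity check.
auditpol /get /category:*
wevtutil gl Security
```

Two caveats a practitioner would check before trusting this list on a DC: on 2008+ systems the per-subcategory settings take precedence over the category-level ones shown here once any subcategory has been set (so verify with `auditpol /get /category:*` rather than assuming), and the directory-modification events Todd filters on come from the DS Access category, which David's list does not enable at all.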
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
