I don't know that there is a 'general consensus' because everyone's
business needs differ.  My environment has around 100K users and you're
right, there's a ridiculously high volume of logon events.  We set the
security log size very high on the domain controllers, and collect and
clear the security logs several times per day using a
commercially-available "fancy log management system."  We don't allow
the security logs to roll over.  The eventlog management software gives
us an impressive battery of audit reports, and a compressed eventlog
repository that we archive for FISMA compliance.

I'm sure our uncompressed event log archive is well above 1TB per year.
But we realize about a 20:1 compression using the commercial software.

Your options may be limited by legal requirements that may govern the
audit logs of your business or organization.  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 5:32 PM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log

That may work, but it sort of falls under option b.  The logs will grow
so large that they will become unmanageable.  I did some calculations
and it works out to be about 1TB a year.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't roll over unexpectedly.

' Build a timestamped backup name such as 2006_8_30_006 (year_month_day_hourminute)
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
    "_" & Hour(Time) & Minute(Time)
strComputer = "."
' Connect to WMI on the local machine with the Backup and Security privileges enabled
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
        strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
' Back up the Security log to the archive folder, then clear the live log
For Each objLogFile in colLogFiles
    objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
        "_security.evt")
    objLogFile.ClearEventLog()
Next
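
A PowerShell equivalent of the backup-and-clear job above, added here as an example (it is not from the thread or from Derek's script): it checks the return code of BackupEventLog and confirms the file exists before clearing, since a clear that runs after a failed backup silently discards audit records. The C:\seclogs path follows the thread; the .evtx extension, the -EnableAllPrivileges flag and the Compress-Archive step are my assumptions for a current Windows version.

```powershell
# Added example, not part of the original post. Run elevated (the Backup
# privilege is required). Assumes C:\seclogs already exists.
$ArchiveDir = 'C:\seclogs'
$Stamp      = Get-Date -Format 'yyyy_MM_dd_HHmm'
$BackupPath = Join-Path $ArchiveDir "${Stamp}_security.evtx"

# Same WMI class the VBScript uses; -EnableAllPrivileges turns on SeBackupPrivilege
# and SeSecurityPrivilege for the call, which BackupEventLog/ClearEventLog need.
$log = Get-WmiObject -Class Win32_NTEventLogFile `
    -Filter "LogFileName='Security'" -EnableAllPrivileges

# 1. Back up. ReturnValue 0 means success; anything else leaves the live log untouched.
$backup = $log.BackupEventLog($BackupPath)
if ($backup.ReturnValue -ne 0) {
    throw "BackupEventLog failed with code $($backup.ReturnValue); Security log NOT cleared"
}
if (-not (Test-Path $BackupPath)) {
    throw "Backup reported success but $BackupPath is missing; Security log NOT cleared"
}

# 2. Compress the backup, and remove the raw .evtx only once the archive is on disk.
$ZipPath = "$BackupPath.zip"
Compress-Archive -Path $BackupPath -DestinationPath $ZipPath -Force
if (Test-Path $ZipPath) { Remove-Item $BackupPath }

# 3. Only now clear the live log; report (but do not hide) a failed clear.
$clear = $log.ClearEventLog()
if ($clear.ReturnValue -ne 0) {
    Write-Warning "ClearEventLog returned $($clear.ReturnValue); log still growing"
}
```

Schedule it often enough that the log cannot fill between runs, since the live log's maximum size still bounds how much can accumulate before rollover.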

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: [email protected]
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx