>I can say that I have seen logs way bigger than the specified max size.
That's probably due to the little bug in the Policy setting vs actual size, I don't have the reference with me but it's back at the office, I had to figure it out because my DC logs' actual sizes weren't matching what was in the Domain Controller GPO.

Anyway, the point I mentioned the other day and that Mark later reiterated was the practical limit of ~300MB, or risk of introducing problems with services.exe, lsass, the audit subsystem etc on a DC. Are you saying you have seen the aggregate size of the eventlogs go over that? I found out about the instability the hard way and then once I knew what to look for the references became apparent.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, August 31, 2006 9:15 AM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I can say that I have seen logs way bigger than the specified max size. I can't say it's hurt the servers in any way.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: Glenn Corbett
Sent: Thu 8/31/2006 2:53 AM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log

Interesting. from the article:

"Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up."

since the last update was Mar 28 2003, I wonder how this applies to Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only be fixed in Longhorn.
Glenn
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: [email protected]; [email protected]
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs - plus the Directory Service, File Replication Service, and DNS Server logs - should not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

Mark
________________________________
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
Date: Wed, 30 Aug 2006 20:07:29 -0700
To: [email protected]
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only having half the story... is only half the story.... Buy bigger harddrives and archive.

Sitton Glen E wrote:
> I don't know that there is a 'general consensus' because everyone's
> business needs differ. My environment has around 100K users and you're
> right, there's a ridiculously high volume of logon events.
> We set the
> security log size very high on the domain controllers, and collect and
> clear the security logs several times per day using a
> commercially-available "fancy log management system." We don't allow
> the security logs to rollover. The eventlog management software gives
> us an impressive battery of audit reports, and a compressed eventlog
> repository that we archive for FISMA compliance.
>
> I'm sure our uncompressed event log archive is well above 1TB per year.
> But we realize about a 20:1 compression using the commercial software.
>
> Your options may be limited by legal requirements that may govern the
> audit logs of your business or organization.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 5:32 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> That may work, but it sort of falls under option b. The logs will grow
> so large that they will become unmanageable. I did some calculations
> and it works out to be about 1TB a year.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
> Sent: Wednesday, August 30, 2006 3:06 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> I have a pretty small site, and this probably won't scale very well, but
> I have a script scheduled to run every day at midnight that backs up the
> security log to a compressed folder & clears it. I have the log size set
> ridiculously high, so it doesn't rollover unexpectedly.
>
> ' Build the backup file name: year_month_day_hourminute (not zero-padded)
> dtmThisDay = Day(Date)
> dtmThisMonth = Month(Date)
> dtmThisYear = Year(Date)
> strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
>     "_" & Hour(Time) & Minute(Time)
> strComputer = "."
> ' The Backup and Security privileges are needed to save and clear the Security log
> Set objWMIService = GetObject("winmgmts:" _
>     & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
>     strComputer & "\root\cimv2")
> Set colLogFiles = objWMIService.ExecQuery _
>     ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
> For Each objLogfile in colLogFiles
>     ' BackupEventLog returns 0 on success; clear only then, so a failed
>     ' backup does not discard the events
>     errBackupLog = objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
>         "_security.evt")
>     If errBackupLog = 0 Then
>         objLogFile.ClearEventLog()
>     End If
> Next
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 3:10 PM
> To: [email protected]
> Subject: [ActiveDir] Logging successful logons in AD security log
>
> What is the general consensus on logging successful logon events?
>
> For example if you have a domain with 100K users or so and you use AD as
> your primary authentication service for: application, file, email, and
> web access then it is plausible that you will end up with up to 100 log
> entries per second. That kind of volume will no doubt cause the logs to
> roll over frequently thus making them somewhat useless.
>
> The only alternatives I see are:
>
> a) Don't log success logon.
> b) Set your event log size to a very large (and possibly unmanageable)
> size.
> c) Invest in a fancy log management system that will collect, index, and
> retain all of your logs.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
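
An added example, not part of any message in this thread: a PowerShell check of the classic event logs against the 300 MB combined figure quoted from Microsoft above, which also flags any log whose file has grown past its configured maximum. It reads the same Win32_NTEventLogFile WMI class as the backup script in the thread and assumes PowerShell 3.0 or later, run elevated on the server being checked; the variable names are illustrative.

```powershell
# Combined-size figure quoted in the thread.
$limitBytes = 300MB

# Logs counted on a domain controller; the last three are absent on
# member servers, so the filter below simply skips them there.
$logNames = 'Application', 'Security', 'System',
            'Directory Service', 'File Replication Service', 'DNS Server'

$logs = Get-CimInstance -ClassName Win32_NTEventLogFile |
    Where-Object { $logNames -contains $_.LogfileName }

if (-not $logs) {
    throw 'No classic event logs returned; run from an elevated session.'
}

# Per-log view: configured maximum, size on disk, and whether the file
# is already larger than the configured maximum.
$report = foreach ($log in $logs) {
    [pscustomobject]@{
        Log       = $log.LogfileName
        MaxMB     = [math]::Round($log.MaxFileSize / 1MB, 1)
        OnDiskMB  = [math]::Round($log.FileSize / 1MB, 1)
        Records   = $log.NumberOfRecords
        Overwrite = $log.OverwritePolicy
        OverMax   = $log.FileSize -gt $log.MaxFileSize
    }
}
$report | Sort-Object OnDiskMB -Descending | Format-Table -AutoSize

# Combined totals compared with the 300 MB figure.
$sumMax  = ($logs | Measure-Object -Property MaxFileSize -Sum).Sum
$sumDisk = ($logs | Measure-Object -Property FileSize -Sum).Sum
'Combined configured maximum: {0:N1} MB' -f ($sumMax / 1MB)
'Combined size on disk:       {0:N1} MB' -f ($sumDisk / 1MB)

if ($sumMax -gt $limitBytes) {
    Write-Warning 'Configured maximums add up to more than 300 MB.'
}
if ($sumDisk -gt $limitBytes) {
    Write-Warning 'Log files on disk add up to more than 300 MB.'
}
```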
