Exactly. As described in KB824245. Thanks David.

That is exactly what happened to me, I was controlling the size with the
GPO (or so I thought) and when I was done testing and wanted to reduce
the size, the actual logs never reflected the GPO setting.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, September 01, 2006 12:16 PM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log

The bug you're probably referring to is that in 2003 RTM you cannot reduce
the size of an Event Log via GPO.  You can increase the size but not
decrease it.  This can cause you to have larger logs than what you think if
all you do is review what the GPOs say.

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Friday, September 01, 2006 1:37 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
> 
> >I can say that I have seen logs way bigger than the specified max size.
> 
> 
> That's probably due to the little bug in the Policy setting 
> vs actual size, I don't have the reference with me but it's 
> back at the office, I had to figure it out because my DC logs' 
> actual sizes weren't matching what was in the Domain Controller GPO.
> 
> Anyway, the point I mentioned the other day and that Mark 
> later reiterated was the practical limit of ~300MB, or risk 
> of introducing problems with services.exe, lsass, the audit 
> subsystem etc on a DC. Are you saying you have seen the 
> aggregate size of the eventlogs go over that? I found out 
> about the instability the hard way and then once I knew what 
> to look for the references became apparent.
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Akomolafe, Deji
> Sent: Thursday, August 31, 2006 9:15 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
> 
> 
> I can say that I have seen logs way bigger than the specified max size.
> I can't say it's hurt the servers in any way.
>  
> 
> Sincerely, 
>    _____                                
>   (, /  |  /)               /)     /)   
>     /---| (/_  ______   ___// _   //  _ 
>  ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/                             /)      
>                                (/       
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
> 
> ________________________________
> 
> From: Glenn Corbett
> Sent: Thu 8/31/2006 2:53 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
> 
> 
> Interesting.
>  
> from the article: "Microsoft plans to resolve these problems 
> in the next version of Windows by rewriting the event logging 
> system from the ground up."  Since the last update was Mar 28 
> 2003, I wonder how this applies to Windows 2003 R2 and the 64 
> Bit versions of Windows, or if this will only be fixed in Longhorn.
>  
> Glenn
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Thursday, 31 August 2006 7:20 PM
> To: [email protected]; [email protected]
> Subject: Re: [ActiveDir] Logging successful logons in AD security log
> 
> 
> Does everyone know this recommendation from Microsoft?
> 
> On Windows XP, member servers, and stand-alone servers, the 
> combined size of the application, security, and system event 
> logs should not exceed 300 MB.
> On domain controllers, the combined size of these three logs 
> - plus the Directory Service, File Replication Service, and 
> DNS Server logs - should not exceed 300 MB.
> 
> http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true
> 
> Mark
> 
> 
> 
> ________________________________
> 
> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <[EMAIL PROTECTED]>
> Date: Wed, 30 Aug 2006 20:07:29 -0700
> To: [email protected]
> Subject: Re: [ActiveDir] Logging successful logons in AD security log
> 
> 
> Ask the PSS security guys and they want success and failure. 
> Only having half the story... is only half the story....
> 
> Buy bigger harddrives and archive.
> 
> Sitton Glen E wrote:
> > I don't know that there is a 'general consensus' because everyone's
> > business needs differ. My environment has around 100K users and you're
> > right, there's a ridiculously high volume of logon events. We set the
> > security log size very high on the domain controllers, and collect and
> > clear the security logs several times per day using a
> > commercially-available "fancy log management system." We don't allow
> > the security logs to rollover. The eventlog management software gives
> > us an impressive battery of audit reports, and a compressed eventlog
> > repository that we archive for FISMA compliance.
> >
> > I'm sure our uncompressed event log archive is well above 1TB per year.
> > But we realize about a 20:1 compression using the commercial software.
> >
> > Your options may be limited by legal requirements that may govern the
> > audit logs of your business or organization.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
> > Sent: Wednesday, August 30, 2006 5:32 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Logging successful logons in AD security log
> >
> > That may work, but it sort of falls under option b. The logs will grow
> > so large that they will become unmanageable. I did some calculations
> > and it works out to be about 1TB a year.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
> > Sent: Wednesday, August 30, 2006 3:06 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Logging successful logons in AD security log
> >
> > I have a pretty small site, and this probably won't scale very well, but
> > I have a script scheduled to run every day at midnight that backs up the
> > security log to a compressed folder & clears it. I have the log size set
> > ridiculously high, so it doesn't rollover unexpectedly.
> >
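> > ' Build a date/time-stamped name for the backup file
> > dtmThisDay = Day(Date)
> > dtmThisMonth = Month(Date)
> > dtmThisYear = Year(Date)
> > strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
> >     "_" & Hour(Time) & Minute(Time)
> > strComputer = "."
> > ' Backup and Security privileges are needed to back up and clear the Security log
> > Set objWMIService = GetObject("winmgmts:" _
> >     & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
> >     strComputer & "\root\cimv2")
> > Set colLogFiles = objWMIService.ExecQuery _
> >     ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
> > For Each objLogFile in colLogFiles
> >     ' BackupEventLog returns 0 on success; clear only after a good backup
> >     errBackupLog = objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
> >         "_security.evt")
> >     If errBackupLog = 0 Then
> >         objLogFile.ClearEventLog()
> >     Else
> >         WScript.Echo "Backup failed (" & errBackupLog & "); log not cleared."
> >     End If
> > Next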
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
> > Sent: Wednesday, August 30, 2006 3:10 PM
> > To: [email protected]
> > Subject: [ActiveDir] Logging successful logons in AD security log
> >
> > What is the general consensus on logging successful logon events?
> >
> > For example if you have a domain with 100K users or so and you use AD as
> > your primary authentication service for: application, file, email, and
> > web access then it is plausible that you will end up with up to 100 log
> > entries per second. That kind of volume will no doubt cause the logs to
> > roll over frequently thus making them somewhat useless.
> >
> > The only alternatives I see are:
> >
> > a) Don't log success logon.
> > b) Set your event log size to a very large (and possibly unmanageable)
> > size.
> > c) Invest in a fancy log management system that will collect, index, and
> > retain all of your logs.
> >
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
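
The mismatch discussed in this thread (GPO value vs. actual log size) and the 300 MB combined guideline can both be checked in one pass. The following is an added example, not part of the original thread or any poster's code; it assumes PowerShell with Get-CimInstance is available on the machine being checked, and the sizes in $IntendedMaxKB are constructed sample values to be replaced with the figures from your own GPO.

```powershell
# Added example (not from the thread): compare what the GPO is supposed to
# enforce with what each classic event log is actually configured to use.
# Assumption: the KB values below are constructed samples, not recommendations.
$IntendedMaxKB = @{
    'Application'              = 16384
    'Security'                 = 131072
    'System'                   = 16384
    'Directory Service'        = 16384
    'File Replication Service' = 16384
    'DNS Server'               = 16384
}
$CombinedLimitMB = 300   # combined-size recommendation quoted in the thread

function Get-EventLogSizeAudit {
    param([hashtable]$Intended = $IntendedMaxKB)
    # Win32_NTEventlogFile is the same WMI class the thread's backup script queries
    Get-CimInstance -ClassName Win32_NTEventlogFile |
        Where-Object { $Intended.ContainsKey($_.LogfileName) } |
        ForEach-Object {
            $intendedBytes = [long]$Intended[$_.LogfileName] * 1KB
            [pscustomobject]@{
                Log            = $_.LogfileName
                IntendedMaxMB  = [math]::Round($intendedBytes / 1MB, 1)
                EffectiveMaxMB = [math]::Round($_.MaxFileSize / 1MB, 1)
                OnDiskMB       = [math]::Round($_.FileSize / 1MB, 1)
                Records        = $_.NumberOfRecords
                # True when the live setting differs from the policy value,
                # e.g. a GPO size reduction that never took effect
                Mismatch       = ([long]$_.MaxFileSize -ne $intendedBytes)
            }
        }
}

$audit = @(Get-EventLogSizeAudit)
$audit | Format-Table -AutoSize

$totalMaxMB  = ($audit | Measure-Object -Property EffectiveMaxMB -Sum).Sum
$totalDiskMB = ($audit | Measure-Object -Property OnDiskMB -Sum).Sum
'Combined effective max: {0} MB; on disk: {1} MB; guideline: {2} MB' -f `
    $totalMaxMB, $totalDiskMB, $CombinedLimitMB

if ($totalMaxMB -gt $CombinedLimitMB) {
    Write-Warning "Combined effective maximum exceeds $CombinedLimitMB MB."
}
$audit | Where-Object { $_.Mismatch } | ForEach-Object {
    Write-Warning ("{0}: effective {1} MB, policy says {2} MB" -f `
        $_.Log, $_.EffectiveMaxMB, $_.IntendedMaxMB)
}
```

Logs that do not exist on the machine (for example, DNS Server on a DC that does not run DNS) are simply absent from the output.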