Last Update: Nov 19, 2024 | Published: Jan 07, 2009
In some environments the company policy requires that the security logs of Domain Controllers are configured to retain information for X days into the past. Requiring such a setting means two things:
One of the things that can help you in this situation is automating the process of opening a new security log file when the maximum size limit is reached.
Below you will find an Administrative Template (.ADM file) that does exactly that: the moment the file size limit is reached, the server archives the security log and opens a fresh one.
I’ll quote:
Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. On computers with the “CrashOnAuditFail” policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes.
If you are still wondering what I am talking about, let's have a look at the following example:
So what do you do? You configure the maximum log size to a reasonable number (let's say 128 MB) and use the Administrative Template attached below to configure the server to archive the log the moment it hits the 128 MB limit. The full Security log is saved with a timestamp suffix and a new, empty log is opened. On Windows 2000 and Windows Server 2003 the archive is written to %SystemRoot%\System32\Config; on Windows Vista, Windows Server 2008 and later the Security log lives in %SystemRoot%\System32\winevt\Logs and the archive is written there as Archive-Security-<timestamp>.evtx. Two caveats: auto-backup only takes effect when the log's retention is set to "Do not overwrite events", and a maximum size that is small relative to your audit volume will produce an archive every few minutes, so derive the size from the actual event rate rather than picking a round number.
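The following PowerShell is an added example and not the article's ADM file: it applies the same three settings (maximum size, retain old events, archive when full) on a single server with the built-in wevtutil and then reads the effective configuration back with Get-WinEvent. The ADM applies the equivalent values through Group Policy; the read-back part is what you run on a Domain Controller to confirm that the GPO actually landed. The 128 MB figure is the one assumed in the text, and the script must run from an elevated prompt.

```powershell
# Added example: configure the local Security log for auto-backup and verify it.
# Not the article's ADM; the ADM sets the equivalent values via Group Policy.
$LogName  = 'Security'
$MaxBytes = 128MB            # 134217728 bytes, the size assumed in the article

# wevtutil set-log: /ms = maximum size in bytes, /rt:true = retain (do not overwrite),
# /ab:true = archive the log when full. /ab is only honoured together with /rt:true.
wevtutil sl $LogName "/ms:$MaxBytes" /rt:true /ab:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

# Read the effective configuration back. LogMode says what happens when the log is
# full: Circular (oldest events overwritten), Retain (logging stops and, with
# CrashOnAuditFail enabled, the machine halts) or AutoBackup (archive + fresh log).
$cfg = Get-WinEvent -ListLog $LogName

[pscustomobject]@{
    LogName     = $cfg.LogName
    LogMode     = $cfg.LogMode
    MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
    FileSizeMB  = [math]::Round($cfg.FileSize / 1MB, 1)
    IsLogFull   = $cfg.IsLogFull
    LogFilePath = $cfg.LogFilePath   # archives are written to the same directory
} | Format-List

# The checks you actually care about on a Domain Controller:
if ($cfg.LogMode -ne 'AutoBackup') {
    Write-Warning "$LogName is in $($cfg.LogMode) mode; a full log will NOT be archived."
}
if ($cfg.MaximumSizeInBytes -ne $MaxBytes) {
    Write-Warning ("Maximum size is {0} bytes, expected {1}; a GPO may be overriding the local value." `
        -f $cfg.MaximumSizeInBytes, $MaxBytes)
}
```

Run the verification half alone on each Domain Controller after the GPO has refreshed; a LogMode of Retain with a full log is exactly the state in which a server with CrashOnAuditFail enabled will stop servicing requests.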
You can later collect those archive files to a central location and configure a scheduled job to prune files older than 60 days, which is what turns "archive when full" into the X-day retention the policy asks for.
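As an added example (not from the article), the collection and pruning job described above in PowerShell. It moves archived Security logs from the Domain Controller to a per-server folder on a central share and deletes copies older than the retention period. The share path \\logsrv\dc-security-logs and the 60-day retention are placeholders; the archive file name pattern Archive-Security-YYYY-MM-DD-HH-MM-SS-mmm is the one the Event Log service uses (.evt on 2000/2003, .evtx on Vista and later), and the regex is written to accept both.

```powershell
# Added example: collect auto-backup archives to a central share and prune them.
# Assumptions: share path and retention are placeholders; run elevated on the DC.
param(
    [string]$Destination   = '\\logsrv\dc-security-logs',
    [int]   $RetentionDays = 60
)

# Archive file names carry the time the log was rolled; we key retention on that,
# not on LastWriteTime, so the result is independent of how the file got to the share.
$pattern = '^Archive-Security-(\d{4})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-\d{3}\.evtx?$'

function Get-ArchiveTimestamp([string]$Name) {
    # Returns the [datetime] embedded in an archive file name, or $null if it does not match.
    if ($Name -match $pattern) {
        return Get-Date -Year $Matches[1] -Month $Matches[2] -Day $Matches[3] `
                        -Hour $Matches[4] -Minute $Matches[5] -Second $Matches[6] -Millisecond 0
    }
    return $null
}

# The archives are written next to the live Security log, wherever that is on this OS.
$logDir = Split-Path (Get-WinEvent -ListLog Security).LogFilePath -Parent
$dest   = Join-Path $Destination $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($file in Get-ChildItem -Path $logDir -File -Filter 'Archive-Security-*') {
    if (-not (Get-ArchiveTimestamp $file.Name)) { continue }

    # Make sure the archive opens as an event log before the local copy goes away.
    try {
        $null = Get-WinEvent -Path $file.FullName -MaxEvents 1 -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($file.Name): not readable as an event log ($_)"
        continue
    }

    Move-Item -Path $file.FullName -Destination (Join-Path $dest $file.Name)
}

# Prune on the central share.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
foreach ($file in Get-ChildItem -Path $dest -File) {
    $stamp = Get-ArchiveTimestamp $file.Name
    if ($stamp -and $stamp -lt $cutoff) {
        Remove-Item -Path $file.FullName
    }
}

# An archive every few minutes means the maximum log size is too small for the audit
# volume on this DC; surface that rather than silently filling the share.
$lastDay = Get-ChildItem -Path $dest -File |
    Where-Object { $t = Get-ArchiveTimestamp $_.Name; $t -and $t -gt (Get-Date).AddDays(-1) }
if ($lastDay.Count -gt 24) {
    Write-Warning "$($lastDay.Count) Security archives in the last 24 hours; consider raising the maximum log size."
}
```

Schedule it hourly with a Task Scheduler job running as an account that has write access to the share and local administrator rights on the Domain Controller; the readability check is cheap and catches the one failure mode you cannot recover from, a truncated archive whose only copy has just been deleted.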
Add the new Administrative Template to a new or to an existing GPO, then look for the settings under Computer Configuration > Administrative Templates > System > Event Viewer. The new settings are self-explanatory.
Follow the steps outlined in the Adding New Administrative Templates to a GPO article for general instructions on how to add or remove an .ADM file in the Administrative Templates section of a GPO.
Note: As with many custom Administrative Templates, the settings write to the Event Log service's own registry keys rather than to the HKLM\SOFTWARE\Policies tree, so the Group Policy editor treats them as preferences and hides them by default. In the editor select the Administrative Templates node, open View > Filtering and clear "Only show policy settings that can be fully managed" to see them. Because they are preferences, the values also persist on the server after the GPO is unlinked or removed; if you later want them gone, set them back explicitly.
Needless to say, as with any GPO setting, this option only works on Windows 2000 and later operating systems and requires an Active Directory in place. On Windows Vista, Windows Server 2008 and later the built-in templates already include the equivalent setting, "Back up log automatically when full", under Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security (it only takes effect together with "Retain old events"), so the custom .ADM is mainly of use for Windows 2000 and Windows Server 2003 Domain Controllers.
Grab it from [this_link_has_been_removed] (1kb)
Guy’s Windowmaker’s Blog