Does everyone know this recomendation from Microsoft?
On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs — plus the Directory Service, File Replication Service, and DNS Server logs — should not exceed 300 MB.
http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true
Mark
Return-Path: <[EMAIL PROTECTED]> Thu Aug 31 04:12:18 2006
Received: from smarthost1.giacom.net [194.131.240.55] by mail1.giacom.net with SMTP;
Thu, 31 Aug 2006 04:12:18 +0100
Received: from mail.activedir.org ([12.168.66.190]) by smarthost1.giacom.net with MailEnable ESMTP; Thu, 31 Aug 2006 04:12:15 +0100
Received: from smtp111.sbc.mail.mud.yahoo.com [68.142.198.210] by mail.activedir.org
(SMTPD32-8.15) id A27721B0148; Wed, 30 Aug 2006 23:07:35 -0400
Received: (qmail 99368 invoked from network); 31 Aug 2006 03:07:35 -0000
Received: from unknown (HELO ?192.168.16.19?) ([EMAIL PROTECTED]@69.106.185.80 with plain)
by smtp111.sbc.mail.mud.yahoo.com with SMTP; 31 Aug 2006 03:07:35 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=pacbell.net;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
b=PEIfvYwJhIYktsWE3wK8pnfo1RmbheeJg4LXCAQ1cS/3aIkBB+zWPBGoNL0vpHGQ7U+CwL+WPVR6qNv7o1jr4Xp9zMxBmnzKaUuWHbmSmTn++z6CEr/Q5njP0rjFViu7J0fVz2mvIfjfh29qkHO6+PEuYRMiJ3/EUAyhoBySfo8= ;
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 30 Aug 2006 20:07:29 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Received-SPF: none (smarthost1.giacom.net: mail.activedir.org does not designate permitted sender hosts)
X-Declude-Sender: [EMAIL PROTECTED] [12.168.66.190]
X-Note: This E-mail was scanned in real-time by Giacom Anti-Spam and Giacom Anti-Virus. Advanced Virus and Spam protection is available to subscribers of Giacom Business Pro Plus. Visit http://www.giacom.com for more details.
X-Spam-Tests-Failed: ROUTING [-1]
X-Note: This E-mail was sent from ([12.168.66.190]).
X-Rcpt-To: <[EMAIL PROTECTED]>
Ask the PSS security guys and they want success and failure. Only
having half the story... is only half the story....
Buy bigger harddrives and archive.
Sitton Glen E wrote:
> I don't know that there is a 'general consensus' because everyone's
> business needs differ. My environment has around 100K users and you're
> right, there's a ridiculously high volume of logon events. We set the
> security log size very high on the domain controllers, and collect and
> clear the security logs several times per day using a
> commercially-available "fancy log management system." We don't allow
> the security logs to rollover. The eventlog management software gives
> us an impressive battery of audit reports, and a compressed eventlog
> repository that we archive for FISMA compliance.
>
> I'm sure our uncompressed event log archive is well above 1TB per year.
> But we realize about a 20:1 compression using the commercial software.
>
> Your options may be limited by legal requirements that may govern the
> audit logs of your business or organization.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 5:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> That may work, but it sort of falls under option b. The logs will grow
> so large that they will become unmanageable. I did some calculations
> and it works out to be about 1TB a year.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
> Sent: Wednesday, August 30, 2006 3:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> I have a pretty small site, and this probably won't scale very well, but
> I have a script scheduled to run every day at midnight that backs up the
> security log to a compressed folder & clears it. I have the log size set
> ridiculously high, so it doesn't rollover unexpectedly.
>
> dtmThisDay = Day(Date)
> dtmThisMonth = Month(Date)
> dtmThisYear = Year(Date)
> strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay &
> "_" & Hour(Time) & Minute(Time) strComputer = "."
> Set objWMIService = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
> strComputer & "\root\cimv2")
> Set colLogFiles = objWMIService.ExecQuery _
> ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
> For Each objLogfile in colLogFiles
> objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
> "_security.evt")
> objLogFile.ClearEventLog()
> Next
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 3:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Logging successful logons in AD security log
>
> What is the general consensus on logging successful logon events?
>
> For example if you have a domain with 100K users or so and you use AD as
> your primary authentication service for: application, file, email, and
> web access then it is plausible that you will end up with up to 100 log
> entries per second. That kind of volume will no doubt cause the logs to
> roll over frequently thus making them somewhat useless.
>
> The only alternatives I see are:
>
> a) Don't log success logon.
> b) Set your event log size to a very large (and possibly unmanageable)
> size.
> c) Invest in a fancy log management system that will collect, index, and
> retain all of your logs.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
- Re: [ActiveDir] Logging suc... Mark Parris
- RE: [ActiveDir] Loggin... Glenn Corbett
- RE: [ActiveDir] Lo... Wells, James Arthur
- RE: [ActiveDir... Grillenmeier, Guido
- RE: [Activ... Isenhour, Joseph
- Re: [ActiveDir... Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- RE: [ActiveDir] Lo... David Adner
- RE: [ActiveDir] Lo... Akomolafe, Deji
- RE: [ActiveDir... Free, Bob
- RE: [Activ... David Adner
- RE: [... Free, Bob