Interesting.
 
from the article: "Microsoft plans to resolve these problems in the next
version of Windows by rewriting the event logging system from the ground
up."  since the last update was Mar 28 2003, I wonder how this applies to
Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only be
fixed in Longhorn.
 
Glenn
 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log


Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of
the application, security, and system event logs should not exceed 300 MB.
On domain controllers, the combined size of these three logs - plus the
Directory Service, File Replication Service, and DNS Server logs - should
not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e
5e-514173bf15e31033.mspx?mfr=true

Mark



________________________________

From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
Date: Wed, 30 Aug 2006 20:07:29 -0700
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only 
having half the story... is only half the story....

Buy bigger hard drives and archive.

Sitton Glen E wrote:
> I don't know that there is a 'general consensus' because everyone's
> business needs differ. My environment has around 100K users and you're
> right, there's a ridiculously high volume of logon events. We set the
> security log size very high on the domain controllers, and collect and
> clear the security logs several times per day using a
> commercially-available "fancy log management system." We don't allow
> the security logs to rollover. The eventlog management software gives
> us an impressive battery of audit reports, and a compressed eventlog
> repository that we archive for FISMA compliance.
>
> I'm sure our uncompressed event log archive is well above 1TB per year.
> But we realize about a 20:1 compression using the commercial software.
>
> Your options may be limited by legal requirements that may govern the
> audit logs of your business or organization. 
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 5:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> That may work, but it sort of falls under option b. The logs will grow
> so large that they will become unmanageable. I did some calculations
> and it works out to be about 1TB a year.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
> Sent: Wednesday, August 30, 2006 3:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> I have a pretty small site, and this probably won't scale very well, but
> I have a script scheduled to run every day at midnight that backs up the
> security log to a compressed folder & clears it. I have the log size set
> ridiculously high, so it doesn't rollover unexpectedly.
>
> ' Build a timestamp for the backup file name (year_month_day_hourminute)
> dtmThisDay = Day(Date)
> dtmThisMonth = Month(Date)
> dtmThisYear = Year(Date)
> strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
> "_" & Hour(Time) & Minute(Time)
> strComputer = "."
> ' Connect to WMI on the local machine with the Backup and Security
> ' privileges that reading and clearing the Security log require
> Set objWMIService = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
> strComputer & "\root\cimv2")
> Set colLogFiles = objWMIService.ExecQuery _
> ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
> ' Back up the Security log to c:\seclogs (the folder must already exist),
> ' then clear it so it never reaches its maximum size
> For Each objLogfile in colLogFiles
> objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
> "_security.evt")
> objLogFile.ClearEventLog()
> Next
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 3:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Logging successful logons in AD security log
>
> What is the general consensus on logging successful logon events?
>
> For example if you have a domain with 100K users or so and you use AD as
> your primary authentication service for: application, file, email, and
> web access then it is plausible that you will end up with up to 100 log
> entries per second. That kind of volume will no doubt cause the logs to
> roll over frequently thus making them somewhat useless.
>
> The only alternatives I see are:
>
> a) Don't log success logon.
> b) Set your event log size to a very large (and possibly unmanageable)
> size.
> c) Invest in a fancy log management system that will collect, index, and
> retain all of your logs.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
> 
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
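The sizing argument running through this thread (Joseph's roughly 100 logon events per second and "about 1TB a year", Glen's 20:1 compression, Mark's 300 MB combined-log guidance, and the backup-and-clear schedule behind Derek's script) can be put into one small capacity model. The following is an added example written for this page, not code from the list or from Microsoft; the 350-byte average record size is a constructed assumption chosen so that 100 events/s lands near the 1 TB/year figure quoted above, and the function and parameter names are mine.

```python
"""Capacity model for Windows Security-log retention (constructed example).

Given a sustained audit event rate and an average record size, work out
daily and yearly volume, how long a log of a given maximum size lasts
before it fills, how often a backup-and-clear job must run to stay ahead
of that, and what the archive costs after compression.
"""
from dataclasses import dataclass
import math

MB = 1024 * 1024
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class LogLoad:
    events_per_sec: float   # sustained rate of audit records written
    avg_event_bytes: int    # average on-disk size of one record (assumption)

    def bytes_per_sec(self) -> float:
        return self.events_per_sec * self.avg_event_bytes

    def bytes_per_day(self) -> float:
        return self.bytes_per_sec() * SECONDS_PER_DAY

    def bytes_per_year(self) -> float:
        return self.bytes_per_day() * DAYS_PER_YEAR


def seconds_until_full(load: LogLoad, max_log_bytes: float) -> float:
    """Time an empty log takes to reach its maximum size if nothing
    archives or clears it. Infinite when nothing is being written."""
    if load.bytes_per_sec() <= 0:
        return math.inf
    return max_log_bytes / load.bytes_per_sec()


def archive_runs_per_day(load: LogLoad, max_log_bytes: float,
                         headroom: float = 1.0) -> int:
    """Minimum number of evenly spaced backup-and-clear runs per day that
    keep the log from ever filling. `headroom` < 1.0 reserves part of the
    maximum size for bursts above the sustained rate. Always at least one
    run, so that a quiet system still gets a daily archive."""
    usable_bytes = max_log_bytes * headroom
    secs = seconds_until_full(load, usable_bytes)
    if secs == math.inf:
        return 1
    return max(1, math.ceil(SECONDS_PER_DAY / secs))


def min_log_bytes_for_interval(load: LogLoad, interval_secs: float) -> float:
    """Smallest maximum-log-size setting that survives `interval_secs`
    between archive runs without filling (no headroom applied)."""
    return load.bytes_per_sec() * interval_secs


def archive_bytes_per_year(load: LogLoad, compression_ratio: float) -> float:
    """Yearly archive footprint once compressed at e.g. 20:1."""
    if compression_ratio <= 0:
        raise ValueError("compression ratio must be positive")
    return load.bytes_per_year() / compression_ratio


def plan(load: LogLoad, max_log_bytes: float, compression_ratio: float) -> dict:
    """Summarise the model for one set of inputs."""
    return {
        "raw_gb_per_day": load.bytes_per_day() / 1e9,
        "raw_tb_per_year": load.bytes_per_year() / 1e12,
        "hours_until_full": seconds_until_full(load, max_log_bytes) / 3600,
        "archive_runs_per_day": archive_runs_per_day(load, max_log_bytes),
        "log_mb_for_daily_archive": min_log_bytes_for_interval(load, SECONDS_PER_DAY) / MB,
        "compressed_gib_per_year": archive_bytes_per_year(load, compression_ratio) / 2**30,
    }


if __name__ == "__main__":
    # Joseph's 100 events/s; 350 B/record is a constructed assumption
    dc_load = LogLoad(events_per_sec=100, avg_event_bytes=350)
    for key, value in plan(dc_load, 300 * MB, 20).items():
        print(f"{key:>26}: {value:,.1f}")
```

With those inputs the model reproduces the thread's numbers: about 3 GB/day and 1.1 TB/year raw, a 300 MB Security log that fills in roughly 2.5 hours (so a once-a-day backup-and-clear job at that rate would need a log limit near 2.9 GB, which is why Glen collects "several times per day"), and about 51 GiB/year of archive at 20:1 compression.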