Mike, this is close to what I'm doing. I have all servers logging to syslog. Luckily, I can scrap a lot of events. Every night a batch file runs that splits the syslog file into several parts. The log for SMTP connections for example is only kept for a certain period. Remaining entries in 'the big log' are kept forever. When those logs get too big, I zip'em up (only happened once). At the end of the year they are all moved to CD.
The Event Viewer itself gets deleted after review. The System and App logs are 4 MB and Security 8 MB in size. Events are overwritten as needed.

For you I would suggest: definitely log to syslog and keep these. Smaller in size (compared to Event log files), easier to grep through and review. Easier to handle (files not locked). In addition, keep logging to the Event log for a quick review of recent events. For record keeping, the Event log sucks though. Syslog gives you consolidation of all log types of all servers. This is also very useful for correlation of events.

Regards,
Frank

On Mon, 2002-02-11 at 12:11, Michael Dana-TM wrote:
> I'm looking for a few suggestions or thoughts on Event Log retention. I've
> got a Win2K Active Directory with some domain controllers spread in
> different places across Canada, and approximately 20,000 users. I have a
> requirement to log all actions on the domain controllers, minus one or two
> success entries, and retain those logs for a specific amount of time. Does
> anyone have any thoughts on good ways of log retention in their environment?
> So far, the best solutions I've come up with are:
> 1. Use a syslogd and a secure syslog server for an online storage of event
> logs. Dump to tape after 'x' weeks.
> 2. Save Event Log to archive, and transfer archive to online storage. Dump
> to tape after 'x' weeks.
> The biggest problem I can see with it is that the file is constantly open
> and being written to. Given the size of the environment, the log file has to
> be fairly large, I'm estimating 2 gig for the security log file based on my
> tests so far, and that should hold about 2 days' worth of activity in my
> estimation. Basically I want to get the smoothest data possible, with little
> or no duplication of entries among archive files. I suppose I could use a
> script to dump a specific date out of the log and archive it in a daily log
> rotation or something.
> Anyways, those are my ideas on it so far..
> Does anyone have any ideas or
> suggestions?
> Thanks,
> --MikeD
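The nightly split-and-expire job Frank describes (per-type sub-logs, a short retention window for SMTP connections, everything else kept forever) and the duplicate-free archive Mike asks for can both be done in one pass over the consolidated syslog file. Below is an added example of that pass; it is not Frank's batch file or anything from the thread. It assumes classic BSD-syslog lines ("Mon DD HH:MM:SS host prog[pid]: message"), which carry no year, so the year is borrowed from the run date and rolled back for stamps that would otherwise be in the future; the program names in ROUTES, the 14-day SMTP window and the sample lines are all constructed for the example.

```python
"""Nightly syslog split with per-sub-log retention (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# Classic BSD syslog: "Mon DD HH:MM:SS host prog[pid]: message" (no year field).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Program name -> sub-log. Anything unlisted lands in the "big" log.
# The program names here are assumptions for the example.
ROUTES = {"smtpd": "smtp", "sendmail": "smtp"}

# Retention per sub-log in days; None means keep forever.
RETENTION = {"smtp": 14, "big": None}

# Constructed sample input (not real log data).
SAMPLE_LINES = [
    "Feb 11 12:11:05 dc01 Security: Success Audit 528 logon user=mdana",
    "Feb 11 12:11:05 dc01 Security: Success Audit 528 logon user=mdana",  # re-delivered copy
    "Feb 10 03:00:00 mx01 smtpd[123]: connect from 192.0.2.10",           # recent SMTP: kept
    "Jan 20 03:00:00 mx01 smtpd[123]: connect from 192.0.2.11",           # old SMTP: expired
    "Dec 30 08:00:00 dc02 Security: Success Audit 612 audit policy change",  # previous year
    "not a syslog line at all",                                            # unparsed: kept in big
]


def parse_line(line, ref):
    """Parse one syslog line. The year comes from `ref`; a stamp that would
    land more than a day in the future is taken to be from the previous year
    (the December-in-January rollover). Returns None if the line doesn't parse."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(f"{ref.year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
    except ValueError:  # e.g. "Feb 29" against a non-leap reference year
        return None
    if ts > ref + timedelta(days=1):
        ts = ts.replace(year=ref.year - 1)
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def split_and_expire(lines, now, routes=ROUTES, retention=RETENTION):
    """Route lines into sub-logs, drop exact duplicates, and expire lines older
    than the sub-log's retention window. Returns (buckets, stats)."""
    buckets = {name: [] for name in retention}
    stats = {"expired": 0, "duplicates": 0, "unparsed": 0}
    seen = set()
    for line in lines:
        line = line.rstrip("\n")
        # Exact-text dedup catches re-delivered lines. Caveat: two genuinely
        # distinct events with identical text in the same second collapse too.
        if line in seen:
            stats["duplicates"] += 1
            continue
        seen.add(line)
        rec = parse_line(line, now)
        if rec is None:
            # Never silently discard evidence: unparsable lines go to the big log.
            stats["unparsed"] += 1
            buckets["big"].append(line)
            continue
        bucket = routes.get(rec["prog"], "big")
        days = retention[bucket]
        if days is not None and now - rec["ts"] > timedelta(days=days):
            stats["expired"] += 1
            continue
        buckets[bucket].append(line)
    return buckets, stats


if __name__ == "__main__":
    run_date = datetime(2002, 2, 11, 23, 59, 0)
    buckets, stats = split_and_expire(SAMPLE_LINES, run_date)
    for name, kept in buckets.items():
        print(f"{name}: {len(kept)} line(s) kept")
    print(stats)
```

Run it once per night against the day's consolidated file and append each bucket to its own sub-log; because the job only ever reads a closed syslog file, it sidesteps the locked-Event-log problem Mike raises. Expiry is applied to the class a line belongs to, never to the big log, so the permanent record stays complete while the noisy SMTP connection log stays small.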