Hi all,

Consider the freeware tools from Sysinternals (www.sysinternals.com).
The PsTools suite
(http://www.sysinternals.com/ntw2k/freeware/pstools.shtml) contains a
small cmd-line utility called PsLogList
(http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml):

"The Resource Kit comes with a utility, elogdump, that lets you dump
the contents of an Event Log on the local or a remote computer.
PsLogList is a clone of elogdump except that PsLogList lets you login
to remote systems in situations your current set of security
credentials would not permit access to the Event Log, and PsLogList
retrieves message strings from the computer on which the event log
you view resides."

I have this application scheduled to run every night (Task Scheduler)
to dump the event logs to a file and automatically clear the logs.


Yours sincerely,


Matthijs van der Wel
Project Manager

Fox-IT Forensic IT Experts B.V.
Oude Delft 47
2611 BC  Delft
The Netherlands
________________________________________________________

http://www.fox-it.com/engels/index.shtml
________________________________________________________

Phonenumber (general): +31 - 15 - 21 91 111
Phonenumber (direct): +31 - 15 - 21 91 124
Faxnumber: +31 - 15 - 21 91 100
________________________________________________________

E-Mail Disclaimer

This email may contain confidential information. If this message is
not addressed to you, you may not retain or use the information in it
for any purpose. If you have received it in error, please notify the
sender and delete this message. We try to screen out viruses but take
no responsibility if this email contains a virus.

From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 14 February 2002 5:00
To: Michael Dana-TM
CC: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Re: Windows 2000 log retention


Mike,

This is close to what I'm doing. I have all servers logging to syslog.
Luckily, I can scrap a lot of events. Every night a batch file runs
that splits the syslog file into several parts. The log for SMTP
connections, for example, is only kept for a certain period. Remaining
entries in 'the big log' are kept forever. When those logs get too big,
I zip 'em up (only happened once). At the end of the year they are all
moved to CD.

The Event viewer itself gets deleted after review. The System and App
logs are 4 MB and Security 8 MB in size. Events are overwritten as
needed.

For you I would suggest:
Definitely log to syslog and keep these. Smaller in size (compared to
Event log files), easier to grep through and review. Easier to handle
(files not locked).
In addition, keep logging to Eventlog for a quick review of recent
events. For record keeping, the Eventlog sucks though. Syslog gives you
consolidation of all log types of all servers. This is also very useful
for correlation of events.

Regards,
Frank



On Mon, 2002-02-11 at 12:11, Michael Dana-TM wrote:
> I'm looking for a few suggestions or thoughts on Event Log
> retention. I've got a Win2K Active Directory with some domain
> controllers spread in different places across Canada, and
> approximately 20,000 users. I have a requirement to log all actions
> on the domain controllers, minus one or two success entries, and
> retain those logs for a specific amount of time. Does anyone have
> any thoughts on good ways of log retention in their environment? So
> far, the best solutions I've come up with are:
> 1. Use a syslogd and a secure syslog server for an online storage
> of event logs. Dump to tape after 'x' weeks.
> 2. Save Event Log to archive, and transfer archive to online
> storage. Dump to tape after 'x' weeks.
> The biggest problem I can see with it is that the file is
> constantly open and being written to. Given the size of the
> environment, the log file has to be fairly large, I'm estimating 2
> gig for the security log file based on my tests so far, and that
> should hold about 2 days worth of activity in my estimation.
> Basically I want to get the smoothest data possible, with little or
> no duplication of entries among archive files. I suppose I could
> use a script to dump a specific date out of the log and archive it
> in a daily log rotation or something.
> Anyways, those are my ideas on it so far. Does anyone have any
> ideas or suggestions?
> Thanks,
> --MikeD

