Event logs archiving with GPO

In some environments the company policy requires that the security logs of Domain Controllers are configured to retain events for X days into the past. Requiring such a setting means two things:

  • You cannot configure the Event Log to overwrite events as needed when the log reaches its maximum size
  • The log file can grow rather large (the Windows 2000 default is only 512KB, but if you retain logs you have probably raised it already)

One of the things that can help you in this situation is automating the process of opening a new security log file when the maximum size limit is reached.
Below you will find an Administrative Template (.ADM file) that does exactly that: the moment the size limit is reached, the server archives the current security log and opens a fresh one. Under the hood it sets the AutoBackupLogFiles value for the Security log (HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security), which only kicks in when the log's Retention is set to never overwrite events.
I’ll quote:
Using this entry causes the Event Log service to automatically clear a full event log and to back-up the log file. On computers with the “CrashOnAuditFail” policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes.
If you are still wondering what I am talking about, let's have a look at the following example:

  1. The company’s policy requirement is to retain security events for 60 days.
  2. The environment is rather big and the logs quickly grow.
  3. You configure the maximum security log size to a rather large number (the maximum is 4GB), but this is still not enough to accommodate 60 days of events. And if you are not aware: when the log hits its maximum size and the server is not configured to overwrite events as needed, the server simply stops logging; if the “CrashOnAuditFail” policy is also turned on, it halts with a STOP error rather than run unaudited, and it stops providing services.
  4. Working with very large logs is very painful; Event Viewer will just crawl.

So what do you do? You configure the maximum log size to a rather reasonable number (let's say 128MB) and use the Administrative Template attached below to configure the server to open a new log when it hits the 128MB limit. The full event log will be saved in the %SystemRoot%\System32\Config folder with a timestamp suffix and a new log will be opened.
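If you would rather script the same change than import the .ADM (for example on a stand-alone server, or to audit what a GPO actually applied), the following is an added example and not the template attached to this post. It writes the three registry values the template controls (Retention, MaxSize and AutoBackupLogFiles on the legacy Event Log service key used by Windows 2000/2003) and reads them back together with the CrashOnAuditFail state. It assumes it is run as a local Administrator; the function and variable names are my own.

```powershell
# Added example (not the .ADM file from the post): set the registry values the
# template toggles, directly on a Windows 2000/2003 server, and read them back.
# Assumptions: run as local Administrator; the Security log is configured through
# the legacy Event Log service key below (pre-Vista), as described in the post.

$SecurityLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# REG_DWORD is unsigned, but Set-ItemProperty -Type DWord takes an Int32, so
# 0xFFFFFFFF (Retention) and sizes above 2 GB must be reinterpreted bit-for-bit.
function ConvertTo-DwordInt32([uint32] $Value) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}
function ConvertFrom-DwordInt32([int] $Value) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function Set-SecurityLogAutoBackup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Size at which the current log is archived and a fresh one opened.
        # MaxSize must be a multiple of 64 KB; whole megabytes always are.
        [ValidateRange(1, 4095)]
        [int] $MaxSizeMB = 128
    )
    if (-not $PSCmdlet.ShouldProcess($SecurityLogKey, "Enable auto-backup at $MaxSizeMB MB")) { return }

    # Retention = 0xFFFFFFFF means "never overwrite events"; auto-backup only
    # takes effect when overwriting is disabled.
    Set-ItemProperty -Path $SecurityLogKey -Name Retention -Type DWord `
        -Value (ConvertTo-DwordInt32 ([uint32]::MaxValue))
    Set-ItemProperty -Path $SecurityLogKey -Name MaxSize -Type DWord `
        -Value (ConvertTo-DwordInt32 ([uint32]([long]$MaxSizeMB * 1MB)))
    # 1 = archive the full log to %SystemRoot%\System32\Config, clear it, keep logging.
    Set-ItemProperty -Path $SecurityLogKey -Name AutoBackupLogFiles -Type DWord -Value 1
}

function Get-SecurityLogAutoBackup {
    $log = Get-ItemProperty -Path $SecurityLogKey
    $lsa = Get-ItemProperty -Path $LsaKey
    New-Object -TypeName PSObject -Property @{
        MaxSizeMB          = (ConvertFrom-DwordInt32 ([int]$log.MaxSize)) / 1MB
        NeverOverwrite     = (ConvertFrom-DwordInt32 ([int]$log.Retention)) -eq [uint32]::MaxValue
        AutoBackupLogFiles = ([int]$log.AutoBackupLogFiles -eq 1)
        # CrashOnAuditFail: 0 = off, 1 = halt when the Security log cannot be
        # written, 2 = it has already halted once (only Administrators may log on).
        CrashOnAuditFail   = [int]$lsa.CrashOnAuditFail
    }
}

# Usage: preview, apply, then verify.
Set-SecurityLogAutoBackup -MaxSizeMB 128 -WhatIf
Set-SecurityLogAutoBackup -MaxSizeMB 128
Get-SecurityLogAutoBackup
```

The Event Log service reads these values when it starts, and on Windows 2000/2003 it cannot be stopped while the system is running, so plan a reboot for the change to take effect. Check the CrashOnAuditFail field in the output before relying on auto-backup: with a value of 1 a server that cannot archive the log (disk full, folder ACL broken) will still halt.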

You can later collect those files to a central location or configure a job to prune files older than 60 days.
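The collection and pruning job described above, as an added example that is not part of the original post: it copies the archived Security logs to a central share, and removes local archives older than the retention period only after verifying they were collected, so a full log folder never costs you history. It assumes the archive files are named Archive-Security-<yyyy-MM-dd-HH-mm-ss-fff>.evt (falling back to the file's last-write time when a name does not match), that the log folder is %SystemRoot%\System32\Config, and that the destination share name in the usage line is yours to replace.

```powershell
# Added example (not from the post): collect archived Security logs to a central
# share and prune local copies older than the retention period.
# Assumptions: archive files are named Archive-Security-yyyy-MM-dd-HH-mm-ss-fff.evt
# (the date falls back to LastWriteTime when a name does not match) and live in
# %SystemRoot%\System32\Config; the destination share below is a placeholder.

function Get-ArchivedSecurityLog {
    param([string] $LogFolder = (Join-Path $env:SystemRoot 'System32\Config'))
    $pattern = '^Archive-Security-(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})-\d{3}\.evtx?$'
    Get-ChildItem -Path $LogFolder -Filter 'Archive-Security-*.evt*' |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Prefer the timestamp baked into the name: LastWriteTime is reset
            # by copies and is trivially changed by anyone with write access.
            $stamp = $_.LastWriteTime
            if ($_.Name -match $pattern) {
                $stamp = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd-HH-mm-ss',
                    [Globalization.CultureInfo]::InvariantCulture)
            }
            New-Object -TypeName PSObject -Property @{ File = $_; ArchivedAt = $stamp }
        }
}

function Invoke-SecurityLogArchiveMaintenance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $RetentionDays = 60,
        [string] $Destination,            # central share; omit to prune locally only
        [string] $LogFolder = (Join-Path $env:SystemRoot 'System32\Config')
    )
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    foreach ($entry in Get-ArchivedSecurityLog -LogFolder $LogFolder) {
        $src = $entry.File
        $collected = $true
        if ($Destination) {
            $dst = Join-Path $Destination $src.Name
            if (-not (Test-Path $dst) -or (Get-Item $dst).Length -ne $src.Length) {
                if ($PSCmdlet.ShouldProcess($dst, "Copy $($src.Name)")) {
                    Copy-Item -Path $src.FullName -Destination $dst -Force
                }
            }
            # Trust the copy only if it exists and is the same size as the source.
            $collected = (Test-Path $dst) -and ((Get-Item $dst).Length -eq $src.Length)
        }
        if ($entry.ArchivedAt -lt $cutoff) {
            if (-not $collected) {
                Write-Warning "Keeping $($src.Name): not collected yet"
                continue
            }
            if ($PSCmdlet.ShouldProcess($src.FullName, 'Remove expired archive')) {
                Remove-Item -Path $src.FullName -Force
            }
        }
    }
}

# Usage (placeholder share): preview first, then run it as a scheduled task.
Invoke-SecurityLogArchiveMaintenance -RetentionDays 60 -Destination "\\logserver\dc-logs\$env:COMPUTERNAME" -WhatIf
Invoke-SecurityLogArchiveMaintenance -RetentionDays 60 -Destination "\\logserver\dc-logs\$env:COMPUTERNAME"
```

Give the Domain Controller's computer account (or the task's service account) write access but no Delete or Modify on the central share, so an attacker who gains control of a DC can fill the share but cannot erase the evidence already collected there; the local pruning only ever touches files that already have a verified copy.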
Add the new Administrative Template to a new or an existing GPO, then look for the settings under Computer Configuration > Administrative Templates > System > Event Viewer. The new settings are quite self-explanatory.
Follow the steps outlined in the Adding New Administrative Templates to a GPO article for general instructions on how to add or remove an .ADM file from the Administrative Templates section of a GPO.
Note: As with many custom Administrative Templates, these settings write outside the policy-managed registry keys, so the GPO editor hides them by default. Clear the “Only show policy settings that can be fully managed” filter (View > Filtering) to see them, and keep in mind that such settings tattoo the registry: they are not undone when the GPO stops applying.
Needless to say, as with any GPO setting, this option only works on Windows 2000 and higher and requires you to have an Active Directory in place. On Windows Vista / Server 2008 and later the same behaviour is exposed as a built-in policy (Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security > “Back up log automatically when full”, together with “Retain old events”), and the logs live in %SystemRoot%\System32\winevt\Logs instead of System32\Config.
Grab it from HERE (1kb)

Links

Guy’s Windowmaker’s Blog