How to configure Event Log retention behaviour in XP SP2

    I need to securely configure a stand-alone workstation that uses XP Pro SP2.
    There is a need to retain Event Log data about security-relevant events for eventual removal from the machine and off-line analysis/audit.
    I know the following aspects of the Event Log:
    a) there are 3 sections: system, security, application
    b) the sizes of the 3 sections can be independently configured
    c) the data retention behaviour of the 3 sections can be independently configured, please correct me if this is no longer true in XP SP2

    I can state that the only contents that need to be preserved are those of the 'security' section; there are no applications on the machine that exploit the API to the 'application' section. The 'system' section can be small and configured to 'wrap'.

    I have searched this forum. I have got lost more than once in the Byzantine labyrinth that is the Microsoft web, but I am unable to find useful information about configuring Event Log using the registry.

    Now, I have a recollection that the data retention behaviour (of any section, presumably) could be configured to be as follows:
    In sequence, when full:
    1. copy the contents to a <named directory>
    2. empty
    3. start to fill again ('wrap') - presumably with an event: "event log deleted [date, time]"
    Perhaps the argument for <named directory> was supplied by a related key (or an optional value in the same key)

    Please can someone provide the answers I seek:
    1. What are the registry entries that define Event Log data retention behaviour?
    2. Which values are used to configure which behaviour?
    3. Is my recollection of the superbly-useful behaviour outlined above
    a) faulty?
    b) only applicable to Windows 2000Pro?
    4. Is there also a registry entry to configure a 'gas gauge' warning about the %age used of a fixed Event Log section store?

    Last edited by minorplayer; 22nd May 2007, 14:00.

  • #2
    Re: How to configure Event Log retention behaviour in XP SP2

    Originally posted by minorplayer:
    Now, I have a recollection that the data retention behaviour (of any section, presumably) could be configured to be as follows:
    In sequence, when full:
    1. copy the contents to a <named directory>
    2. empty
    3. start to fill again ('wrap') - presumably with an event: "event log deleted [date, time]"
    Perhaps the argument for <named directory> was supplied by a related key (or an optional value in the same key)
    It doesn't really work the way you described.
    How it works:
    - Specify a maximum size for the log
    - Specify overwrite settings (as needed, after a certain amount of days, or never)
    That's it. There's nothing that will clear the logs or copy them. (same in 2k, XP, and 2003)
    [Attached image: eventproperties.jpg (the Event Log properties dialog)]

    Please can someone provide the answers I seek:
    1. What are the registry entries that define Event Log data retention behaviour?
    2. Which values are used to configure which behaviour?
    3. Is my recollection of the superbly-useful behaviour outlined above
    a) faulty?
    b) only applicable to Windows 2000Pro?
    4. Is there also a registry entry to configure a 'gas gauge' warning about the %age used of a fixed Event Log section store?

    Why are you wanting to change it through the registry? Are you going to be changing the settings frequently? If so, why not use a script?
    There's scripts that can configure the event log.
    http://www.microsoft.com/technet/scr....mspx?mfr=true
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


    • #3
      Re: How to configure Event Log retention behaviour in XP SP2

      J
      Thank you for the reply.
      My recollection of retention behaviour was - I am pretty sure - a Microsoft KB article - but you say it never was...
      Why Registry? I want to configure it once and never change it.
      Any answer to my Q4?


      • #4
        Re: How to configure Event Log retention behaviour in XP SP2

        Originally posted by minorplayer:
        4. Is there also a registry entry to configure a 'gas gauge' warning about the %age used of a fixed Event Log section store?
        Not that I know of. But you could use a script to check the size and alert you if it exceeds n.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com
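The two settings Jeremy describes (maximum size and overwrite behaviour) and the size-check script he suggests for the "gas gauge" question, as an added PowerShell example that is not part of this thread. It assumes the per-log registry key HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName> with REG_DWORD values MaxSize (bytes) and Retention (0 = overwrite as needed, 0xFFFFFFFF = never overwrite, any other value = seconds an event is kept), and that on XP the Security log file is %SystemRoot%\system32\config\SecEvent.Evt.

```powershell
# Added example (not from this thread). Assumed layout: each log has a key
# HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName> holding REG_DWORD
# values MaxSize (bytes, multiple of 64 KB) and Retention (0 = overwrite as
# needed, 0xFFFFFFFF = never overwrite, otherwise seconds to keep an event);
# on XP the Security log lives in %SystemRoot%\system32\config\SecEvent.Evt.
$LogName = 'Security'
$Key     = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
$LogFile = Join-Path $env:SystemRoot 'system32\config\SecEvent.Evt'

function Get-LogRetention {
    $p = Get-ItemProperty -Path $Key
    # Retention is a DWORD; PowerShell reads 0xFFFFFFFF back as -1.
    $mode = switch ($p.Retention) {
        0       { 'overwrite as needed' }
        -1      { 'never overwrite (manual clear required)' }
        default { "overwrite events older than $([int]($p.Retention / 86400)) days" }
    }
    New-Object PSObject -Property @{ MaxSize = $p.MaxSize; Retention = $mode }
}

function Set-LogRetention {
    param([int]$MaxSizeBytes = 64MB)
    if ($MaxSizeBytes % 64KB -ne 0) { throw 'MaxSize must be a multiple of 64 KB' }
    Set-ItemProperty -Path $Key -Name MaxSize   -Value $MaxSizeBytes -Type DWord
    # -1 writes 0xFFFFFFFF: never overwrite, so security records survive until
    # the reviewer exports and clears the log instead of being silently wrapped.
    Set-ItemProperty -Path $Key -Name Retention -Value -1 -Type DWord
    # The Event Log service reads these values at startup; reboot to apply.
}

function Test-LogFillLevel {
    # The on-disk .evt size is an approximation of the space used in the log.
    param([int]$WarnPercent = 80)
    $max  = (Get-ItemProperty -Path $Key).MaxSize
    $used = (Get-Item $LogFile).Length
    $pct  = [int](100 * $used / $max)
    if ($pct -ge $WarnPercent) {
        Write-Warning "$LogName log is $pct% full ($used of $max bytes); export and clear it"
    }
    return $pct
}

Get-LogRetention
Test-LogFillLevel -WarnPercent 80
```

On PowerShell 2.0 and later the same two values can be set with `Limit-EventLog -LogName Security -MaximumSize 64MB -OverflowAction DoNotOverwrite`; run Test-LogFillLevel from a scheduled task to get the periodic warning the thread asks for.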


        • #5
          Re: How to configure Event Log retention behaviour in XP SP2

          Love the way you ignore my reply about scripting and then suggest a script as an answer to the supplemental question!


          • #6
            Re: How to configure Event Log retention behaviour in XP SP2

            Originally posted by minorplayer:
            Love the way you ignore my reply about scripting and then suggest a script as an answer to the supplemental question!
            I'm sorry for misunderstanding you. I thought that "Q4" referred to the 4th question in your initial post.

            Could you maybe reword your question or just wait for someone else that has a better grasp than myself. I'm here to help as best I can but there's a lot I don't know or understand.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com


            • #7
              Re: How to configure Event Log retention behaviour in XP SP2
              Last edited by bcastner; 14th June 2007, 05:54.
              * Users Helping Users *
              MS-MVP Windows Networking


              • #8
                Re: How to configure Event Log retention behaviour in XP SP2

                Thank you very much bcastner!
                KB312571 is the very article that I was looking for...
                I really thought I was going mad
                The 3rd party tool also looks interesting
