how large can I make the event log files without causing an issue?

Home Forums Server Operating Systems SBS 2000 / 2003 / 2008 / 2011 how large can I make the event log files without causing an issue?

This topic contains 5 replies, has 4 voices, and was last updated by Avatar EarthReactor 5 years, 10 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • Avatar
    davids355
    Member
    #163691

    I am doing some file access monitoring on sbs 2011. I have enabled file access auditing in group policy and also enabled the audit settings in some folders on the network that I need to monitor.

    It all seems to be working as expected, except that for 3 hours of logging it was taking up the 130MB limit set on the security event log in event viewer.

    I have now changed this to 2GB – think this will give me an estimated 2-3 days of logging.

    Is that 2GB limit likely to cause a problem, can I safely set it any higher??

    Avatar
    Ossian
    Moderator
    #189598

    Re: how large can I make the event log files without causing an issue?

    Subject to available disk space, large logs are no problem, but searching and filtering them will be
    You may wish to set up a scheduled task to run at midnight to export the log and clear it (link #3 here: https://www.google.co.uk/search?q=powershell+export+and+clear+event+log&sourceid=ie7&rls=com.microsoft:en-GB:IE-Address&ie=&oe=&gfe_rd=cr&ei=yM9wU_yOFo6JOqXugOgO)

    Avatar
    EarthReactor
    Member
    #377220

    Re: how large can I make the event log files without causing an issue?

    ^^thanks very much.
    Now I looked again, there is an option to set a limit, and have the logs archived when the limits are reached. I take it that should have the same effect?

    Avatar
    wullieb1
    Moderator
    #244742

    Re: how large can I make the event log files without causing an issue?

    davids355;283639 wrote:
    ^^thanks very much.
    Now I looked again, there is an option to set a limit, and have the logs archived when the limits are reached. I take it that should have the same effect?

    I’d be asking why the logs are getting so large in the first place.

    Avatar
    EarthReactor
    Member
    #377221

    Re: how large can I make the event log files without causing an issue?

    wullieb1;283686 wrote:
    I’d be asking why the logs are getting so large in the first place.

    I have set it up to archive the security log every 500MB.
    Its up to 4GB after about 3 days.

    I think the reason they are so big is that I have set it to audit every file action for all users for the main shared folder that the company uses! And the reason being is that someone is continuously, and accidentally, moving and or deleting client folders and they want to pinpoint who it is.

    Avatar
    wullieb1
    Moderator
    #244743

    Re: how large can I make the event log files without causing an issue?

    davids355;283687 wrote:
    I have set it up to archive the security log every 500MB.
    Its up to 4GB after about 3 days.

    I think the reason they are so big is that I have set it to audit every file action for all users for the main shared folder that the company uses! And the reason being is that someone is continuously, and accidentally, moving and or deleting client folders and they want to pinpoint who it is.

    Ahh yes. Auditing can and will smash your logs if you don’t watch what your logging ;)

    IMHO turn it on verbose for a short time and then manage from there once you see the types of events it logs.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.