Event Log Size

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Are there limits for the maximum event log size (either individual logs or
encompassing all of the logs)? I came across the following Q article:
Event log may not grow to configured size
http://support.microsoft.com/default.aspx?scid=kb;en-us;183097

At this time we are thinking about increasing the Security Event Log size on
our Domain Controllers and want to know if we should be concerned about what
we set the maximum size to. I'm only thinking to the 200-300 MB range
(system and app are currently set at 16 MB).
Any recommendations on the Security Event Log size for DCs?
 
Guest

I have not seen that KB and thanks for posting it. Obviously there is a
problem if they issued that KB. I would think it is best to abide by it and
keep the total size of all the logs below 300MB. According to their guidance
you should still be able to set your security log at 200MB if the other ones
are at 16MB. The other thing to consider is to not over audit. In general
you do not want to enable auditing of object access, process tracking,
directory access, and privilege use as a regular routine. Of course auditing
of object access is necessary if you are auditing any folders/printers and
directory access is necessary if auditing AD objects.

--- Steve


"Onion" <Onion@discussions.microsoft.com> wrote in message
news:1BD420D4-960F-4E85-ADF1-3F129614B148@microsoft.com...
> Are there limits for the maximum event log size (either individual logs or
> encompassing all of the logs)? I came across the following Q article:
> Event log may not grow to configured size
> http://support.microsoft.com/default.aspx?scid=kb;en-us;183097
>
> At this time we are thinking about increasing the Security Event Log size
> on our Domain Controllers and want to know if we should be concerned about
> what we set the maximum size to. I'm only thinking to the 200-300 MB range
> (system and app are currently set at 16 MB).
> Any recommendations on the Security Event Log size for DCs?
 
Guest

In general the system and application logs on a DC grow quite slowly
compared to the security log, for which it can be very hard to maintain
many days' worth of events, depending on factors such as what is audited and
size of domain vs number of controllers, etc.
One thing not mentioned in the KB you referenced is that the event logs
are handled as memory-mapped files, which means that for machines
with a small amount of RAM (not likely your situation) having large logs
can noticeably cut into available physical/virtual memory.

You may find the following KB also of interest, particularly its mention
of issues when the security event log is in a size range of from 200 to
600 meg (which conflicts with the info in the KB you referenced) and
its outlining of how to configure the event logs for automatic backup.
http://support.microsoft.com/default.aspx?scid=kb;en-us;312571
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
 
Guest

This link explains the limitation pretty good:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/5a86ab0f-c7eb-45ed-9e5e-514173bf15e3.mspx

It was (and still is to many) one of the best kept secrets of the event log
size limitation for many many years (problem exists from NT to all current
versions of Windows). It has been so elusive as I know of only 2 documents
that explain this limitation, while there is a plethora of
articles/KB's/whitepapers, etc that note the event log can be 'set' as large
as 4GB.

Essentially, calculate all log files to be no more than 300 MB in total.

GeeB
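
An added example, not part of the original thread: one way to check the 300 MB guidance above on a domain controller is to sum the configured maximum of every registered log, since a DC carries more logs than Application, Security and System. It assumes PowerShell 3.0 or later, administrative rights, and a target running the classic event log service; the parameter names `ComputerName` and `BudgetMB` are illustrative.

```powershell
# Added example: compare configured event log maximums against a combined budget.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # machines to check (assumed reachable)
    [int]$BudgetMB = 300                             # combined ceiling suggested in the thread
)

foreach ($computer in $ComputerName) {
    try {
        # Enumerates every registered classic log, not only Application/Security/System.
        $logs = [System.Diagnostics.EventLog]::GetEventLogs($computer)
    } catch {
        Write-Warning "${computer}: cannot enumerate event logs: $($_.Exception.Message)"
        continue
    }

    $rows = foreach ($log in $logs) {
        try {
            [pscustomobject]@{
                Computer = $computer
                Log      = $log.Log
                MaxMB    = [math]::Round($log.MaximumKilobytes / 1024, 1)
                Overflow = $log.OverflowAction   # what happens when the log is full
            }
        } catch {
            Write-Warning "${computer}: cannot read settings for a log: $($_.Exception.Message)"
        }
    }

    # Combined configured maximum, and what is left for Security once the
    # other logs have taken their share of the budget.
    $totalMB  = ($rows | Measure-Object -Property MaxMB -Sum).Sum
    $otherMB  = ($rows | Where-Object { $_.Log -ne 'Security' } |
                 Measure-Object -Property MaxMB -Sum).Sum
    $headroom = $BudgetMB - $otherMB

    $rows | Sort-Object MaxMB -Descending | Format-Table -AutoSize
    "{0}: configured total {1} MB of {2} MB budget; Security log can be at most {3} MB" -f `
        $computer, $totalMB, $BudgetMB, $headroom

    if ($totalMB -gt $BudgetMB) {
        Write-Warning "${computer}: combined maximum exceeds budget; logs may not grow to their configured size"
    }
}
```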
 
Guest

That does discuss it well.
Thanks for the link, as you are correct, it is little mentioned.

--
Roger Abell
Microsoft MVP (Windows Security)
 
Guest

As the TechNet article indicates, the event log has been rewritten for
Windows Vista. It no longer uses memory-mapped files, and there is no hard
limit to log size except for disk space.

cheers
alex

--
This posting is provided "AS IS" with no warranties, and confers no rights.