
Event Log config via GPO


paulhthomas (Technical User), Apr 5, 2005
Chaps, when configuring the event log properties manually, you have an option to "Archive the log when full, do not overwrite events".
When trying to do this via GPO, the only option around archiving you seem to have is to archive after x days.
The problem I have is that my security event log (set to a max of 300 MB, as per MS guidelines) on my domain controllers would fill up and need archiving multiple times per day.
I'm trying to find a way of pushing out the "local" setting via group policy. Is it even possible?

Paul

Paul Thomas
MCITP Server 2008:Enterprise Administrator, VCP, MCSE 2003, MCSA: Messaging, MCITP: Vista, MCTS: Vista, N+, MCP
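As an added example (not from the thread or its posters): the "Archive the log when full, do not overwrite events" setting the question describes corresponds to LogMode = AutoBackup in the Windows Event Log configuration API, which PowerShell exposes through Get-WinEvent -ListLog. The script below audits that setting, and the 300 MB maximum from the post, on every domain controller, and optionally sets AutoBackup locally. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs; the policy registry key it reads is the one used by the "Backup log automatically when full" Administrative Template setting on Windows Server 2008 R2 / Windows 7 and later (that policy only takes effect when "Retain old events" is also enabled), so on earlier systems that field simply reports no policy.

```powershell
# Added example, not code from the thread: audit the Security log retention mode on all
# domain controllers and report any that are still overwriting (Circular) instead of
# archiving when full (AutoBackup). Assumes RSAT ActiveDirectory and WinRM to each DC.
param(
    [int]$ExpectedMaxMB = 300,   # the 300 MB figure from the question
    [switch]$Fix                 # when set, switch LogMode to AutoBackup on non-compliant DCs
)

Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $ExpectedMaxMB, $Fix.IsPresent -ScriptBlock {
    param($ExpectedMaxMB, $Fix)

    # EventLogConfiguration object for the Security log
    $log = Get-WinEvent -ListLog Security

    # Policy-managed values land under this key when the GPO
    # "Backup log automatically when full" is applied (2008 R2 / Win7 and later).
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
    $policyBackup = $null
    if (Test-Path $polKey) {
        $policyBackup = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).AutoBackupLogFiles
    }

    $changed = $false
    if ($Fix -and $log.LogMode -ne 'AutoBackup') {
        # Local change only: a GPO that manages retention will overwrite it on the next refresh,
        # which is exactly why the thread is looking for a policy-based way to set it.
        $log.LogMode = 'AutoBackup'
        $log.SaveChanges()
        $changed = $true
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        LogMode        = $log.LogMode   # Circular = overwrite, AutoBackup = archive when full, Retain = stop logging when full
        MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB)
        SizeOK         = ($log.MaximumSizeInBytes -ge ($ExpectedMaxMB * 1MB))
        PolicyBackup   = $policyBackup  # 1 = GPO enforces archive-when-full, $null = no policy present
        ChangedLocally = $changed
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize

# Anything not in AutoBackup mode is either overwriting or will stop logging when full
$results | Where-Object { $_.LogMode -ne 'AutoBackup' } |
    ForEach-Object { Write-Warning "$($_.Computer): Security log mode is $($_.LogMode); events may be lost or logging may stop" }
```

Run it without -Fix first to see which DCs differ from the intended state, and treat a PolicyBackup of $null as the signal that the setting is still local rather than pushed from a GPO.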
 
I would suggest that you just create a syslog server instead. Redirect the logs to the syslog server, and then you can set the local event logs to overwrite instead of archive.
 
IMHO.... You're logging more information than you need to log. You need to either pare down your logging levels, or get SCOM or an equivalent analytical application that will extract the data for you. You, as human being, cannot do anything meaningful with 1GB+++/day of logs. You'll never be able to find an actual security incident by searching manually.

http://blogs.msdn.com/b/ericfitz/archive/2005/01/11/350848.aspx

PSC
[—] CCNP [•] CCSP [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
Thanks for the reply PScottC.
Unfortunately we are logging a silly amount of data, but we're contractually bound to do so. We also have a 3rd party tool which pulls the logs off daily I believe (not been involved with the product), but as the security log is getting overwritten I needed to archive them off as and when they get full.
I'm not logging that many different "types" of logs; it's just that we've got 300 Solaris servers authenticating against AD, and this uses a bind account, and that logs every time the Solaris box hits AD. Annoying, but no way around it :(

Cheers

Paul Thomas
MCITP Server 2008:Enterprise Administrator, VCP, MCSE 2003, MCSA: Messaging, MCITP: Vista, MCTS: Vista, N+, MCP
 
Ok... Hmm...

Since this is the 2008 forum, are all your DCs 2008? If so, look at event subscriptions. There is a hint in the configuration window that you might be able to use GPOs to configure it, but I can't find a reference to it in the GP Editor.

There are 3rd party tools out there that can asynchronously extract the logs and output them to file, SQL, or other destinations. I worked for a company that had written their own in VBScript using WMI. Unfortunately the VBScript/WMI solution will not work for you because it starts losing events when the rate hits about 100/second.

PSC
[—] CCNP (R&S/Wireless) [•] CCSP [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
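As an added example (not from the thread or its posters) of the event subscriptions mentioned above: a source-initiated Windows Event Forwarding subscription on a collector lets the domain controllers push Security events to it as they are written, so the collector copy does not depend on the DC's log being archived before it wraps. The subscription id "DC-Security" is an assumed name; the script assumes it runs on the collector, that the DCs are members of the built-in Domain Controllers group (the DC alias in the SDDL), and that the forwarders have WinRM enabled and the "Configure target Subscription Manager" policy pointing at this collector, which a GPO can deliver.

```powershell
# Added example, not code from the thread: create a source-initiated WEF subscription
# on the collector so DCs push their Security log here. Assumed subscription id below.
$subscriptionId = 'DC-Security'
$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"

# Subscription definition in the schema wecutil consumes. The SDDL grants the built-in
# Domain Controllers group (alias DC) the right to deliver events to this collector.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# Configure the collector service (quiet mode), then create the subscription from the XML
wecutil qc /q
wecutil cs $xmlPath

# Verify the definition, and once forwarders have checked in, their runtime status
wecutil gs $subscriptionId
wecutil gr $subscriptionId
```

With the volumes described in the thread, the ForwardedEvents log on the collector needs its own size and retention settings raised (the same Get-WinEvent -ListLog / SaveChanges approach applies to it), and the Select clause can be narrowed to specific event IDs if the contract allows it.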
 