This article applies to:
Question:
Configuring AD Security Logs
Reply
One of the first things you should do after you install a new Windows system is configure the event logs on that system. This is particularly important for servers where event logs can provide critical information to help you troubleshoot when things go wrong. Before we look at how to configure event logs, we need some background information on the different logs available, and Table 1 provides this below:
|
Event log |
Log file |
Function |
Availability |
|
Application log |
AppEvent.evt |
Records events as determined by each software vendor |
All Windows systems |
|
Security log |
SecEvent.evt |
Records events based on how audit policy is configured |
All Windows systems |
|
System log |
SysEvent.evt |
Records events for Windows operating system components |
All Windows systems |
|
Directory Service log |
NTDS.evt |
Records events for Active Directory |
Domain controllers only |
|
DNS Server log |
DnsEvent.evt |
Records events for DNS servers and name resolution |
DNS servers only |
|
File Replication Service log |
NtFrs.evt |
Records events for domain controller replication |
Domain controllers only |
Table 1: Summary of Windows event logs
By default all event logs are:
- Stored in the %Windir%\system32\config folder
- Have a maximum size of 16 MB (Windows Server 2003) or 512 KB (Windows 2000/XP)
- Overwrite events more than 7 days old
Figure 1: Default configuration of DNS Server event log on a Windows Server 2003 DNS server.
Before you put your new Windows server into production, you should decide if these default settings are appropriate. Suggested best practices for configuring event logs on servers include the following:
- Increase the size of each event log to at least 50 MB. Since a typical event is about half a kilobyte in size, this means you’ll be able to store 100,000 events in each log. Note that the maximum supported size of each event log is about 300 MB. If your system drive has insufficient space for your event logs, you can move them to a separate volume by editing the subkey for each log under the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog using Registry Editor, see Microsoft Knowledge Base article 315417 for more information.
- Change the overwrite behavior for the Security log to Do Not Overwrite Events if your enterprise is a high security environment. That way if the Security log fills up the system will shut down to ensure that no events in the Security log are lost. If you do this, make sure you also archive and then clear your Security log regularly to prevent such a shutdown from occurring unexpectedly.
- Change the overwrite behavior for the other event logs to Overwrite Events As Needed so that no overwriting occurs until the entire log becomes full. Again, be sure to regularly archive and clear your event logs to prevent the log from filling up and losing events because of overwrites.
If you have a number of computers and are running Active Directory on your network, you can also use Group Policy to configure event log settings. These settings are found under Computer Configuration/Windows Settings/Security Settings/Event Log in Group Policy Object Editor:
Figure 2: Group Policy settings for configuring event logs.
- This article was previously published as:
- 8e6 KB 301865