Windows 2000 log retention
From: Michael Dana-TM (Michael.Dana@telus.com)
Date: 02/11/02
From: Michael Dana-TM <Michael.Dana@telus.com>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Mon, 11 Feb 2002 13:11:25 -0500

I'm looking for a few suggestions or thoughts on Event Log retention. I've
got a Win2K Active Directory with some domain controllers spread in
different places across Canada, and approximately 20,000 users. I have a
requirement to log all actions on the domain controllers, minus one or two
success entries, and retain those logs for a specific amount of time. Does
anyone have any thoughts on good ways of log retention in their environment?
So far, the best solutions I've come up with are:
1. Use a syslogd and a secure syslog server for an online storage of event
logs. Dump to tape after 'x' weeks.
2. Save Event Log to archive, and transfer archive to online storage. Dump
to tape after 'x' weeks.
The biggest problem I can see with it is that the file is constantly open
and being written to. Given the size of the environment, the log file has to
be fairly large, I'm estimating 2 gig for the security log file based on my
tests so far, and that should hold about 2 days' worth of activity in my
estimation. Basically I want to get the smoothest data possible, with little
or no duplication of entries among archive files. I suppose I could use a
script to dump a specific date out of the log and archive it in a daily log
rotation or something.
Anyways, those are my ideas on it so far. Does anyone have any ideas or
suggestions?
Thanks,
--MikeD
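
The no-duplication concern in the message above, as an added example that is not part of the original post: overlapping exports of a live log are split into daily archives by tracking the highest record number already archived, and gaps in the numbering are reported as events overwritten before collection. It assumes the events have already been exported as tuples with sequential record numbers and UTC timestamps; `archive_batch` and the sample records are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone


def archive_batch(records, watermark=None):
    """Sort one export into per-day buckets, skipping anything already archived.

    records:   iterable of (record_number, utc_datetime, event_id, text)
    watermark: highest record number archived so far, None on the first run
    Returns (per_day, new_watermark, missing_ranges).
    """
    fresh = sorted((r for r in records if watermark is None or r[0] > watermark),
                   key=lambda r: r[0])
    per_day = defaultdict(list)
    missing = []
    expected = None if watermark is None else watermark + 1
    for num, ts, event_id, text in fresh:
        if expected is not None:
            if num < expected:          # same record twice in one export
                continue
            if num > expected:          # overwritten before it was collected
                missing.append((expected, num - 1))
        day = ts.astimezone(timezone.utc).strftime("%Y-%m-%d")
        per_day[day].append(f"{num}\t{ts.isoformat()}\t{event_id}\t{text}")
        expected = num + 1
    new_watermark = watermark if expected is None else expected - 1
    return dict(per_day), new_watermark, missing


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample data: two exports of the same live log that overlap.
EXPORT_1 = [
    (101, _ts("2002-02-10 23:58"), 528, "logon user1"),
    (102, _ts("2002-02-10 23:59"), 538, "logoff user1"),
    (103, _ts("2002-02-11 00:01"), 529, "logon failure user2"),
]
EXPORT_2 = EXPORT_1[1:] + [
    (104, _ts("2002-02-11 00:05"), 528, "logon user2"),
    (106, _ts("2002-02-11 09:30"), 644, "lockout user3"),   # 105 never seen
]

if __name__ == "__main__":
    days, mark, gaps = archive_batch(EXPORT_1)
    print(mark, sorted(days), gaps)
    days, mark, gaps = archive_batch(EXPORT_2, mark)
    print(mark, {d: len(v) for d, v in days.items()}, gaps)
```

The watermark has to be stored between runs somewhere the collector can read it back; a non-empty `missing_ranges` means the export interval is too long for the configured log size.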