Server 2008 R2 Domain Controller Security Log...
Posted 8/4/2014 1:26:26 PM
Forum Newbie
Group: Forum Members
Last Login: 8/4/2014 11:57:25 AM
Posts: 2, Visits: 0
Trying to wrap my head around some conflicting information. Across the web I see references for a maximum security log size of 300 MB (UltimateWindowsSecurity.com) to 4 GB (Microsoft, probably more of a theoretical max). Many of the recommendations I found come in the middle (1-2 GB) with the caveat that filtering of the log may become problematic as it increases in size. Given I have a higher level of trust in UltimateWindowsSecurity I decided to pose a question here.

Generally speaking our only interest in the log size increase is as a redundancy to SIEM agents failing (we've seen this regularly with one product and moved to a different product recently). Unfortunately some domain controllers (DC) generate a lot of log data and our current setting (200 MB) retains less than one day. We are interested in increasing the log size to have 1 full day on the busiest DC as a fail-over. (We are using Advanced Audit to reduce the number of events recorded, but certain locations have a high number of events.)

While I know Randy has specified 300 MB several times as the maximum size for 2008 R2, I'm curious as to whether the only ill effect we might experience would be on the filtering end. If we can capture the data and not overly impact performance of the DC we could live with poor filtering performance (as it is a fail-over option). Wondering if anyone has comments regarding higher log sizes?
Post #1358
Posted 8/4/2014 6:28:45 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 183, Visits: 0
I have experience trying to filter through 12 million events on a domain controller in a day. At that quantity doing a search was nearly impossible. Queries would take an extremely long time or seemingly fail.
Post #1359
Posted 8/11/2014 5:11:26 PM
Forum Newbie
Group: Forum Members
Last Login: 8/4/2014 11:57:25 AM
Posts: 2, Visits: 0
That is the primary issue I am seeing others cite. However, given we have a SIEM this is mainly a fail-safe (it is highly unlikely we would filter on the DC). The SIEM's agent will pick up the events if the issue is fixed; our problem is that given the short window it is unlikely we would fix the issue before we began losing logs (in some instances). If our worst case is filtering issues, that is a performance problem we could live with.
Post #1369
Posted 9/8/2014 6:35:25 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 183, Visits: 0
If you're only worried about retaining logs and not actively using the Event Viewer to analyze them, then I don't see an issue with the maximum storage size for logging. The 300 MB is probably based on actively viewing the logs.
Post #1563
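The original question is really a sizing problem: how big must the Security log be so the busiest DC keeps a full day of events while the SIEM agent is down? The following PowerShell script is an added example, not code from the thread or from UltimateWindowsSecurity. It measures the bytes-per-day rate from what the log currently retains, reports a recommended maximum, and only changes the setting when asked. It assumes it is run elevated on the DC under Windows PowerShell with Get-WinEvent (Server 2008 R2 or later); the parameter names `$TargetDays`, `$SafetyFactor` and `$Apply` are hypothetical choices for this example.

```powershell
<#
Added example, not from the thread: estimate how large the Security log on this DC
must be to hold one full day of events (the question's fail-over goal), report the
estimate, and optionally apply it. Assumes: run elevated on the DC, Windows PowerShell
with Get-WinEvent (Server 2008 R2 or later). $TargetDays, $SafetyFactor and $Apply
are hypothetical parameters chosen for this example.
#>
param(
    [double]$TargetDays   = 1.0,   # retention goal from the question: one full day
    [double]$SafetyFactor = 1.5,   # headroom for logon storms or a slow SIEM fix (assumption)
    [switch]$Apply                 # change the log size only when explicitly asked
)

$log    = Get-WinEvent -ListLog Security                # current maximum, file size, record count
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest

$spanDays = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
if ($spanDays -le 0) { throw 'Security log spans less than a second; cannot estimate a rate.' }

# The rate can only be measured over what the log still retains, so a 200 MB log that
# wraps in under a day still yields a usable bytes-per-day figure.
$bytesPerDay  = $log.FileSize    / $spanDays
$eventsPerDay = $log.RecordCount / $spanDays

# Round the target up to a 64 KB boundary, the granularity used for event log sizes.
$recommended = [int64]([math]::Ceiling($bytesPerDay * $TargetDays * $SafetyFactor / 64KB) * 64KB)

[pscustomobject]@{
    CurrentMaxMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentFileMB = [math]::Round($log.FileSize / 1MB, 1)
    RetainedDays  = [math]::Round($spanDays, 2)
    EventsPerDay  = [math]::Round($eventsPerDay)
    RecommendedMB = [math]::Round($recommended / 1MB)
    LogMode       = $log.LogMode   # Circular = overwrite oldest events, the mode that loses data silently
}

if ($Apply) {
    # wevtutil's /ms: takes bytes. If the DC receives its log size from Group Policy
    # (Administrative Templates > Windows Components > Event Log Service > Security),
    # the GPO value wins and the change has to be made there instead.
    wevtutil sl Security "/ms:$recommended"
}
```

Run it without `-Apply` first on the busiest DC and compare `RetainedDays` against the target; the rate is measured per DC, so the poster's 200 MB log retaining less than a day on one DC says nothing about the others. The `EventsPerDay` figure is also the number to weigh against the moderator's experience with 12 million events per day: it is the volume, not the file size, that makes Event Viewer filtering painful, which is why a large log is harmless if the SIEM does the searching.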