No overwriting event log policy - How do you handle it?

edited July 2013 in General
I'm curious...

We have a policy that the Application, Security and System logs are set to not overwrite. The idea is that we are supposed to be offloading the events to another secure system. In our case it's this program called Event Sentry. Maybe you've heard of it?

I'm wondering how other people handle clearing out the event logs. Do you run a script of some sort or do you manually go in and delete the logs? Or are you using the 'EventLogFull' package?

I've barely touched the new 'EventLogFull' package except to do a global assignment of the package and set the notification. But it's not finding the systems I know are full either. I assume it's looking for event ID 6000, but I'm not getting those in my logs. They just fill up and stop, so no notifications are being sent.

I'm in the middle of a security audit so I can't look too closely at this but I wanted to bring it up.



  • An aside... can I point the backup logs to a file share? And what permissions does the file share need?

  • I got the file share working, but it's wide open to everyone. It's hidden, but obscurity is not valid security. And changing the account on over 100 server agents (and counting) is not feasible and, in our environment, might break a few things. You really should change this and add the ability to run as an account for things like this.

    In the meantime, I think I'm going to save the logs locally and then just push copies to my file server 30 minutes later. It's not ideal, but it will work.

  • Todd,

    My apologies for the late reply. Yes, obscurity is not a substitute for security. You can restrict the file share so that only the agents have access to it, by giving the computer accounts access to it. By default the agents run under the LocalSystem account, which is represented by the $ account name, e.g. SERVER01$.

    Since you have 100+ agents, it'd probably be easiest to create a group in AD and put all the servers running agents into that group (if you don't have that already). You can then give only those machines permission to access the share. When adding the computer accounts to the group and/or share, just make sure you include computer accounts in the search by checking the appropriate check box in the Windows dialog.

    You can further enhance the security of the share by only giving the computer accounts write access. That way, the agents can save the event log backups to the share, but not read existing backups. Consequently, even if an account on one of the servers were compromised, it would still not allow for the existing backups to be read.

    We also have a KB article on this; it's a bit older but generally still applies:

    Let us know if that helps.
  • Regarding your other question, I think you already decided to use the event log backup feature, which I would have suggested.

    If you size your event logs sufficiently large, then a frequent backup of the event logs should work as expected.

    We also have plans to enhance the event log backup functionality, so that it can back up and clear the event logs automatically, when they are full.
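The group-and-share approach described in the replies above, written out as an added PowerShell example (this is not Event Sentry's own code or documentation). It assumes the agents run as LocalSystem, so they authenticate to the share as the machine account (SERVER01$), and that the ActiveDirectory and SmbShare modules are available on a domain-joined file server. The group name, share name, folder path and OU are placeholders.

```powershell
# Added example, not Event Sentry's code: restrict an event log backup share
# so that only the computer accounts of servers running agents can write to it,
# and so that they cannot read back what is already there.
# Assumptions (placeholders): group name, share name, path and OU below.

Import-Module ActiveDirectory
Import-Module SmbShare

$GroupName = 'EventLogBackupAgents'     # assumed AD group name
$SharePath = 'D:\EventLogBackups'       # assumed local path on the file server
$ShareName = 'EventLogBackups$'         # trailing '$' hides it from browsing; that is not a security control
$ServerOU  = 'OU=Servers,DC=example,DC=com'   # assumed OU holding the agent servers
$Domain    = (Get-ADDomain).NetBIOSName
$GroupSid  = "$Domain\$GroupName"

# 1. A security group holding the computer accounts of every server that runs an agent.
#    A server picks up the new membership after a reboot or when its Kerberos ticket is renewed.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computer accounts allowed to write event log backups'
}
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ServerOU
Add-ADGroupMember -Identity $GroupName -Members $computers

# 2. The folder and the share. Share-level permission is Change (the minimum that
#    allows writing); effective access is the intersection of share and NTFS rights,
#    so the NTFS ACL in step 3 is what actually enforces write-only.
$null = New-Item -ItemType Directory -Path $SharePath -Force
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess $GroupSid
}
# Make sure the default Everyone entry is gone.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# 3. NTFS: stop inheriting from the parent, keep full control for admins and SYSTEM,
#    and give the agent group Write + Synchronize only. 'Write' on a folder means
#    CreateFiles/WriteData, CreateDirectories/AppendData and the attribute-write rights;
#    ReadData/ListDirectory and Delete are deliberately absent. Synchronize is needed
#    to open a handle at all.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$writeOnly = [System.Security.AccessControl.FileSystemRights]'Write, Synchronize'

foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, $full, $inherit, $prop, $allow)))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $GroupSid, $writeOnly, $inherit, $prop, $allow)))
Set-Acl -Path $SharePath -AclObject $acl

# 4. Review the result: the agent group should appear with 'Write, Synchronize' only.
(Get-Acl -Path $SharePath).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName
```

To confirm the behaviour from one of the agent servers, run a shell as SYSTEM (for example `psexec -s`): creating a file under `\\FILESERVER\EventLogBackups$` should succeed, while listing the folder or reading an existing backup should be denied. Two caveats: because the ACE uses ObjectInherit, the group has WriteData on files already in the folder, so this protects the confidentiality of existing backups (the point made in the reply) but not their integrity against a compromised member server; and if your agent version re-opens or overwrites its own backup file rather than creating a new one each time, test that it still works without Delete and Read rights before rolling this out to 100+ servers.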