Managing the Event Viewer

All OS security events in Windows NT, Windows 2000, and Windows XP are recorded in the Event Viewer security log. In addition, security-related events might be recorded in the application log and system log.

Before you enable audit policies, you must evaluate whether the default configuration of the log files in the Event Viewer is set properly for your organization. The default settings for the security event log are shown in Figure 12-1.

Figure 12-1. Security event log default settings

For each event log, you must determine the

  • Storage location

  • Maximum log file size

  • Overwrite behavior

Determining the Storage Location

By default, the security event log is stored in the %systemroot%\system32\config\ directory in a file named SecEvent.evt. In Windows XP, you can change the log file location in the Properties dialog box. In Windows NT 4.0 and Windows 2000, you must edit the registry to change the storage location of each log file. The path and file name for the security log are stored under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.

By default, only the System account and the Administrators group have access to the security event log to ensure that nonadministrators do not have access to read, write, or delete security events. If you move the log to a new location, ensure that the new file has the correct NTFS file system permissions. Because the Event Log service cannot be stopped, changes to this setting will not take place until after the server is rebooted.

Determining the Maximum Log File Size

By default, the maximum size that the security event log can reach before the overwrite behavior is initiated is 512 KB. Because hard disk space is more readily available now than in the past, you will likely want to increase this setting. How much you increase it depends on your overwrite behavior, but a general guideline is to set the maximum size to at least 50 MB. The maximum size that you should set an event log to is 300 MB. Each security event is 350 to 500 bytes, so a 10-MB event log will contain approximately 20,000 to 25,000 security events.

You can change the maximum size of the log file on individual computers in the security event log Properties dialog box or by editing the registry. You can also change the maximum log file size on many computers by using Group Policy security templates. The maximum size for the security event log is stored in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\MaxSize.

Configuring the Overwrite Behavior

When configuring the security event log settings, you must define what will happen when the maximum log file size is reached; this is known as the overwrite behavior. Windows NT 4.0 and later versions have three overwrite behavior settings:

  • Overwrite Events As Needed

    New events will continue to be written when the log is full. Each new event replaces the oldest event in the log.

  • Overwrite Events Older Than [x] Days

    Retain events in the log for the number of days you specify before overwriting events. The default is 7 days.

  • Do Not Overwrite Events

    New events will not be recorded, and the event log will need to be cleared manually.

In addition, you can configure the OS to shut down if security events cannot be written to the security audit log file. When this setting is enabled and events cannot be written to the security event log, the computer will initiate a stop error, commonly known as the Blue Screen of Death, with the following error message:

STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed

After this stop error has occurred, only members of the local Administrators group will be allowed to log on, to troubleshoot why the events cannot be written to the event log. Until events can be written to the event log, the computer will not operate normally. This is an important setting for high-security environments because it ensures that all security events are recorded. However, a large number of security events generated by an attacker or network problem could cause a denial-of-service condition. Similarly, shutting down the server might not necessarily be in accordance with availability service level agreements (SLAs). If your organization has high security needs and high availability needs, you should implement a method of removing auditing events from the system programmatically.

You can configure Windows NT 4.0 and later versions to shut down if security events cannot be logged by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail to 1.

Unless you have a centralized auditing system, such as the Microsoft Operations Manager or the Microsoft Auditing Control System, you will need to carefully evaluate which overwrite behavior settings are best for your organization. In general, you will want to ensure that the security event log is large enough to record all events that occur between one archival of events and the next.
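The three settings discussed above (storage location and its NTFS permissions, maximum log file size, and overwrite behavior together with CrashOnAuditFail) can be checked from the registry in one pass. The following PowerShell script is an added example and is not code from the Resource Kit; it assumes a Windows host with PowerShell, read access to the registry keys named in this section, and the same Eventlog\Security key layout the text describes. The value names File and Retention are not named on this page; they are the documented names of the storage-location and overwrite-behavior values under that key, and the thresholds (50 MB, 300 MB, 350 to 500 bytes per event) are the guidelines from the text.

```powershell
# Added example (not from the Resource Kit): audit the local security event log
# configuration against the guidelines in this section and list findings.
# Assumptions: Windows host with PowerShell, read access to the keys below,
# and the Eventlog\Security registry layout the text describes. The value
# names File and Retention are the documented names of the storage-location
# and overwrite-behavior values; they are not named on this page.

$eventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$minSizeBytes      = 50MB     # text: at least 50 MB
$maxSizeBytes      = 300MB    # text: no more than 300 MB
$allowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# REG_DWORD values are returned as signed Int32, so 0xFFFFFFFF reads as -1.
# Normalize to UInt32 so the "Do Not Overwrite" sentinel compares cleanly.
function ConvertTo-UInt32 ($value) {
    if ($null -eq $value) { return $null }
    return [uint32]([int64]$value -band 4294967295)
}

$findings = New-Object System.Collections.Generic.List[string]
$log = Get-ItemProperty -Path $eventLogKey
$lsa = Get-ItemProperty -Path $lsaKey

# --- Storage location: only SYSTEM and Administrators should hold ACEs -----
$logPath = if ($log.File) { [Environment]::ExpandEnvironmentVariables($log.File) }
           else { Join-Path $env:SystemRoot 'system32\config\SecEvent.evt' }  # default from the text

if (Test-Path -LiteralPath $logPath) {
    foreach ($ace in (Get-Acl -LiteralPath $logPath).Access) {
        if ($allowedPrincipals -notcontains $ace.IdentityReference.Value) {
            $findings.Add("ACL: $($ace.IdentityReference) has $($ace.FileSystemRights) on $logPath")
        }
    }
} else {
    $findings.Add("Location: no log file found at $logPath")
}

# --- Maximum log file size -------------------------------------------------
$maxSize = ConvertTo-UInt32 $log.MaxSize
if ($null -eq $maxSize) { $maxSize = [uint32]512KB }   # text: default is 512 KB
if ($maxSize -lt $minSizeBytes) {
    $findings.Add("Size: MaxSize is $($maxSize / 1MB) MB, below the 50 MB guideline")
} elseif ($maxSize -gt $maxSizeBytes) {
    $findings.Add("Size: MaxSize is $($maxSize / 1MB) MB, above the 300 MB ceiling")
}
# Capacity estimate from the text's 350 to 500 bytes per event.
$capacity = '{0:N0} to {1:N0} events' -f [math]::Floor($maxSize / 500), [math]::Floor($maxSize / 350)

# --- Overwrite behavior ----------------------------------------------------
# Retention: 0 = Overwrite Events As Needed; 0xFFFFFFFF = Do Not Overwrite
# Events; any other value is the "older than" window in seconds.
$retention = ConvertTo-UInt32 $log.Retention
$mode = if ($null -eq $retention)                 { 'not set' }
        elseif ($retention -eq 0)                 { 'Overwrite Events As Needed' }
        elseif ($retention -eq [uint32]::MaxValue) { 'Do Not Overwrite Events' }
        else { "Overwrite Events Older Than $([math]::Round($retention / 86400)) Days" }

$crash = ConvertTo-UInt32 $lsa.CrashOnAuditFail
if ($retention -eq [uint32]::MaxValue -and $crash -ne 1) {
    $findings.Add('Overwrite: Do Not Overwrite Events without CrashOnAuditFail; a full log stops recording until cleared')
}
if ($crash -eq 1) {
    $findings.Add('Availability: CrashOnAuditFail=1; an audit failure halts the computer, so schedule event archival')
}

# --- Report ----------------------------------------------------------------
"Security log     : $logPath"
"MaxSize          : $maxSize bytes (about $capacity)"
"Overwrite mode   : $mode"
"CrashOnAuditFail : $(if ($null -eq $crash) { 'not set' } else { $crash })"
if ($findings.Count -eq 0) { 'No findings.' } else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

Run it in an elevated session, since the security log file and the Lsa key are readable only by administrators by default. The ACL check reports every access control entry whose principal is not SYSTEM or Administrators, which is the condition to verify after moving the log to a new location; the size and overwrite checks only read the registry, so the script makes no changes and needs no reboot.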


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189