Event Log Policy Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Event Log
The Event Log service records events on the system by writing to one of three default logs that you can read in Event Viewer: the security, application, and system logs. The security log records audit events. You use the settings under Event Log to specify attributes of the security, application, and system logs, such as maximum log size, access rights for each log, and retention settings and methods.
Event Log policy settings can be configured in the following location in Group Policy Object Editor:
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Maximum event log size (settings for application, security and system logs)
Note
- Misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
These policy settings specify the maximum size of the application, security, and system logs. Although you can specify values as large as 4 GB in Group Policy Object Editor and Event Viewer, there are factors that make the effective maximum size for these logs much smaller.
The Event Log service uses memory-mapped files, and it runs as Eventlog.dll, one of the services under the Services.exe process. When files are loaded in this way, the entire file is loaded into system memory. All of the current versions of Windows have an architectural limitation regarding memory-mapped files: no process can have more than 1 GB of memory-mapped files in total. This means that all of the services running under the Services.exe process must share the 1-GB pool. The memory is assigned as contiguous 64-KB chunks of memory. If the system is unable to assign additional memory needed to expand memory-mapped files, problems will arise.
For the Event Log service, this means that regardless of how large the log has been configured to be, events might no longer be written to the log. Error messages will not be displayed. The events will simply not appear in the event log, or they might overwrite other events that have been recorded previously. Fragmentation of the log files in memory has also been shown to lead to significant performance problems on busy systems.
Due to these limitations — even though the theoretical limit for memory-mapped files suggests that you should be able to configure up to 1 GB for all the event logs, and you can actually specify as much as 4 GB per log — Microsoft has verified that the practical size limit for all event logs combined is around 300 megabytes (MB) on most servers. On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs — plus the Directory Service, File Replication Service, and DNS Server logs — should not exceed 300 MB.
These limitations have caused problems for some Microsoft customers, but addressing them will require fundamental changes to the architecture for recording system events. Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up.
Although you will need to use trial and error to determine the best log size for a particular server, you can use the fact that the average event writes about 500 bytes to each log. Estimate the average number of events generated each day for each type of log in your enterprise. Remember that log file sizes must be a multiple of 64 KB.
For example, if your file server generates 5,000 events per day in its security log and you want to ensure that you have at least four weeks of data available at all times, you want to set the size of that log to about 70 MB (500 bytes 5,000 events/day 28 days = 70,000,000 bytes.) Then, check the servers occasionally over the following four weeks to verify that the logs are retaining enough events. Event log size and log wrapping should be configured to match the business and security requirements you determined when you designed your enterprise security plan.
The possible values for this Group Policy setting are:
- A user-defined number of kilobytes from 64 through 4,194,240; however, it must be a multiple of 64.
If you significantly increase the number of objects to audit in your organization, you run the risk of filling the security log to capacity and thus forcing the system to shut down. If this occurs, the system will be unusable until an administrator clears the security log. To prevent this, disable the Audit: Shut down system immediately if unable to log security audits policy setting and increase the security log size.
All computers in your organization should have sensible log size policy settings enabled so that legitimate users can be held accountable for their actions, unauthorized activity can be detected and tracked, and system problems can be detected and diagnosed.
When event logs fill to capacity, entries can no longer be written to them unless the retention method for each is set so that the system will overwrite the oldest entries with the most recent ones. The risk of the event logs’ not containing recent entries can be mitigated by setting the retention method so that older events are overwritten as needed. The consequence of this action is that older events will be removed from the logs. Attackers can use this to their advantage by generating a large number of extraneous events to overwrite any evidence of their attack.
Ideally, all specifically monitored events will be sent to a server by using Microsoft Operations Manager (MOM) or some other automated monitoring tool. This is particularly important because an attacker who successfully compromises a server could clear the security log. If all events are sent to a monitoring server, you will be able to gather post-incident forensic information about the attacker’s activities.
Maximum application log size
Note
- Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
16384 KB |
DC Effective Default Settings |
16384 KB |
Member Server Effective Default Settings |
16384 KB |
Maximum security log size
Note
- Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
16384 KB |
DC Effective Default Settings |
16384 KB |
Member Server Effective Default Settings |
16384 KB |
Maximum system log size
Note
- Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
16384 KB |
DC Effective Default Settings |
16384 KB |
Member Server Effective Default Settings |
16384 KB |
Prevent local guests group from accessing application log
The Prevent local guests group from accessing application log policy setting determines whether guests are prevented from accessing the application log.
The possible values for this Group Policy setting are:
Enabled.
Disabled.
Not defined.
Discussion
An attacker who has successfully logged on to a computer with guest user rights can learn important information about the system by viewing the application log. The attacker might then use this information to launch additional attacks.
It is advisable to enable this policy setting.
This policy setting does not appear in the Local Computer Policy object. It only affects computers running Windows 2000, Windows XP, and Windows Server 2003.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Not defined |
DC Effective Default Settings |
Enabled |
Member Server Effective Default Settings |
Enabled |
Prevent local guests group from accessing security log
The Prevent local guests group from accessing security log policy setting determines whether guests are prevented from accessing the security log.
The possible values for this Group Policy setting are:
Enabled.
Disabled.
Not defined.
Discussion
An attacker who has successfully logged on to a computer with guest user rights can learn important information about the system by viewing the security log. The attacker might then use this information to launch additional attacks.
It is advisable to enable this policy setting.
This policy setting does not appear in the Local Computer Policy object. It only affects computers running Windows 2000,Windows XP, and Windows Server 2003.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Not defined |
DC Effective Default Settings |
Enabled |
Member Server Effective Default Settings |
Enabled |
Prevent local guests group from accessing system log
The Prevent local guests group from accessing system log policy setting determines whether guests are prevented from accessing the system log.
The possible values for this Group Policy setting are:
Enabled.
Disabled.
Not defined.
Discussion
An attacker who has successfully logged on to a computer with guest user rights can learn important information about the system by viewing the system log. The attacker might then use this information to launch additional attacks.
It is advisable to enable this policy setting.
This policy setting does not appear in the Local Computer Policy object. It only affects computers running Windows 2000,Windows XP, and Windows Server 2003.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Not defined |
DC Effective Default Settings |
Enabled |
Member Server Effective Default Settings |
Enabled |
Retain application log
The Retain application log policy setting determines how many days’ worth of events to retain, if the retention method specified for the log is By Days.
The possible values for this Group Policy setting are:
A user-defined number of days from 1 through 365.
Not defined.
Discussion
If you archive the log at scheduled intervals, in the property sheet for this policy setting, specify the appropriate number of days and select Overwrite events by days for the event log retention method. Also, ensure that the maximum log size is large enough to accommodate the amount of information you want to gather during the archive interval.
It is advisable to set the value of the Retain event logs policy setting for all three event logs to Not defined.
This policy setting does not appear in the Local Computer Policy object. A user must have been assigned the Manage auditing and security log user right to access the security log.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Not defined |
DC Effective Default Settings |
Not defined |
Member Server Effective Default Settings |
Not defined |
Retain security log
The Retain security log policy setting determines how many days’ worth of events to be retained, if the retention method specified for the log is By Days.
The possible values for this Group Policy setting are:
A user-defined number of days from 1 through 365.
Not defined.
Discussion
If you archive the log at scheduled intervals, in the property sheet for this policy setting, specify the appropriate number of days and select Overwrite events by days for the event log retention method. Also, ensure that the maximum log size is large enough to accommodate the amount of information you want to gather during the archive interval.
It is advisable to set the value of the Retain event logs policy setting for all three event logs to Not defined.
This policy setting does not appear in the Local Computer Policy object. A user must have been assigned the Manage auditing and security log user right to access the security log.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Not defined |
DC Effective Default Settings |
Not defined |
Member Server Effective Default Settings |
Not defined |
Retain system log
The Retain system log policy setting determines how many days’ worth of events to be retained, if the retention method specified for the log is By Days.
The possible values for this Group Policy setting are:
A user-defined number of days from 1 through 365.
Not defined.
Discussion
If you archive the log at scheduled intervals, in the property sheet for this policy setting, specify the appropriate number of days and select Overwrite events by days for the event log retention method. Also, ensure that the maximum log size is large enough to accommodate the amount of information you want to gather during the archive interval.
It is advisable to set the value of the Retain event logs policy setting for all three event logs to Not defined.
This policy setting does not appear in the Local Computer Policy object. A user must have been assigned the Manage auditing and security log user right to access the security log.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Not defined |
DC Effective Default Settings |
Not defined |
Member Server Effective Default Settings |
Not defined |
Retention method for event log (separate policy settings for application, security and system logs)
Note
- Misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
The Retention method for event log policy settings determine the wrapping method for the application, security, and system logs.
If you do not want to archive the logs, in the property sheet for this policy setting, select the Define this policy setting check box, and then click Overwrite events as needed.
If you want to archive the log at scheduled intervals, in the property sheet for this policy setting, select the Define this policy setting check box, click Overwrite events by days, and then specify the appropriate number of days in the Retain application log policy setting. Ensure that the maximum log size is large enough to accommodate the amount of information you expect to gather during the archive interval.
If you must retain all the events in the log, in the property sheet for this policy setting, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This value requires that the log be cleared manually. When the maximum log size is reached, new events are not written to the log, they are discarded.
The possible values for these Group Policy settings are:
Overwrite events by days.
Overwrite events as needed.
Do not overwrite events (clear log manually).
Not defined.
These policy settings do not appear in the Local Computer Policy object.
If you significantly increase the number of objects you audit in your organization, you run the risk of filling the security log to capacity and thus forcing the system to shut down. If this occurs, the system will be unusable until an administrator clears the security log. To prevent this, disable the Audit: Shut down system immediately if unable to log security audits policy setting and then increase the security log size.
If you set the value of Event log retention method to Do not overwrite events (clear log manually) or Overwrite events by days, important recent events might not be recorded, or you might suffer a denial-of-service attack.
It is advisable to set Event log retention method for all three event logs to the value Overwrite events as needed. Some resources recommend configuring this policy setting to Do not overwrite events (clear log manually); however, the administrative burden that this setting imposes is too high for most organizations. Ideally, all significant events will be sent to a monitoring server by using MOM or some other automated monitoring tool.
Retention method for application log
Note
- Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Overwrite as needed |
DC Effective Default Settings |
Overwrite as needed |
Member Server Effective Default Settings |
Overwrite as needed |
Retention method for security log
Note
- Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Overwrite as needed |
DC Effective Default Settings |
Overwrite as needed |
Member Server Effective Default Settings |
Overwrite as needed |
Retention method for system log
Note
- Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Default Values
| Server Type or GPO | Default Value |
|---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Not defined |
Stand-Alone Server Default Settings |
Overwrite as needed |
DC Effective Default Settings |
Overwrite as needed |
Member Server Effective Default Settings |
Overwrite as needed |