
Adjusting Security Event Log Size and Retention Settings

Defining the Security event log size is essential for change auditing. If the log size is insufficient, overwrites may occur before data is written to the Long-Term Archive and the Audit Database, and some audit data may be lost.

To prevent overwrites, you can increase the maximum size of the Security event log and set the retention method for this log to “Overwrite events as needed”.

To adjust your Security event log size and retention method, follow the procedure described below.

NOTE: To read about event log settings recommended by Microsoft, refer to this article.

To increase the maximum size of the Security event log and set its retention method

  1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start > Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) > Group Policy Management.

  2. In the left pane, navigate to Forest: <forest_name> > Domains > <domain_name> > Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.

  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log and double-click the Maximum security log size policy.

  4. In the Maximum security log size Properties dialog, select Define this policy setting and set the maximum security log size to "4194240" kilobytes (4 GB).

  5. Select the Retention method for security log policy. In the Retention method for security log Properties dialog, check Define this policy and select Overwrite events as needed.

  6. Navigate to Start > Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.

Auto-archiving Security Log (optional)

If the "Overwrite" option is not enough to meet your data retention requirements, you can use the auto-archiving option for the Security event log to preserve historical event data in archive files. This option can be enabled centrally for all domain controllers using the procedure described below. In this scenario, the log is automatically archived whenever it fills up, so no events are overwritten.

To enable Security log auto-archiving centrally for all domain controllers

  1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start > Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) > Group Policy Management.

  2. In the left pane, navigate to Forest: <forest_name> > Domains > <domain_name> > Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.

  3. Navigate to Computer Configuration > Policies. Right-click Administrative Templates: Policy definitions and select Add / Remove templates. Click Add in the dialog that opens.

  4. In the Policy Templates dialog, navigate to %Netwrix Auditor Server installation folder%/Active Directory Auditing, select the Log Autobackup.adm file (if the product is installed on a different computer, copy this file to the domain controller), and click Open to add the template.

  5. Navigate to Computer Configuration > Policies > Administrative Templates: Policy Definitions > Windows Components > Event Log Service > Security. Do the following:

    On...                            Select...                                                                 Set to...
    Windows Server 2012 or later     • Back up log automatically when full                                     "Enabled"
                                     • Control Event Log behavior when the log file reaches its maximum size
    Windows Server 2008 / 2008 R2    • Back up log automatically when full                                     "Enabled"
                                     • Retain old events

  6. Navigate to Start > Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.
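After either of the two procedures above has been applied, the following PowerShell script (an added verification example, not part of the Netwrix documentation or product) reports the effective Security log size and retention mode on every domain controller and flags the ones that do not match. It assumes the RSAT ActiveDirectory module is available and that WinRM is reachable on the domain controllers; the 4194240 KB value is the one set in step 4 of the first procedure.

```powershell
# Added verification script (not from the Netwrix documentation). Reports the
# effective Security log configuration on each DC as seen by the Event Log service.
# Assumes: RSAT ActiveDirectory module present and WinRM access to all DCs.
$ExpectedMaxBytes = 4194240KB                 # 4194240 KB, as set in step 4 above
$AcceptableModes  = 'Circular', 'AutoBackup'  # Circular = "Overwrite events as needed",
                                              # AutoBackup = "Back up log automatically when full"
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode     = $log.LogMode.ToString()   # Circular, AutoBackup or Retain
        FileSizeMB  = [math]::Round($log.FileSize / 1MB)
        RecordCount = $log.RecordCount
    }
}

foreach ($r in ($results | Sort-Object DC)) {
    $issues = @()
    if ($r.MaxSizeMB -lt [math]::Round($ExpectedMaxBytes / 1MB)) {
        $issues += "max size $($r.MaxSizeMB) MB is below the expected $([math]::Round($ExpectedMaxBytes / 1MB)) MB"
    }
    # Retain ("Do not overwrite events") stops logging when the log is full,
    # which is the case the procedures above are meant to prevent.
    if ($r.LogMode -notin $AcceptableModes) {
        $issues += "retention mode '$($r.LogMode)' can stop auditing when the log is full"
    }
    if ($issues.Count -gt 0) {
        Write-Warning ("{0}: {1}" -f $r.DC, ($issues -join '; '))
    }
}

$results | Sort-Object DC |
    Format-Table DC, MaxSizeMB, LogMode, FileSizeMB, RecordCount -AutoSize
```

Run it again after gpupdate /force has completed on the domain controllers; a DC still showing LogMode "Retain" or a small MaxSizeMB has not received the policy.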

With automatic log backup enabled, you may want to adjust the retention settings for the log archives (backups). The default retention period for these files is 50 hours; when it expires, the log archives are deleted. To adjust this setting, follow the procedure described below.

To configure the retention period for the backup logs

  1. On the computer where Netwrix Auditor Server is installed, open Registry Editor: navigate to Start > Run and type "regedit".

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix Auditor\AD Change Reporter.

  3. In the right pane, right-click and select New > DWORD (32-bit) Value.

    NOTE: For the backup logs retention functionality to work properly, you need to specify the CleanAutoBackupLogs name for the newly created registry value.

  4. Double-click CleanAutoBackupLogs. The Edit DWORD Value dialog will open.

    This value defines the time period (in hours) after which Security event log archives are automatically deleted from the domain controllers. By default, it is set to "50" (decimal). Modify this value if necessary, and click OK to save the changes.

    NOTE: If the CleanAutoBackupLogs registry value is set to "0", you will have to remove the old automatic backups manually, or you may run out of space on your hard drive.
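The following script (an added monitoring example, not part of the Netwrix documentation or product) reads CleanAutoBackupLogs on the Netwrix Auditor Server and reports, per domain controller, how many archived Security logs are older than that retention period and how much disk they occupy, which is the situation the note above warns about. It assumes the archives are the ones Windows writes on auto-backup to %SystemRoot%\System32\winevt\Logs as Archive-Security-*.evtx, that the RSAT ActiveDirectory module is present, and that WinRM is reachable on the domain controllers; it only reports and deletes nothing.

```powershell
# Added monitoring script (not from the Netwrix documentation). Run on the
# Netwrix Auditor Server. Assumes the Windows default auto-backup location and
# file naming (Archive-Security-*.evtx under winevt\Logs) on the DCs.
$regPath = 'HKLM:\SOFTWARE\Wow6432Node\Netwrix Auditor\AD Change Reporter'
$hours = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).CleanAutoBackupLogs
if ($null -eq $hours) { $hours = 50 }   # product default documented above

if ($hours -eq 0) {
    Write-Warning 'CleanAutoBackupLogs is 0: archives are never removed automatically; watch disk space.'
    $cutoff = Get-Date          # with no retention, treat every archive as accumulated
} else {
    $cutoff = (Get-Date).AddHours(-$hours)
}

$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ArgumentList $cutoff -ScriptBlock {
    param([datetime]$Cutoff)
    $dir      = Join-Path $env:SystemRoot 'System32\winevt\Logs'
    $archives = @(Get-ChildItem -Path $dir -Filter 'Archive-Security-*.evtx' -ErrorAction SilentlyContinue)
    $stale    = @($archives | Where-Object LastWriteTime -lt $Cutoff)
    $sumBytes = ($archives | Measure-Object -Property Length -Sum).Sum
    $free     = (Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free
    [pscustomobject]@{
        DC                 = $env:COMPUTERNAME
        Archives           = $archives.Count
        ArchivesGB         = [math]::Round($sumBytes / 1GB, 2)
        OlderThanRetention = $stale.Count     # should be 0 if cleanup is working
        SystemDriveFreeGB  = [math]::Round($free / 1GB, 2)
    }
} | Sort-Object DC |
    Format-Table DC, Archives, ArchivesGB, OlderThanRetention, SystemDriveFreeGB -AutoSize
```

A non-zero OlderThanRetention on a DC means archives are outliving the configured period and the cleanup is not reaching that controller.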
