Maximum log size should be set to any kind of event logs, as part of your security policy. This configuration’s value is highly important for detecting attacks and investigating their source. Allocating insufficient storage space will lead to information loss of what happened in the network, therefore breaches could remain undetected. The following article will present everything you need to know about configuring maximum security log size.
This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file maximum size will be set to the local configuration value. This value can be changed by the local administrator using the log properties dialog and it defaults to 20 megabytes. For backward compatibility, the same setting can also be configured at Computer Configuration\Windows Settings\Security Settings\Event Log, if set at both locations this one will take precedence.
If you significantly increase the number of objects to audit in your organization, there is a risk that the Security log will reach its capacity and force the computer to shut down if you enabled the Audit: Shut down system immediately if unable to log security audits setting. If such a shutdown occurs, the computer will be unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting that is described in Chapter 5, “Security Options,” and increase the Security log size. Alternatively, you can configure automatic log rotation.
You should enable sensible log size policies for all computers in your organization so that legitimate users can be held accountable for their actions, an unauthorized activity can be detected and tracked, and computer problems can be detected and diagnosed.
When event logs reach capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones.
The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration by generating a large number of extraneous events to overwrite any evidence of their attack. These risks can be reduced if you automate the archival and backup of event log data.
Ideally, all specifically monitored events should be sent to a server that uses an automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker’s activities.
CIS recommended value: 196608 KB
CalCom’s recommended value: 196608 KB
The Event Log files don’t take up a lot of disk space (e.g., the System event log by default only uses 16MB), but you can adjust the size of an event log so that it uses more or less disk space depending upon your needs.
HOW TO CONFIGURE THE SECURITY EVENT LOG:
- Log in to the computer using a user account with domain administrator privileges.
- Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.
- Expand Forest > Domains > domainName > Domain Controllers.
- Right-click Default Domain Controllers Policy, and then click Edit.
- Expand Computer configuration > Policies > Windows Settings > Security Settings.
- Select Event Log and configure Maximum security log size to a size of no less than 196608 KB.
- Configure Retention method for security log to Overwrite events as needed.
- Return to the command prompt, type gpUpdate, and then press Enter.
To verify this configuration and ensure Active Directory events are not discarded before processing:
- Open a command prompt as an administrator.
- At the command line, type eventvwr to start the Event Viewer.
- In Windows logs, right-click Security, and select Properties.
- Verify the settings reflect a maximum log size of no less than 196608 KB, and the selection to Overwrite events as needed.
AUTOMATE YOUR SERVER HARDENING:
Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CSH by CalCom is automating the entire server hardening process. CHS’s unique ability to ‘learn’ your network abolishes the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production hassle-free. want to know more?