Compartir a través de

Event Logging policy settings in Windows Server 2008 and Vista

  • Artículo

 Mike here again. Today I’m focusing on policy settings for the Event Logging Service.

For clarity, these settings control the Event Logging service; the service responsible for capturing and writing events throughout Windows. These policy settings do not affect the Event Viewer application.

These are some powerful policy settings that allow you to configure five settings for Application, Security, Setup, and System event logs. These categories and their policy settings are located under Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.

The Log File Path policy setting, when enabled, allows you to provide a specific location where the Event Log service writes its log file. You must provided path and filename when relocating where Windows writes the log file.

Next is the Maximum Log file size policy. When enabled, this policy allows you to specify the maximum size of the event log. It supports sizes between one megabyte and two terabytes and uses one-kilobyte increments.

image

Figure 1 Event Log Service Policy Settings

The next two policy settings are related. The Event Logging service uses the Retain old events and Backup log automatically when full policy settings when the event log reaches the maximum file size (defaults to 20 MB or the value specified in the Maximum Log size policy setting). With the Retain Old Events policy setting enabled, the Event Logging service stops writing new events to the event log when the log file reaches or exceeds the maximum value and you lose all new events. With this policy setting disabled, new events overwrite old events. When you enabling the Backup log automatically when full and the Retain old events policy settings, the Event Log service closes the current event log, renames it, and then creates a new log. The Backup log automatically when full policy setting works only when you enable Retain old events policy setting.

image

Figure 2 Maximum Log Size Policy Setting

The last setting and one that I think is the most beneficial is the Log Access setting. Enabling this setting allows you to enter a security descriptor for the log file. The security descriptor controls who can read, write, or clear the event log. You enter the security descriptor using Security Definition Description Language (SDDL), which is document on MSDN(https://msdn.microsoft.com/library/en-us/secauthz/security/security_descriptor_string_format.asp). Also, my esteemed colleague Jim provides a two-part blog series about SDDL (https://blogs.technet.com/askds/archive/2008/04/18/the-security-descriptor-definition-language-of-love-part-1.aspx and https://blogs.technet.com/askds/archive/2008/05/07/the-security-descriptor-definition-language-of-love-part-2.aspx).

Finally, I should mention that these new policy settings have precedence over the older Windows Server 2003 and Windows XP security policy setting that manage Event Logs. Both settings can exist in the same Group Policy object and apply only to the respective operating systems for the policy setting.

image

These new policy settings for the Event Logging service provide more flexibility and control from earlier versions. Using Group Policy to control where event logs are written, how large they can grow, how they are preserved, and who can manage them are key to change control and security auditing. You can implement these policy settings in your existing Group Policy objects and they will not affect operating systems earlier than Windows Vista.

- Mike Stephens

Comments

  • Anonymous
    August 14, 2008
    Hi In the article you are wrote about option LogFilePath: "You only provide a path location; Windows maintains the file name." I checked this and if name of log file not entered - option does not working. In my lab this is working if option LogFilePath has a value: LogFilePath = c:<folder_name><file_name>.evtx If value is: LogFilePath = c:<folder_name> it not working. Thanks P.S. sorry for my english

  • Anonymous
    August 14, 2008
    The comment has been removed

  • Anonymous
    August 14, 2008
    Ask the Directory Services Team : MCS Talks Infrastructure Architecture joeware - never stop exploring…

  • Anonymous
    August 18, 2008
    135 Microsoft Team blogs searched, 70 blogs have new articles in the past 7 days. 177 new articles found

  • Anonymous
    August 18, 2008
    The comment has been removed

  • Anonymous
    August 18, 2008
    The comment has been removed

  • Anonymous
    August 19, 2008
    The comment has been removed

  • Anonymous
    August 19, 2008
    (Whoops - I gave a bad link last time - should have been: http://support.microsoft.com/kb/323076) I'm not 100% sure about your repro. It's possible that members of Administrators are special-cases to prevent them from being locked out of reading critical log info. Try again with your test user being only a domain user and not a member of all those other groups.

  • Anonymous
    November 27, 2008
    Good info - thanks. When I look at the properties of newly-built Windows 2008 server, the maximum log size dialog shows as 2048KB (2MB) and not 20MB as you indicate above. Tony

  • Anonymous
    October 19, 2010
    Hi Is there a policy GPO for a file ForwardedEvents.evtx? Or have to use the regedit? I want to move it to another disk. Thanks P.S. sorry for my english

  • Anonymous
    October 19, 2010
    You will need to edit the registry (in theory at least; I have no idea if this event log is allowed to be moved). But like all things, you could use Group Policy Preferences to handle this.

  • Anonymous
    November 30, 2010
    The comment has been removed

  • Anonymous
    November 30, 2010
    Hi, You will need to ask someone familiar with C# coding to debug your code. Since you've gotten the steps working with just the event viewer, I know the permissions are correct overall, or it would fail also.