Step-By-Step Guides  
 

Step-By-Step Guides

Article created 2003-05-12 by Rainer Gerhards.

Configuring Windows for the Event Log Monitor

The event log monitor service pulls events from the Windows event logs. In Windows' default setup, the information contained in the logs is sparse and far from sufficient for security monitoring. If you are solely interested in checking system health, the default setting can be sufficient. If you are interested in security monitoring, you definitely need to change some settings in order to receive a useful result. This will be described in detail later in this section.

No matter what your logging needs are, you need to change the log file overwrite mode. Windows uses a circular buffer for each event log. Once the log file maximum size is reached, whenever a new event is written, an old one is overwritten. This is no problem if the log file size is large enough – and the default typically is – because the event log monitor retrieves log entries on a regular basis and forwards them to the configured destination. As such, no event is lost when an old one is overwritten. However, in default setup, Windows will stop writing events to the event logs when these logs are full and events younger than 7 days would be overwritten. Windows indicates this by placing a respective event into the system log , which of course will not help us retrieve any of the lost logs.

As such, we highly recommend that the log mode is set to "Overwrite as needed" instead to "Overwrite after 7 Days". In addition, we recommend extending the size of the event log files to 10 to 20 MB. This is just a security precaution – but with today's hard disk sizes it does not really matter if 100 MB or so are set aside as an additional buffer for unusual high log activity.

Please note that the CERT advises to increase the log size but also advises not to allow Windows to overwrite the log files. Adiscon's recommendation is not in contrast to the CERT advisory as the event log monitor takes care of the events before they can be overwritten. And, once to repeat, not allowing to overwrite logs can lead to lost log entries, even is a large amount of log space is set aside. A malicious user might first generate a massive amount of log data before the actual attack is carried out.

MonitorWareConsole
 Home
 The Products
General Information
MonitorWare Products
Which one to Purchase?
Order and Pricing
Upgrade Insurance Info
News Releases
Version History
Product Tour
 - Screenshots
 Event Repository
 Download
 Reference library
Common Uses
Centralized monitoring
Security Reference
 Help
Step by Step Guides
Support
Manual
FAQ
 - All
 - General questions
 - Configurations related
 - Monitorware Agent
 - Monitorware Console
Articles
Seminars Online
 - All
 - General
 - MonitorWare Console
 - MonitorWare Agent
 - WinSyslog related
 - EventReporter
 Order & pricing
Order now
Pricing Information
Upgrade Insurance Info
Local Reseller
 Contact Us
 Search
 
 



Printer Version Send this page to a friend

Copyright © 1988-2005 Adiscon GmbH All rights reserved.
Contact us via Secure Web Response | Privacy Policy
Topic Links: syslog | Free Weblinks Directory