Event Log Size

Guest

Are there limits for the maximum event log size (either individual logs or
encompassing all of the logs)? I came across the following Q article:
Event log may not grow to configured size
http://support.microsoft.com/default.aspx?scid=kb;en-us;183097

At this time we are thinking about increasing the Security Event Log size on
our Domain Controllers and want to know if we should be concerned about what
we set the maximum size to. I'm only thinking to the 200-300 MB range
(system and app are currently set at 16 MB).
Any recommendations on the Security Event Log size for DCs?
 
Steven L Umbach

I have not seen that KB and thanks for posting it. Obviously there is a
problem if they issued that KB. I would think it is best to abide by it and
keep the total size of all the logs below 300MB. According to their guidance
you should still be able to set your security log at 200MB if the other ones
are at 16MB. The other thing to consider is to not over audit. In general
you do not want to enable auditing of object access, process tracking,
directory access, and privilege use as a regular routine. Of course auditing
of object access is necessary if you are auditing any folders/printers and
directory access is necessary if auditing AD objects. --- Steve
 
Roger Abell

In general the system and application logs on a DC grow quite slowly
compared to the security log, for which it can be very hard to maintain
many days' worth of events, depending on factors such as what is audited and
size of domain vs number of controllers, etc.
One thing not mentioned in the KB you referenced is that the event logs
are handled as memory-mapped files, which means that for machines
with a small amount of RAM (not likely your situation) having large logs
can noticeably cut into available physical/virtual memory.

You may find the following KB also of interest, particularly its mention
of issues when the security event log is in a size range of from 200 to
600 meg (which conflicts with the info in the KB you referenced) and
its outlining of how to configure the event logs for automatic backup.
http://support.microsoft.com/default.aspx?scid=kb;en-us;312571
 
GeeB

This link explains the limitation pretty good:

http://www.microsoft.com/technet/pr...Ref/5a86ab0f-c7eb-45ed-9e5e-514173bf15e3.mspx

It was (and still is to many) one of the best kept secrets of the event log
size limitation for many many years (problem exists from NT to all current
versions of Windows). It has been so elusive as I know of only 2 documents
that explain this limitation, while there is a plethora of
articles/KB's/whitepapers, etc that note the event log can be 'set' as large
as 4GB.

Essentially, calculate all log files to be no more than 300 MB in total.

GeeB
 
Roger Abell

That does discuss it well.
Thanks for the link, as you are correct, it is little mentioned.
 
Guest

As the TechNet article indicates, the event log has been rewritten for
Windows Vista. It no longer uses memory-mapped files, and there is no hard
limit to log size except for disk space.

cheers
alex
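
An added example, not part of any post in this thread: a Windows PowerShell check that totals the configured maximum size of every event log on a server and compares it with the 300 MB combined figure discussed above, skipping the comparison on Windows Vista and later. The variable names and the 300 MB threshold constant are assumptions taken from the thread's guidance, not from Microsoft code.

```powershell
# Added example (not from the thread). Run locally on the server being checked,
# for instance each Domain Controller, in Windows PowerShell.
# Assumption: the combined-size guidance applies only to pre-Vista systems
# (OS major version below 6), as the last post in the thread states.
$combinedLimitMB = 300

# Get-EventLog -List returns one System.Diagnostics.EventLog object per log;
# MaximumKilobytes is the configured maximum size, not the current file size.
$logs = Get-EventLog -List | Select-Object Log,
    @{Name = 'MaxSizeMB'; Expression = { [math]::Round($_.MaximumKilobytes / 1024, 1) }},
    OverflowAction

# Show the per-log settings, largest first, so the log to shrink is obvious.
$logs | Sort-Object MaxSizeMB -Descending | Format-Table -AutoSize

# Sum the configured maximums across all logs (Security, System, Application,
# Directory Service, DNS Server, and so on).
$totalMB = ($logs | Measure-Object -Property MaxSizeMB -Sum).Sum

$osMajor = [Environment]::OSVersion.Version.Major
if ($osMajor -ge 6) {
    # Vista and later: rewritten event log service, no memory-mapped files.
    Write-Output "Combined maximum is $totalMB MB. OS version $osMajor.x: only disk space limits log size."
}
elseif ($totalMB -gt $combinedLimitMB) {
    Write-Warning "Combined maximum is $totalMB MB, above the $combinedLimitMB MB guidance. Logs may not grow to their configured size."
}
else {
    $headroomMB = $combinedLimitMB - $totalMB
    Write-Output "Combined maximum is $totalMB MB, $headroomMB MB below the $combinedLimitMB MB guidance."
}
```

The total includes every log registered on the machine, so a Domain Controller's Directory Service, DNS Server and File Replication Service logs count toward the figure alongside Security, System and Application.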
 
