Configuring Windows for the Event Log Monitor

Article created 2003-05-12 by Rainer Gerhards.

Configuring Windows for the Event Log Monitor

The event log monitor service pulls events from the Windows event logs. In Windows’ default setup, the information contained in the logs is sparse and far from sufficient for security monitoring. If you are solely interested in checking system health, the default setting can be sufficient. If you are interested in security monitoring, you definitely need to change some settings in order to receive a useful result. This will be described in detail later in this section.

No matter what your logging needs are, you need to change the log file overwrite mode. Windows uses a circular buffer for each event log. Once the log file maximum size is reached, whenever a new event is written, an old one is overwritten. This is no problem if the log file size is large enough – and the default typically is – because the event log monitor retrieves log entries on a regular basis and forwards them to the configured destination. As such, no event is lost when an old one is overwritten. However, in default setup, Windows will stop writing events to the event logs when these logs are full and events younger than 7 days would be overwritten. Windows indicates this by placing a respective event into the system log , which of course will not help us retrieve any of the lost logs.

As such, we highly recommend that the log mode is set to “Overwrite as needed” instead to “Overwrite after 7 Days”. In addition, we recommend extending the size of the event log files to 10 to 20 MB. This is just a security precaution – but with today’s hard disk sizes it does not really matter if 100 MB or so are set aside as an additional buffer for unusual high log activity.

Please note that the CERT advises to increase the log size but also advises not to allow Windows to overwrite the log files. Adiscon’s recommendation is not in contrast to the CERT advisory as the event log monitor takes care of the events before they can be overwritten. And, once to repeat, not allowing to overwrite logs can lead to lost log entries, even is a large amount of log space is set aside. A malicious user might first generate a massive amount of log data before the actual attack is carried out.