Recently, I have received a request to turn on the function of auditing the folders on a Windows Server 2003. This request can be quite challenging if anyone were to try to keep their security log file (Part of event log). Why?
1. This server is a file and print server and once the audit object access function is turned on and the folders is configured to audit anyone who create and delete any folders\files, the amount of logs generate will be huge and will be very fast. (Approx 100MB per 15mins when users are accessing the folders)
2. Usual configuration of Security Log is overwrite as needed. If not, once the log is full, nothing will be log till someone manually clear it. Worse, once log is full, one may not be able to login to the server. (Need to find a way to archive the security log automatically)
Based on the above request, I have to plan on how to archive the security log automatically and store them for audit purposes.
Summary of plan
1. Configure Windows Server 2003 to auto archive the security log
2. Move the archived log files from C drive to another location every 15mins through schedule task
3. Compress the archived log files at the end of the day through schedule task
Chapter 1 – How to configure Windows Server 2003 to auto archive the security log
Chapter 1.1 – For server that is managed through domain GPO
1. Create another OU under the existing one where the server is;
2. Move the server under the new OU. Example shown below:
3. Next is to create a GPO object like – “EnableObjectAccessAudit” to turn on the . What you require to configure is shown below:
NOTE: For my side, Success and Failure is set as user really want everything. If possible, Success is enough. Retention method must be set to Manually. If not, the security will keep overwrite itself and most important, the later part of the configuration will not work!
4. Under registry, go under HKLM > SYSTEM > CURRENTCONTROLSET > SERVICES > EVENTLOG > SECURITY
Set “AutoBackupLogFiles” to “1”
Make sure “Retention” is “0xffffffff” (This is a MUST for auto backup log files feature to work)
Chapter 1.2 – For standalone Server
1. Under Administrative Tools, Local Security Policy > Local Policy > Audit Policy, configure “Audit Object Access” accordingly – Success or Failure.
2 (Same a above) Under registry, go under HKLM > SYSTEM > CURRENTCONTROLSET > SERVICES > EVENTLOG > SECURITY
Set “AutoBackupLogFiles” to “1”
Make sure “Retention” is “0xffffffff” (This is a MUST for auto backup log files feature to work)
Once the setting is working, you will be able to see security log files auto archive under C:\Windows\System32\config folder.
The name of the files are as following format – archive-security-2009-05-27-XX-XX-XX-XXX.evt
WARNING – once you have configure this, you have execute the next configure to move the files to another location. If not, it will flood your drive C very fast…
Chapter 2 – Moving the auto archived file out from drive C to another location
Using commandline, moving of the files are done
MOVE “%windir%\SYSTEM32\CONFIG\Archive*.evt <Destination>
To auto run the commandline every 15mins, you can create a batch file with the above command and configure as a schedule task that will run every 15mins.
Chapter 3 – Compress the files and other process
The archived security log files are huge! Every file for me is 100MB as I configured my log to be 100MB (Max). Every Day, there will average 100 over files created… (10GB!) Therefore, after moving the files to another location, my advise is to compress them. The files are text file and once compressed, 100MB will become only 4MB or less.
Under my case, I am using 7zip to perform the task through command line.
7za a COMPRESS_EVENTLOG.zip *.evt
The next command line is to delete the RAW log file after the above command is executed. If not, spaces on server will still be used up!
del /F /Q *.evt
Something additional, I used an utility to help me to add the date as part of the filename of the compressed file. 🙂
The tools is – “namedate”
Command line
namedate /K /Y E:\Compress_Eventlog.zip
To automate the compress, delete and rename of file stage, I create another batch file and place the above commands into it. Next, I create a schedule task to run the batch file every night. 🙂 Around 11pm would be good.
Configuration Done!
But you will need to monitor for one day to see if the log file will still overflow, if so, you need to move the files out from C drive every 2 to 3mins?
For my side, I will only keep the logs for a month. After a month, I will delete off those log files. But for audit purposes, you may want to backup under some external media to store them offline.
Recommendation – If you are unsure on what you are doing, please try it on a Virtual Machine first before you do it on your production server especially when coming to configuration of registry keys on a server. 🙂
Tan Chee's Space of IT 
You have a good archive of stuff here. You really should tag your work to make it easier to index your material. I just happened to stumble on your stuff due to WP links. I’d bet you’d get a lot more readers and hits.
I like the way you addressed this particular problem. The methods you use here can be recycled in other logging applications.
Thanks for sharing!
-ian
Hi~ Thanks for your comment! I am still trying to adjust myself to WordPress.
Yes. you are right. Most important is one can get the concept right. This method can be use in many other areas. 🙂
This was very useful, thank you.
The Yellow text commands force me to highlight the page to be able to read it. It made it more frustrating than it needed to be.
This is a great method – I would add that for 2008+ boxes the event log path is different (\winevt\logs), also that it is safest to configure and test the batch file that moves the archived logs over, zips them and deletes them *before* configuring the event logs, policies and setting the auditing permissions, otherwise disk space can run out if you set the policy, the auditing perms, and then event log archiving and then get interrupted with another, (seemingly) more urgent matter before configuring the archive copying portion of the process – and then run out of space on a server if it fills the log faster than expected (5GB in less than 1 hour in my case)
hello!,I love your writing very much! share we keep in touch more approximately your post on AOL? I need an expert on this space to unravel my problem. May be that’s you! Taking a look forward to look you.
On my display, there are some letters that are yellow- almost impossible to read. I got around this by highlighting the row; thus making them visible. Can you please change the formatting to maby black bold, or a dark red?
This really is the 2nd blog post, of your website I personally
checked out. Still I personally like this one, “How to configure Windows Server 2003
to auto archive Security Log and not flooding your system drive!
| Tan Chee’s Space of IT” the very best. Thanks -Charissa
Tha’s what i’m looking for, thank you for the post.