Redirecting security logs to net storage - Windows 2008 R2 Enterprise
-
Monday, February 27, 2012 5:25 PM
We keep all of our security logs from our DCs and, as you would expect, they kill the disk space. Currently we set the logs to auto-archive at 300 MB and I move them manually to a netshare. I have tried changing the path for the logs in the event properties as well as in the registry, and tried using a mapped path as well as the full path name; it does not work. I also stopped the event service, moved the Security.evtx log to the new location and restarted the machine; it continues to place the logs in the default location. Is it not possible to redirect the security logs to a netshare? I am working with a Microsoft tech and he sent me some info that Windows 2003 cannot move them to a netshare. Any idea if 2008 R2 is the same?
All Replies
-
Tuesday, February 28, 2012 6:58 AM (Moderator)
Hello,
Firstly, it is NOT recommended to modify the location where event logs are stored, whether it is Server 2003 or Server 2008. This is because if you do so, you are likely to encounter permission problems.
Secondly, please note that Windows uses a specific system account to write logs rather than the Administrator account or any other account you created. This specific account surely does not have permission to access the network shared folder. I am saying this because if you right-click the C:\Windows\System32\winevt\LOGS folder and go to Properties – Security, you will see the account named “EVENTLOG”.
Mostly, administrators just manually copy the logs to another location when it’s full.
Thanks
ZHANG
- Marked as answer by Cheers ZHANG (Microsoft Contingent Staff, Moderator), Thursday, March 01, 2012 2:04 AM
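The thread settles on keeping the Security log in its default folder and copying archived files off the box. As an added example (not code from the thread or from Microsoft), here is a scheduled-task script that automates that step: it moves only the auto-archived Security logs to a share and verifies each copy by hash before deleting the local file. It assumes the default winevt\Logs folder, a placeholder share path, and a task account that can write to that share; it targets PowerShell 2.0, the version that ships with 2008 R2, so it avoids Get-FileHash.

```powershell
# Added example: move auto-archived Security logs from a DC to a network share.
# Assumptions: default log folder, placeholder share path, task runs as an
# account with write access to the share (the EVENTLOG service account cannot
# reach a share, which is why the live log itself is never redirected).

$LogDir      = "$env:SystemRoot\System32\winevt\Logs"
$Destination = "\\LOGSERVER\SecurityLogs\$env:COMPUTERNAME"   # placeholder share
$Pattern     = 'Archive-Security-*.evtx'   # never touch the live Security.evtx

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

foreach ($file in Get-ChildItem -Path $LogDir -Filter $Pattern) {
    $target = Join-Path $Destination $file.Name
    if (Test-Path $target) {
        # Same name already on the share: never overwrite an archived log.
        Write-Warning "Skipping $($file.Name): already present at $target"
        continue
    }
    Copy-Item -Path $file.FullName -Destination $target
    $srcHash = Get-Sha256 $file.FullName
    $dstHash = Get-Sha256 $target
    if ($srcHash -eq $dstHash) {
        # Copy verified: release the local disk space and record the hash
        # so later tampering with the archived file can be detected.
        Remove-Item -Path $file.FullName
        "$($file.Name) $srcHash" |
            Out-File -Append -FilePath (Join-Path $Destination 'manifest.txt')
    } else {
        # Truncated or corrupt copy: keep the local archive, drop the bad copy.
        Write-Warning "Hash mismatch for $($file.Name); local copy retained"
        Remove-Item -Path $target
    }
}
```

Run it from Task Scheduler with a trigger on the auto-archive event or on a schedule shorter than the time it takes to fill the archive threshold.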
-
Tuesday, February 28, 2012 7:12 AM (Moderator)
Agree with Zhang.
You might want to try Event Forwarding and Subscriptions.
Here are some articles you can refer to.
Quick and Dirty Large Scale Eventing for Windows
Configure Computers to Forward and Collect Events
http://technet.microsoft.com/en-us/library/cc748890.aspx
Windows Event Collector
http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx
Most downtime is caused by SysAdmins' curiosity! - Santosh
- Marked as answer by Cheers ZHANG (Microsoft Contingent Staff, Moderator), Thursday, March 01, 2012 2:04 AM