Configuring Maximum Security Log Size

Setting the maximum log size for event logs is crucial for your security policy. Proper configuration helps detect attacks and investigate their sources. Insufficient storage can result in information loss and undetected breaches. This article covers everything you need to know about configuring maximum security log size.

Server hardening can be labor-intensive and costly, often causing production issues. CSH by CalCom automates server hardening, learning your network to eliminate lab testing and ensure zero production outages. Get in touch to implement your policy directly in production hassle-free.

Policy Description

This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

If you disable maximum security log size or do not configure this policy setting, the maximum size of the log file maximum size will be set to the local configuration value. This value can be changed by the local administrator using the log properties dialog and it defaults to 20 megabytes. For backward compatibility, the same setting can also be configured at Computer Configuration\Windows Settings\Security Settings\Event Log, if set at both locations this one will take precedence.

Potential Vulnerability

If you significantly increase the number of objects to audit in your organization, there is a risk that the Security log will reach its capacity and force the computer to shut down if you enabled the Audit: Shut down system immediately if unable to log security audits setting. If such a shutdown occurs, the computer will be unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting that is described in Chapter 5, “Security Options,” and increase the Security log size. Alternatively, you can configure automatic log rotation.

You should enable sensible log size policies for all computers in your organization so that legitimate users can be held accountable for their actions, an unauthorized activity can be detected and tracked, and computer problems can be detected and diagnosed.

Potential impact of configuration

When event logs reach capacity, they will stop recording information unless the retention method is set to overwrite the oldest entries with the most recent ones.

The severity of this configuration is critical; however, the consequence is that older events will be removed from the logs. Attackers can exploit this by generating a large number of extraneous events to overwrite any evidence of their attack. These risks can be reduced by automating the archival and backup of event log data.

Ideally, all specifically monitored events should be sent to a server that uses an automated monitoring tool. This configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, you will be able to gather forensic information about the attacker’s activities.

CIS Benchmarks – What are They and How to Use Them

How to configure maximum security log size

1. Log in to the computer using a user account with domain administrator privileges.
2. Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.
3. Expand Forest > Domains > domainName > Domain Controllers.
4. Right-click Default Domain Controllers Policy, and then click Edit.
5. Expand Computer configuration > Policies > Windows Settings > Security Settings.
6. Select Event Log and configure Maximum security log size to a size of no less than 196608 KB.
7. Configure Retention method for security log to Overwrite events as needed.
8. Return to the command prompt, type gpUpdate, and then press Enter.

To verify this configuration and ensure Active Directory events are not discarded before processing:

1. Open a command prompt as an administrator.
2. At the command line, type eventvwr to start the Event Viewer.
3. In Windows logs, right-click Security, and select Properties.
4. Verify the settings reflect a maximum log size of no less than 196608 KB, and the selection to Overwrite events as needed.