Article created 2003-05-12 by
Configuring Windows for the Event Log Monitor
The event log monitor service pulls events from the Windows event logs. In
Windows' default setup, the information contained in the logs is sparse and far
from sufficient for security monitoring. If you are solely interested in
checking system health, the default setting can be sufficient. If you are
interested in security monitoring, you definitely need to change some settings
in order to receive a useful result. This will be described in detail later in
No matter what your logging needs are, you need to change the log file
overwrite mode. Windows uses a circular buffer for each event log. Once the log
file maximum size is reached, whenever a new event is written, an old one is
overwritten. This is no problem if the log file size is large enough – and the
default typically is – because the event log monitor retrieves log entries on a
regular basis and forwards them to the configured destination. As such, no
event is lost when an old one is overwritten. However, in the default setup,
Windows will stop writing events to the event logs when these logs are
full and events younger than 7 days would be overwritten. Windows indicates
this by placing a corresponding event into the system log, which of course will
not help us retrieve any of the lost logs.
As such, we highly recommend that the log mode be set to "Overwrite as needed"
instead of "Overwrite after 7 Days". In addition, we recommend extending the
size of the event log files to 10 to 20 MB. This is just a security precaution
– but with today's hard disk sizes it does not really matter if 100 MB or so
are set aside as an additional buffer for unusually high log activity.
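
The following added example (not part of the original article and not Adiscon code) audits the three classic logs against the recommendation above and, when asked, corrects them. The function name Test-EventLogRetention is hypothetical, the 20 MB target is taken from the upper end of the range given above, and the script assumes an elevated Windows PowerShell 5.1 session, because Get-EventLog and Limit-EventLog are not available in PowerShell 7.

```powershell
#Requires -RunAsAdministrator
# Added example: report (and optionally fix) size and overwrite mode of the
# classic event logs. Assumes Windows PowerShell 5.1.

function Test-EventLogRetention {
    param(
        # Logs to check; these three are the classic Windows event logs.
        [string[]]$LogName = @('Application', 'System', 'Security'),
        # Target maximum size; Limit-EventLog requires a multiple of 64 KB.
        [long]$TargetSize = 20MB,
        # Without -Apply the function only reports and changes nothing.
        [switch]$Apply
    )

    foreach ($log in Get-EventLog -List | Where-Object { $LogName -contains $_.Log }) {
        $currentSize = $log.MaximumKilobytes * 1KB
        $sizeOk = $currentSize -ge $TargetSize
        $modeOk = $log.OverflowAction -eq 'OverwriteAsNeeded'
        $changed = $false

        if ($Apply -and -not ($sizeOk -and $modeOk)) {
            # Never shrink a log that is already larger than the target.
            $newSize = [Math]::Max($TargetSize, $currentSize)
            Limit-EventLog -LogName $log.Log -MaximumSize $newSize `
                -OverflowAction OverwriteAsNeeded
            $changed = $true
        }

        # One row per log, showing the state found before any change.
        [pscustomobject]@{
            Log            = $log.Log
            MaxSizeMB      = [Math]::Round($currentSize / 1MB, 1)
            OverflowAction = $log.OverflowAction   # OverwriteOlder = "after N days"
            RetentionDays  = $log.MinimumRetentionDays
            Compliant      = $sizeOk -and $modeOk
            Changed        = $changed
        }
    }
}

# Report only:
Test-EventLogRetention | Format-Table -AutoSize
# Apply the recommended settings:
# Test-EventLogRetention -Apply | Format-Table -AutoSize
```
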
Please note that CERT advises
increasing the log size but also advises not allowing Windows to overwrite the
log files. Adiscon's recommendation does not contradict the CERT advisory, as
the event log monitor takes care of the events before they can be overwritten.
And, to repeat once more, not allowing logs to be overwritten can lead to lost
log entries, even if a large amount of log space is set aside. A malicious user
might first generate a massive amount of log data before the actual attack is