How to configure Windows Server 2003 to auto archive Security Log and not flooding your system drive!

Recently, I have received a request to turn on the function of auditing the folders on a Windows Server 2003. This request can be quite challenging if anyone were to try to keep their security log file (Part of event log). Why?
1. This server is a file and print server and once the audit object access function is turned on and the folders is configured to audit anyone who create and delete any folders\files, the amount of logs generate will be huge and will be very fast. (Approx 100MB per 15mins when users are accessing the folders)
2. Usual configuration of Security Log is overwrite as needed. If not, once the log is full, nothing will be log till someone manually clear it. Worse, once log is full, one may not be able to login to the server. (Need to find a way to archive the security log automatically)
Based on the above request, I have to plan on how to archive the security log automatically and store them for audit purposes.
Summary of plan
1. Configure Windows Server 2003 to auto archive the security log
2. Move the archived log files from C drive to another location every 15mins through schedule task
3. Compress the archived log files at the end of the day through schedule task
Chapter 1 – How to configure Windows Server 2003 to auto archive the security log
Chapter 1.1 – For server that is managed through domain GPO
1. Create another OU under the existing one where the server is;
2. Move the server under the new OU. Example shown below:
3. Next is to create a GPO object like – “EnableObjectAccessAudit” to turn on the . What you require to configure is shown below:
NOTE: For my side, Success and Failure is set as user really want everything. If possible, Success is enough. Retention method must be set to Manually. If not, the security will keep overwrite itself and most important, the later part of the configuration will not work!
4. Under registry, go under HKLM > SYSTEM > CURRENTCONTROLSET > SERVICES > EVENTLOG > SECURITY
Set “AutoBackupLogFiles” to “1”
Make sure “Retention” is “0xffffffff” (This is a MUST for auto backup log files feature to work)
Chapter 1.2 – For standalone Server
1. Under Administrative Tools, Local Security Policy > Local Policy > Audit Policy, configure “Audit Object Access” accordingly – Success or Failure.
2 (Same a above) Under registry, go under HKLM > SYSTEM > CURRENTCONTROLSET > SERVICES > EVENTLOG > SECURITY
Set “AutoBackupLogFiles” to “1”
Make sure “Retention” is “0xffffffff” (This is a MUST for auto backup log files feature to work)
Once the setting is working, you will be able to see security log files auto archive under C:\Windows\System32\config folder.
The name of the files are as following format – archive-security-2009-05-27-XX-XX-XX-XXX.evt
WARNING – once you have configure this, you have execute the next configure to move the files to another location. If not, it will flood your drive C very fast…
Chapter 2 – Moving the auto archived file out from drive C to another location
Using commandline, moving of the files are done
MOVE “%windir%\SYSTEM32\CONFIG\Archive*.evt <Destination>
To auto run the commandline every 15mins, you can create a batch file with the above command and configure as a schedule task that will run every 15mins.
Chapter 3 – Compress the files and other process
The archived security log files are huge! Every file for me is 100MB as I configured my log to be 100MB (Max). Every Day, there will average 100 over files created… (10GB!) Therefore, after moving the files to another location, my advise is to compress them. The files are text file and once compressed, 100MB will become only 4MB or less.
Under my case, I am using 7zip to perform the task through command line.
7za a COMPRESS_EVENTLOG.zip *.evt
The next command line is to delete the RAW log file after the above command is executed. If not, spaces on server will still be used up!
del /F /Q *.evt
Something additional, I used an utility to help me to add the date as part of the filename of the compressed file. 🙂
The tools is – “namedate”
Command line
namedate /K /Y E:\Compress_Eventlog.zip
To automate the compress, delete and rename of file stage, I create another batch file and place the above commands into it. Next, I create a schedule task to run the batch file every night. 🙂 Around 11pm would be good.
Configuration Done!
But you will need to monitor for one day to see if the log file will still overflow, if so, you need to move the files out from C drive every 2 to 3mins?
For my side, I will only keep the logs for a month. After a month, I will delete off those log files. But for audit purposes, you may want to backup under some external media to store them offline.
Recommendation – If you are unsure on what you are doing, please try it on a Virtual Machine first before you do it on your production server especially when coming to configuration of registry keys on a server. 🙂
Reference: https://vbzine.wordpress.com/2009/05/28/how-to-configure-windows-server-2003-to-auto-archive-security-log-and-not-flooding-your-system-drive/