Monday, April 18, 2005

Maximum size of Windows event logs

I stumbled across something recently that is of interest to anyone setting event log sizes. Actually, I was referred here by Alex N.; thanks Alex!

If you follow any sort of "guidance" from DISA, NSA or other government agencies that tells you to set event log sizes to 1GB or even 4GB per log, be aware that this is a very bad idea. It boils down to this: EVENTLOG.DLL runs inside the SERVICES.EXE process, and no single process can have more than 1GB of memory-mapped files. The event log files are memory-mapped, and SERVICES.EXE also hosts other components that all have to share that 1GB of address space, so oversized logs can exhaust it.

When that happens, events that SHOULD have been logged will NOT be logged, and they are dropped silently: no error is logged or displayed, either.

Microsoft recommends in the Event Log Policy Settings document that the combined size of these files be no more than 300MB. For regular servers, that means the combined size of the System, Security, and Application logs. For domain controllers, don't forget to take into consideration the DNS Server, File Replication Service, and Directory Service event logs as well.

I recommend the following event log sizes (in KB, which is the unit the Event Log properties dialog and Group Policy use):
System: 49,152 KB (48MB)
Application: 49,152 KB (48MB)
Security: 196,608 KB (192MB)
That comes to 288MB combined, which stays under the 300MB ceiling.

Usually, the DNS, File Replication Service, and Directory Service logs don't need to be more than a few MB each.
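The following script is an added example and is not code from the original post. It audits the configured maximum size of every classic event log on the machine, warns when the combined total goes over the 300MB ceiling, and, when run with -Apply, sets the sizes recommended above (skipping the domain-controller-only logs on hosts that don't have them). It assumes Windows PowerShell 5.1 on an elevated prompt; Get-EventLog and Limit-EventLog are Windows PowerShell cmdlets that are not available in PowerShell 7.

```powershell
# Added example, not code from the original post: audit the configured maximum
# size of each classic event log, check the combined total against the 300 MB
# ceiling, and (with -Apply) set the recommended sizes.
# Assumes Windows PowerShell 5.1 on an elevated prompt.
param(
    [switch]$Apply    # report only unless -Apply is given
)

$budget = 300MB       # Microsoft's ceiling for all event logs combined

# Recommended sizes in bytes. Limit-EventLog requires multiples of 64 KB.
# The last three logs exist only on domain controllers and are skipped elsewhere.
$recommended = [ordered]@{
    'System'                   = 48MB     # 49,152 KB
    'Application'              = 48MB     # 49,152 KB
    'Security'                 = 192MB    # 196,608 KB
    'DNS Server'               = 4MB
    'File Replication Service' = 4MB
    'Directory Service'        = 4MB
}

# Current state: Get-EventLog -List reports each log's cap in kilobytes.
$logs     = Get-EventLog -List
$logNames = $logs | ForEach-Object { $_.Log }
$current  = 0
foreach ($l in $logs) {
    $current += [int64]$l.MaximumKilobytes * 1KB
    '{0,-28} {1,10:N0} KB' -f $l.Log, $l.MaximumKilobytes
}
'{0,-28} {1,10:N0} KB' -f 'Combined', ($current / 1KB)

if ($current -gt $budget) {
    Write-Warning ('Combined size {0:N0} KB exceeds the {1:N0} KB ceiling; events may be dropped silently.' -f ($current / 1KB), ($budget / 1KB))
}

if ($Apply) {
    # Only size logs that exist on this host, and refuse to apply a plan that
    # itself breaks the budget (e.g. if someone raises the DC log allowances).
    $plan = @{}
    foreach ($name in $recommended.Keys) {
        if ($logNames -contains $name) { $plan[$name] = $recommended[$name] }
    }
    $planned = ($plan.Values | Measure-Object -Sum).Sum
    if ($planned -gt $budget) {
        throw ('Planned total {0:N0} KB is over the {1:N0} KB ceiling; nothing changed.' -f ($planned / 1KB), ($budget / 1KB))
    }
    foreach ($name in $plan.Keys) {
        Limit-EventLog -LogName $name -MaximumSize $plan[$name]
        '{0,-28} set to {1,10:N0} KB' -f $name, ($plan[$name] / 1KB)
    }
}
```

If the sizes on your machines are enforced by Group Policy (Computer Configuration > Windows Settings > Security Settings > Event Log), change them there instead; the policy will overwrite local settings at the next refresh. Run the script without -Apply first to see what the combined total is today.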

This will be fixed in a future version of Windows, but probably not in a service pack. The issue affects all versions of Windows up through Windows Server 2003 and will require an overhaul of the event logging system. More technical details can be found on Microsoft TechNet.
