Friday, July 6, 2007

Storage Requirements for the Windows Vista™ Security Log

Recently, we've created a few blog postings that talk about some of the new events present in the Microsoft Windows Vista™ security log. From a security standpoint, Vista's increased number of auditable events is excellent, as administrators and compliance officers can get a much deeper picture of the actions taking place on a computer prior to and during a security incident.

However, if you are required to retain those security events, either by law (e.g. HIPAA, SOX, GLB, PCI, etc.) or by policy, you need to start budgeting for more storage before you start your Vista and Windows Server 2008™ migrations.

Here are a few examples of how Vista security logs tend to grow much more quickly than their predecessors:

1.) Looking at some of our internal Vista security logs, there are tons of events relating to the blocking or accepting of network data via the Windows Filtering Platform. Some organizations may find this data valuable, especially if the machine is exposed to the public; others may not.

2.) Some events log extra information at the end of the Description field that serves no other purpose than to further explain the parameters in the Description field. For instance, every 4608 event (Windows is starting up) also tells you that:

"This event is logged when the LSASS.exe starts and the auditing subsystem is initialized."

Similarly, every 4634 event (An account was logged off) feels the need to mention that:

"This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."

These are just two brief examples, but note well: your Vista logs will use up more space than your XP and Windows 2000 workstation logs. If you are reassuring yourself now by thinking that you only need to retain server logs, bear in mind that Windows Server 2008 will share Vista's new events and logging tendencies!

Fortunately, the current release (and several prior releases) of our Event Archiver™ software offers you techniques to help you manage your storage of log data. Event Archiver allows you to automatically prune your database tables by date, selectively import only key events into database tables (or exclude non-key events) using global import filters, and keep your data in multiple compressed formats for storage efficiency. As the number of auditable events increases and the events themselves grow in size, these features become increasingly important.

2 comments:

Anonymous said...

The description text, e.g. "This event is logged when...", is static message text and is not stored as part of the event record in the EVTX file.

If your log archiving solution stores just the EVTX file then you're not paying any extra storage costs for the explanatory text of this nature.

However, many (ok most :-) log collection tools have the eventlog service retrieve the event message text, combine it with the event record and store the formatted message. They do this so that the stored event record is human readable, however this increases storage costs significantly.

Dorian Software Dev Team said...

Eric,

Very good point. So in other words, the "This event is logged when..." is part of the message file framework for the description of the event, which is similar to the way legacy EVT files work.

Fortunately, Event Archiver v7 has the ability to zip compress EVTX files just like EVT files, so the cost becomes even more trivial to maintain the flat files.

Still, I'm glad we have extensive mechanisms for database management and selective table importing in Event Archiver, because when you multiply 100 or more characters of text a million plus times, that really adds up! :)
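As an added illustration of the storage point made in the post and the EVTX-versus-rendered-text distinction raised in the comments (example code written for this page, not from the post or from Event Archiver), the following PowerShell script samples the local Security log, reports which event IDs dominate, measures how many bytes of rendered description text each one drags along beyond its raw record, and projects storage for a retention period under both archiving strategies. It assumes PowerShell 2.0 or later on Vista / Server 2008 or newer and an elevated session.

```powershell
# Added example, not part of the original post. Assumes PowerShell 2.0+ and an
# elevated session (reading the Security log requires administrative rights).
param(
    [int]$MaxEvents     = 5000,   # sample size; raise it for a steadier estimate
    [int]$RetentionDays = 365     # retention period to project against
)

$events = @(Get-WinEvent -LogName Security -MaxEvents $MaxEvents -ErrorAction Stop)
if ($events.Count -eq 0) { throw "No events read from the Security log." }

$utf16 = [Text.Encoding]::Unicode
$perId = @{}
$rawTotal = 0; $msgTotal = 0
foreach ($e in $events) {
    # ToXml() is the record as it exists in the EVTX file (no message text);
    # the UTF-16 length slightly over-estimates it, since EVTX stores binary XML.
    $raw = $utf16.GetByteCount($e.ToXml())
    # Message is the rendered description, including the static
    # "This event is logged when..." sentences the post complains about.
    $msg = if ($e.Message) { $utf16.GetByteCount($e.Message) } else { 0 }
    $rawTotal += $raw; $msgTotal += $msg
    if (-not $perId.ContainsKey($e.Id)) { $perId[$e.Id] = @{ N = 0; Raw = 0; Msg = 0 } }
    $perId[$e.Id].N++; $perId[$e.Id].Raw += $raw; $perId[$e.Id].Msg += $msg
}

# Which event IDs dominate, and how much rendered text each one adds per record.
$perId.GetEnumerator() | ForEach-Object {
    New-Object PSObject -Property @{
        Id          = $_.Key
        Events      = $_.Value.N
        AvgRawBytes = [int]($_.Value.Raw / $_.Value.N)
        AvgMsgBytes = [int]($_.Value.Msg / $_.Value.N)
    }
} | Sort-Object Events -Descending | Select-Object -First 10 |
    Format-Table Id, Events, AvgRawBytes, AvgMsgBytes -AutoSize

# Project growth per day from the time span the sample covers.
$sorted   = $events | Sort-Object TimeCreated
$spanDays = [Math]::Max(($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalDays, 0.01)
$perDay   = $events.Count / $spanDays
$evtxMB   = ($rawTotal / $events.Count) * $perDay * $RetentionDays / 1MB
$textMB   = (($rawTotal + $msgTotal) / $events.Count) * $perDay * $RetentionDays / 1MB
"{0:N0} events/day in sample" -f $perDay
"EVTX-only archive (record XML):      {0:N1} MB over {1} days" -f $evtxMB, $RetentionDays
"Rendered-message archive (XML+text): {0:N1} MB over {1} days" -f $textMB, $RetentionDays
```

The projection is linear from the sample, so run it over a window that includes normal working hours; a sample taken right after a reboot will be dominated by startup noise and understate steady-state growth.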