Retaining security logs... Is this right? Suggestions?
Posted on 2009-05-12
I have a customer who is trying to save 3 months' worth of security logs (auditing enabled) online for a server: Windows 2003 Standard R2 SP2 32-bit (VM). The log file will not be large enough to hold this amount. I am looking for a CHEAP and easy way to give the customer what they want, and I am looking for ideas on how I can go about doing this. Just doing some brainstorming here, but could I just create a script to copy the security event log file over to the other local drive (also including a timestamp in the filename of the copied file)? And if I do that, I would also like to create something in the script that checks for and deletes old security logs (older than 3 months).
A couple problems/things to know:
- My current log size to hold 1-2 days' worth of logs is about 200 MB. So each time I copy the file, it's another 200 MB added to the archive location (let's say on the D: drive). Is this the best way?
- I can't install any extra software on this server... I need to use existing built-in functionality.
- I am not a scripter... by any means, so please be detailed in your responses.
Please, if you have any other suggestions, enlighten me. This was just my first thought on how to give them 3 months' worth of online logs to look at when the log file will not hold that amount on its own.
Server - Windows Server 2003 R2 SP2 x86
Security log location - is default
Log size - is set for a max size of 204800 KB
log behavior when max size is reached - overwrite events as needed
free space - 20GB to work with
Thanks in advance for any help you all can provide!
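One way to do what the post describes with nothing but what ships in Windows Server 2003, as an added example that is not from the original post or any reply: instead of copying the live SecEvent.Evt (which the Event Log service holds open and which can land in the archive half-written), ask the Event Log service for a consistent backup through WMI's Win32_NTEventlogFile.BackupEventLog, then prune archives older than the retention period. The archive path D:\EventLogArchive, the 90-day retention, and the choice to clear the live log after each successful backup are assumptions; the script must run as an account that holds the Backup and Security privileges (a local Administrator or SYSTEM).

```vbscript
' archive-seclog.vbs - archive the Security event log and prune old archives.
' Added example, not code from the original post. Runs with cscript.exe on
' Windows Server 2003 (WSH + WMI are built in, no extra software needed).
' Assumptions: archive directory, retention period and CLEAR_AFTER_BACKUP below.
Option Explicit

Const ARCHIVE_DIR = "D:\EventLogArchive"   ' assumption: any local path with free space
Const RETAIN_DAYS = 90                      ' assumption: "3 months" taken as 90 days
Const LOG_NAME = "Security"
Const CLEAR_AFTER_BACKUP = True             ' assumption: clear live log once it is safely archived

Dim fso, wmi, logs, evlog, stamp, dest, rc, f, removed
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(ARCHIVE_DIR) Then fso.CreateFolder ARCHIVE_DIR

' The moniker enables the Backup and Security privileges for this connection;
' without them BackupEventLog on the Security log fails with a non-zero code.
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\.\root\cimv2")
Set logs = wmi.ExecQuery("SELECT * FROM Win32_NTEventlogFile WHERE LogFileName='" & LOG_NAME & "'")

' Timestamp in the archive name (YYYYMMDD-HHMM) so each run produces a new file;
' BackupEventLog refuses to overwrite an existing file.
stamp = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & "-" & _
        Right("0" & Hour(Now), 2) & Right("0" & Minute(Now), 2)
dest = ARCHIVE_DIR & "\" & LOG_NAME & "-" & stamp & ".evt"

For Each evlog In logs
    rc = evlog.BackupEventLog(dest)     ' service writes a consistent .evt; 0 = success
    If rc <> 0 Then
        WScript.Echo "BackupEventLog failed, return code " & rc
        WScript.Quit rc                 ' leave the live log untouched if the backup failed
    End If
    If CLEAR_AFTER_BACKUP Then
        ' Clearing after a good backup means consecutive archives do not overlap
        ' and the live log cannot wrap between runs.
        evlog.ClearEventLog()
    End If
Next
WScript.Echo "Archived to " & dest

' Prune only the archives this script wrote (Security-*.evt) older than RETAIN_DAYS.
removed = 0
For Each f In fso.GetFolder(ARCHIVE_DIR).Files
    If LCase(Right(f.Name, 4)) = ".evt" And Left(f.Name, Len(LOG_NAME) + 1) = LOG_NAME & "-" Then
        If DateDiff("d", f.DateLastModified, Now) > RETAIN_DAYS Then
            f.Delete
            removed = removed + 1
        End If
    End If
Next
WScript.Echo "Removed " & removed & " archive(s) older than " & RETAIN_DAYS & " days"
```

Schedule it with the built-in task scheduler, for example `schtasks /create /sc daily /st 23:55 /tn "Archive Security log" /tr "cscript //nologo C:\scripts\archive-seclog.vbs" /ru SYSTEM`. Two caveats a practitioner would want: clearing the Security log writes an "audit log cleared" event (ID 517 on Windows 2003) as the first entry of the fresh log, so anyone reviewing the archives should expect one per run rather than treat it as tampering; and the archived .evt files open in Event Viewer (Action, Open Log File) for the "online" review the customer wants, while the 90 daily archives of up to 200 MB each come close to the 20 GB of free space mentioned in the post, so the retention or the log size may need trimming.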