Server 2012 R2 domain controllers and log files

We have someone installing a FortiGate device for content filtering. He is asking me to turn on success logging in my domain controllers. This leads me to ask several questions:

1.  Do I turn on success logging for both the default domain policy AND the default domain controller policy or just one?

2.  Isn't that a crap load of extra logging?  

3.  What is considered too big for logging file sizes?  Mine are already 4 gigs and they are overwriting multiple times a day.  I don't want to grow the log too big, and 4 gigs for a text logging file seems massive.  What are my limits?  What are some good rules of thumb for DC logging file sizes?

4.  What else do I need to know here?

Basically, for content filtering on the internet, I have never seen an appliance require this and I'm hesitant to log this as we have over 600 users in the domain.  I don't want my security logs to be 4 gigs and I don't want my DC logging the crap out of everything just because this device sucks and can't do its job correctly.




Will Szymkowski (Senior Solution Architect) commented:
This really all depends on what you want to audit. If you want to specifically audit AD access/changes/login etc., then you need to enable this on the default domain controller policy. I have created a HowTo on my site to accomplish this.

I have all of the required steps also with post best practices once it is enabled.


crp0499 (CEO, Author) commented:
I think my point is I was asked to turn on success auditing for user and computer logon accounts.  As a result, my log file is 4 gigs.  That seems crazy to me.  It's overwriting more than once per day, so less than one day of log files doesn't help me.

Can I bump it to 16 gigs?  That just seems crazy to even ask.
Will Szymkowski (Senior Solution Architect) commented:
I cannot find any "Microsoft" documentation stating recommendations of Security Log File size; however, I have over 30,000 users in the AD environment that I manage and each of my DCs has a security log of 1GB. I do my log collections to my logging server every 5 minutes.

I would not recommend that you increase this log size; rather, increase the amount of time that your logging server fetches the security log data.
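
Added example, not part of any post in this thread: a PowerShell sketch for measuring how many hours the Security log on a DC covers before it wraps, and which event IDs account for the volume. It assumes an elevated session on the domain controller; the 50,000-event sample size is an arbitrary choice.

```powershell
# Added example: how long does the Security log last before it overwrites itself?
# Run elevated on the domain controller.

# Which logon-related subcategories currently have Success auditing enabled.
auditpol /get /category:"Account Logon","Logon/Logoff"

$log = Get-WinEvent -ListLog Security
if (-not $log.RecordCount) { throw 'The Security log is empty; nothing to measure.' }

# Oldest and newest records still retained in the log.
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$span   = $newest.TimeCreated - $oldest.TimeCreated
if ($span.TotalHours -le 0) { throw 'Time span too short to compute a rate.' }

# Write rate observed over the retained window.
$eventsPerHour = $log.RecordCount / $span.TotalHours
$bytesPerHour  = $log.FileSize / $span.TotalHours

[pscustomobject]@{
    LogMode          = $log.LogMode                                   # Circular = overwrite oldest
    MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB)
    CurrentSizeMB    = [math]::Round($log.FileSize / 1MB)
    HoursRetainedNow = [math]::Round($span.TotalHours, 1)
    EventsPerHour    = [math]::Round($eventsPerHour)
    MBPerHour        = [math]::Round($bytesPerHour / 1MB, 1)
    # Hours a full log of the configured maximum size would cover at this rate.
    HoursAtMaxSize   = [math]::Round($log.MaximumSizeInBytes / $bytesPerHour, 1)
}

# Top event IDs by count in the most recent events, to see what drives the growth.
Get-WinEvent -LogName Security -MaxEvents 50000 |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name
```

If `HoursAtMaxSize` is shorter than the interval at which the log collector pulls events, records are overwritten before they are collected.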
