Parity123

asked on

Active Directory: Logs


I am trying to estimate the size of all event logs on all 2008 R2 domain controllers. For instance, what would be the log size per day? Use the time difference between the first event and the last event, and extrapolate it to 24 hours to figure out an approximate size. Is there a tool or script that you can share that would get me this report?

Thanks very much for any assistance you can provide.
Amit

You need a 3rd-party tool to archive the logs. By default, your logs will be overwritten. Check the log settings to see what size you have set. On a DC, logs might be overwritten pretty fast. For example, if you set a 16 MB log size and it gets overwritten in 2 hours, then you know the maths.
Parity123


I know that it is going to be overwritten; I am trying to get the event log sizes. For instance: if the time difference between the first event and the last event is 2 hours, I need to get the current event log size and multiply it by 12 to estimate the log size per day. This is just a scientific way of estimating; it may not be exact, but it will give us some idea. I want to be able to project how much data gets collected over a day on all the domain controllers.

This is really something that you will have to monitor on an ongoing basis. Logs can vary at any time for any reason. Different logs can accumulate faster than others, i.e. Security Logs. How and what your current configuration is will determine how big your logs will get.

Leaving the default 16MB for Security Logs IMO is too small. You should be setting logs, specifically on a DC, to no less than 1GB for Security and 500MB for App and Server Logs.

So whether you have AD Auditing enabled on your domain controllers will also give you a good indication of whether your logs will overwrite faster. With AD logging enabled for all events, your logs will overwrite very quickly with the default settings.

@Amit - you do not necessarily have to purchase a 3rd-party product to archive the logs. You can use Windows Event Subscriptions, which comes as a feature with Windows Server 2008 and up. This will allow you to move/copy your logs to a "Logging Server".

So really this is something that you will have to monitor and it can change on any given day based on the activity on your domain.

@Will - I realize what you are saying. I have been asked to provide a ballpark figure to estimate the storage/license cost for something we are trying to acquire.

Well, like I said originally, you would be the best person to figure that out because it would be based on your environment configuration. Auditing AD is going to make your Security Logs grow substantially. The logs will increase or decrease in size based on the activity.

AFAIK there is no software out there specifically for this. However, if you are looking at this from a storage perspective, logs are not very large at all and they can be compressed very well, so I do not think storage should be an issue here. Not sure where licensing fits into this.

However, the best advice is just to monitor your logs for a couple of days and see what the trending is. Like I said, you can use Windows Event Subscriptions to pull the logs from the DCs to another member server so that you can analyze them more easily.

You can easily calculate it manually.
Copy them from another location daily and compare them for an average.

We have 300+ domain controllers, and the size of logs is very important to negotiate licensing for a third party product to store event logs.

Which 3rd-party tool are you negotiating?
I agree with Will.
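
The estimate described in the question (current log size scaled from the span between the oldest and newest retained event to 24 hours), as an added example that is not part of the original thread. It assumes the ActiveDirectory module is installed where it runs and that remote event log access to the DCs is allowed; the list of log names is a constructed selection.

```powershell
# Added example: per-day event log volume estimate for every domain controller.
# Assumptions: ActiveDirectory module present, remote event log access allowed.
Import-Module ActiveDirectory

# Constructed selection of logs to measure; adjust to what you plan to collect.
$logNames = 'Security', 'System', 'Application', 'Directory Service'
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    foreach ($name in $logNames) {
        try {
            $log    = Get-WinEvent -ListLog $name -ComputerName $dc -ErrorAction Stop
            $oldest = Get-WinEvent -LogName $name -ComputerName $dc -Oldest -MaxEvents 1 -ErrorAction Stop
            $newest = Get-WinEvent -LogName $name -ComputerName $dc -MaxEvents 1 -ErrorAction Stop
        } catch {
            # Unreachable DC, empty log, or access denied: report and move on.
            Write-Warning "$dc / $name : $($_.Exception.Message)"
            continue
        }

        # Time covered by the events currently retained in the log.
        $hours = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
        if ($hours -le 0) { continue }   # one event only, nothing to extrapolate

        # FileSize is the on-disk .evtx size; what a collector stores may differ.
        $sizeMB = $log.FileSize / 1MB
        New-Object PSObject -Property @{
            DC        = $dc
            Log       = $name
            SizeMB    = [math]::Round($sizeMB, 1)
            MaxMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            Records   = $log.RecordCount
            SpanHours = [math]::Round($hours, 1)
            MBPerDay  = [math]::Round($sizeMB * 24 / $hours, 1)
        }
    }
}

$report | Sort-Object DC, Log |
    Format-Table DC, Log, SizeMB, MaxMB, Records, SpanHours, MBPerDay -AutoSize

$total = ($report | Measure-Object -Property MBPerDay -Sum).Sum
"Estimated total across all DCs: {0:N1} MB/day" -f $total
```

A log that was cleared recently or covers only a short span gives a noisy figure, so repeating the run over several days and averaging the results gives a steadier estimate.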