Active Directory: Logs


I am trying to estimate the size of all eventlogs on all 2008r2 domain controllers. For instance, to work out the log size per day, use the time difference between the first event and the last event, and extrapolate it to 24 hours to figure out an approx. size. Is there a tool or script that you can share that would get me this report?

Thanks very much for any assistance you can provide.

Amit (IT Architect) Commented:
You need a 3rd party tool to archive the logs. By default, your logs will be overwritten. Check the log settings to see what size you have set. On a DC, logs might be overwritten pretty fast. For example, if you set a 16 MB log size and it gets overwritten in 2 hours, then you know the maths.
Parity123 (Author) Commented:
I know that it is going to be overwritten; I am trying to get the eventlog sizes. For instance: if the time difference between the first event and the last event is 2 hours, I need to get the current event log size and multiply it by 12 to estimate the log size per day. This is just a scientific way of estimating; it may not be exact, but it will give us some idea. I want to be able to project how much data gets collected over a day on all the domain controllers.
Will Szymkowski (Senior Solution Architect) Commented:
This is really something that you will have to monitor on an ongoing basis. Logs can vary at any time for any reason. Different logs can accumulate faster than others, i.e. Security Logs. How and what your current configuration is will determine how big your logs will get.

Leaving the default 16MB for Security Logs IMO is too small. You should be setting logs specifically on a DC to no less than 1GB for Security and 500MB for App and Server Logs.

So whether you have AD Auditing enabled on your domain controllers will also give you a good indication of whether your logs will overwrite faster. With AD logging enabled for all events, your logs will overwrite very quickly with the default settings.

@Amit - you do not necessarily have to purchase a 3rd party product to archive the logs. You can use Windows Event Subscriptions, which comes as a feature with Windows Server 2008 and up. This will allow you to move/copy your logs to a "Logging Server".

So really this is something that you will have to monitor and it can change on any given day based on the activity on your domain.


Parity123 (Author) Commented:
@Will - I realize what you are saying. I have been asked to provide a ballpark figure to estimate the storage/license cost for something we are trying to acquire.
Will Szymkowski (Senior Solution Architect) Commented:
Well, like I said originally, you would be the best person to figure that out because it would be based on your environment configuration. Auditing AD is going to make your Security Logs grow substantially. The logs will increase or decrease in size based on the activity.

AFAIK there is no software out there specifically for this. However, if you are looking at this from a storage perspective, logs are not very large at all and they can be compressed very well, so I do not think storage should be an issue here. Not sure where licensing fits into this.

However, best advice is just to monitor your logs for a couple of days and see what the trending is. Like I said, you can use Windows Event Subscriptions to pull the logs from the DCs to another member server so that you can analyze them more easily.

Muhammad Burhan (Manager I.T.) Commented:
You can easily calculate it manually.
Copy them from another location daily and compare them for average.
Parity123 (Author) Commented:
We have 300+ domain controllers, and the size of logs is very important to negotiate licensing for a third party product to store event logs.
Amit (IT Architect) Commented:
Which 3rd party tool are you negotiating?
Will Szymkowski (Senior Solution Architect) Commented:
What product are you looking at?

I use Lepide Active Directory Auditor and I have also used ManageEngine, and they are not based on log volume; it is based on the number of domain controllers you want to collect logs from.

I would check the purchasing/licensing requirements again, as this might be the case depending on what 3rd party product you are using to collect the logs.

As I stated before (this will be the 3rd time), you can grab the logs using Windows Event Subscriptions to copy the logs and analyze them on another server. Once you have determined the trending, that will give you a better estimate.

However, I do not think it would be based off of the log storage amount. If that is the case and your statement is correct, then I would be inclined to use Active Directory Auditor by Lepide, as it is licensed per DC, not on log volume.


Amit (IT Architect) Commented:
I agree with Will.
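
The extrapolation the asker describes (current log file size scaled from the first-to-last event window up to 24 hours) can be scripted across all domain controllers. The following is an added example, not code posted by anyone in the thread; the list of log names, the 15-minute minimum window and the CSV path are assumptions.

```powershell
# Added example (not from the thread). Assumed: log list, 15-minute floor, CSV path.
# Requires the ActiveDirectory module and remote event log read rights on each DC.
Import-Module ActiveDirectory

$logNames = 'Security', 'System', 'Application', 'Directory Service'  # assumed scope
$minHours = 0.25   # assumed floor: a shorter window is too small to extrapolate from
$csvPath  = '.\dc-eventlog-estimate.csv'                              # assumed output

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    foreach ($name in $logNames) {
        try {
            $log    = Get-WinEvent -ListLog $name -ComputerName $dc.HostName -ErrorAction Stop
            $oldest = Get-WinEvent -LogName $name -ComputerName $dc.HostName -Oldest -MaxEvents 1 -ErrorAction Stop
            $newest = Get-WinEvent -LogName $name -ComputerName $dc.HostName -MaxEvents 1 -ErrorAction Stop
        } catch {
            # Unreachable DC, access denied, or an empty log: report it and move on.
            Write-Warning ("{0} / {1}: {2}" -f $dc.HostName, $name, $_.Exception.Message)
            continue
        }

        # Window covered by the events currently held in the log.
        $hours  = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
        $sizeMB = $log.FileSize / 1MB
        # Scale the current file size to 24 hours; leave blank if the window is too short.
        $perDay = if ($hours -ge $minHours) { [math]::Round($sizeMB * 24 / $hours, 1) } else { $null }

        New-Object PSObject -Property @{
            DC          = $dc.HostName
            Log         = $name
            MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            FileSizeMB  = [math]::Round($sizeMB, 1)
            Records     = $log.RecordCount
            WindowHours = [math]::Round($hours, 2)
            EstMBPerDay = $perDay
        }
    }
}

# Per-log detail for review, plus a single ballpark total across all DCs.
$report | Select-Object DC, Log, MaxSizeMB, FileSizeMB, Records, WindowHours, EstMBPerDay |
    Export-Csv -Path $csvPath -NoTypeInformation

$usable  = @($report | Where-Object { $_.EstMBPerDay -ne $null })
$totalGB = [math]::Round((($usable | Measure-Object EstMBPerDay -Sum).Sum) / 1024, 2)
"Estimated total across {0} logs: {1} GB/day" -f $usable.Count, $totalGB
```

A single run reflects only the window currently held in each log, so repeating it at different times over a couple of days, as suggested above, gives a more representative figure.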