Active Directory: Logs

Parity123
Hello,

I am trying to estimate the size of all event logs on all 2008 R2 domain controllers. For instance, what would be the log size per day: use the time difference between the first event and the last event, and extrapolate it to 24 hours to figure out an approximate size. Is there a tool or script that you can share that would get me this report?

Thanks very much for any assistance you can provide.
Amit, IT Architect
Distinguished Expert 2017

Commented:
You need a 3rd party tool to archive the logs. By default, your logs will be overwritten. Check the log settings to see what size you have set. On a DC, logs might be overwritten pretty fast. If, for example, you set a 16 MB log size and it gets overwritten in 2 hours, then you know the maths.

Author

Commented:
I know that it is going to be overwritten; I am trying to get the event log sizes. For instance: if the time difference between the first event and the last event is 2 hours, I need to get the current event log size and multiply it by 12 to estimate the log size per day. This is just a scientific way of estimating; it may not be exact, but it will give us some idea. I want to be able to project how much data gets collected over a day on all the domain controllers.
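The estimate described in the question and in the follow-up comment above (current log size scaled by 24 hours divided by the span between the oldest and newest retained event), as an added example script. This is not code from the thread or from any of its participants. Assumptions: you are a member of Event Log Readers or Domain Admins, the "Remote Event Log Management" firewall rule is enabled on the DCs, PowerShell 2.0 or later (so it runs on 2008 R2 itself), and the list of log names is a suggestion you can change.

```powershell
# Added example, not from the original thread: per-DC, per-log estimate of daily event volume.
# Method: bytes currently in the log file, scaled by 24 h / (newest event - oldest event).
# For a circular log that has already wrapped, that span is the retention window, so the
# result is roughly what the log collects per day.
# Assumptions: Event Log Readers (or Domain Admins) rights on every DC, the
# "Remote Event Log Management" firewall rule enabled, PowerShell 2.0+.
param(
    [string[]]$ComputerName,
    [string[]]$LogName = @('Security', 'System', 'Application', 'Directory Service', 'DNS Server')
)

if (-not $ComputerName) {
    # Enumerate the DCs of the current domain without needing the AD module (works on 2008 R2).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $ComputerName = $domain.DomainControllers | ForEach-Object { $_.Name }
}

$results = foreach ($dc in $ComputerName) {
    foreach ($log in $LogName) {
        try {
            $cfg = Get-WinEvent -ListLog $log -ComputerName $dc -ErrorAction Stop
            if ($cfg.RecordCount -lt 2) { continue }   # nothing to extrapolate from

            # Oldest retained event and newest event; three remote calls per log, no full read.
            $oldest = Get-WinEvent -LogName $log -ComputerName $dc -Oldest -MaxEvents 1 -ErrorAction Stop
            $newest = Get-WinEvent -LogName $log -ComputerName $dc -MaxEvents 1 -ErrorAction Stop
            $span   = $newest.TimeCreated - $oldest.TimeCreated
            if ($span.TotalHours -le 0) { continue }

            $bytesPerDay = $cfg.FileSize * (24 / $span.TotalHours)
            New-Object PSObject -Property @{
                DC          = $dc
                Log         = $log
                Mode        = $cfg.LogMode                              # Circular = overwritten in place
                SizeMB      = [math]::Round($cfg.FileSize / 1MB, 1)
                MaxMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 0)
                SpanHours   = [math]::Round($span.TotalHours, 1)
                EstMBPerDay = [math]::Round($bytesPerDay / 1MB, 1)
            }
        } catch {
            # Log absent on this DC (e.g. DNS Server on a non-DNS DC), RPC blocked, or access denied.
            Write-Warning ("{0} / {1}: {2}" -f $dc, $log, $_.Exception.Message)
        }
    }
}

$results | Sort-Object DC, Log |
    Format-Table DC, Log, Mode, SizeMB, MaxMB, SpanHours, EstMBPerDay -AutoSize

$total = ($results | Measure-Object EstMBPerDay -Sum).Sum
"Estimated total across {0} DCs: {1:N0} MB/day ({2:N1} GB/day)" -f $ComputerName.Count, $total, ($total / 1024)
```

Two caveats when reading the numbers: FileSize is the on-disk .evtx size, which is allocated in chunks and includes headers, so a small or recently cleared log overstates its real content, while a wrapped circular log reports roughly its maximum size. And the span only covers what the DC still holds; a Security log that wraps in two hours gives a two-hour sample, so run this a few times across the week (pipe `$results` to `Export-Csv`) before using the figure in a licensing discussion.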
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
This is really something that you will have to monitor on an ongoing basis. Logs can vary at any time for any reason. Different logs can accumulate faster than others, i.e. Security logs. How and what your current configuration is will determine how big your logs will get.

Leaving the default 16MB for Security logs IMO is too small. You should be setting logs specifically on a DC to no less than 1GB for Security and 500MB for App and Server logs.

So whether you have AD auditing enabled on your domain controllers will also give you a good indication of whether your logs will overwrite faster. If you have AD logging enabled for all events, your logs will overwrite very quickly with the default settings.

@Amit - you do not necessarily have to purchase a 3rd party product to archive the logs. You can use Windows Event Subscriptions, which comes as a feature with Windows Server 2008 and up. This will allow you to move/copy your logs to a "Logging Server".

So really this is something that you will have to monitor and it can change on any given day based on the activity on your domain.

Will.

Author

Commented:
@Will - I realize what you are saying. I have been asked to provide a ballpark figure to estimate the storage/license cost for something we are trying to acquire.
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Well, like I said originally, you would be the best person to figure that out because it would be based on your environment configuration. Auditing AD is going to make your Security logs grow substantially. The logs will increase or decrease in size based on the activity.

AFAIK there is no software out there specifically for this. However, if you are looking at this from a storage perspective, logs are not very large at all and they can be compressed very well, so I do not think storage should be an issue here. Not sure where licensing fits in to this.

However, the best advice is just to monitor your logs for a couple of days and see what the trending is. Like I said, you can use Windows Event Subscriptions to pull the logs from the DCs to another member server so that you can analyze them more easily.

Will.
Muhammad Burhan, Manager I.T.
Top Expert 2015

Commented:
You can easily calculate it manually:
copy them from another location daily and compare them for an average.
(attachment: 1.jpg)

Author

Commented:
We have 300+ domain controllers, and the size of logs is very important to negotiate licensing for a third party product to store event logs.
Amit, IT Architect
Distinguished Expert 2017

Commented:
Which 3rd party tool are you negotiating?
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
What product are you looking at?

I use Lepide Active Directory Auditor and I have also used ManageEngine, and they are not based on log volume; it is based on the number of domain controllers you want to collect logs from.

I would check the purchasing/licensing requirements again, as this might be the case depending on what 3rd party product you are using to collect the logs.

As I stated before (this will be the 3rd time), you can grab the logs using Windows Event Subscriptions to copy the logs and analyze them on another server. Once you have determined the trending, that will give you a better estimate.

However, I do not think it would be based off of the log storage amount. If it is the case and your statement is correct, then I would be inclined to use Active Directory Auditor by Lepide as it is a per-DC license, not on log volume.

Will.
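The Windows Event Subscriptions approach Will recommends three times in this thread (move the DC logs to a member server and measure the trend there), as an added example. This is not code from the thread or from any participant. Assumptions: a collector named COLLECTOR01.contoso.local (hypothetical), domain-joined 2008 R2 DCs that can reach it over WinRM (TCP 5985, Kerberos), and the subscription XML follows Microsoft's documented source-initiated sample; the subscription name DC-Security and the 4 GB destination size are choices, not requirements.

```powershell
# Added example, not from the original thread: collect the Security log of every DC on one
# member server with a source-initiated Windows Event Forwarding subscription, then measure
# the volume that lands there instead of guessing from the DCs' circular logs.
# Assumptions: collector COLLECTOR01.contoso.local (hypothetical), 2008 R2 DCs, WinRM over
# HTTP/5985 with Kerberos allowed from the DCs to the collector.

# --- On the collector (run once) -------------------------------------------------------
wecutil qc /q                                   # enable and auto-start the Windows Event Collector service
wevtutil sl ForwardedEvents /ms:4294967296      # 4 GB destination log; the default is far too small for 300 DCs

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL as in Microsoft's sample: Domain Computers (DC) and Network Service (NS) may push -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'dc-security.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath                             # create the subscription from the XML

# --- On each DC (normally pushed by GPO; shown as the equivalent local commands) --------
winrm quickconfig -q                            # WinRM listener plus firewall rule
# GPO: Computer Configuration > Administrative Templates > Windows Components >
#      Event Forwarding > Configure target Subscription Manager, value:
#      Server=http://COLLECTOR01.contoso.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
# The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default.
# Grant it read (0x1) by appending (A;;0x1;;;NS) to the channel's current SDDL. Print the
# current value first with "wevtutil gl Security"; the string below is the 2008 R2 default
# (SYSTEM, Administrators, Event Log Readers S-1-5-32-573) plus that ACE, an assumption to
# adjust if your SDDL differs.
wevtutil sl Security /ca:"O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)"

# --- Back on the collector: verify sources are checking in and watch the volume grow -----
wecutil gr DC-Security                          # per-source status and last heartbeat
Get-WinEvent -ListLog ForwardedEvents | Select-Object FileSize, RecordCount, LastWriteTime
```

Once events are flowing, the growth of ForwardedEvents over a full week (or the size of the archived .evtx files if you switch it to AutoBackup) is the per-day figure the licensing discussion needs, measured rather than extrapolated, and it already reflects whatever AD auditing policy is in force.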
Amit, IT Architect
Distinguished Expert 2017

Commented:
I agree with Will.
