• Status: Solved
  • Priority: Medium
  • Security: Public

Filtering Windows event logs

As our company is getting larger we are having an issue with security event logs running over the size limit quickly. I was wondering if there is a way to filter the log for the bad password event ID and save the last 5MB of the filtered events. I found the create custom log, but it only seems to create a preselected filter for the existing events.
Asked by: Adam Chaney

McKnife commented:
You shouldn't log anything - maybe it would be better to revise what is being logged.

65td (Retired) commented:
Is the security log set to its maximum (4 GB)?
https://technet.microsoft.com/en-us/library/cc938399.aspx?f=255&MSPPError=-2147217396

You could write a PowerShell script to handle your requirements.

Have you thought about a log collection and alerting tool such as Splunk?

Adam Chaney (Author) commented:
Not sure that I understand. Why wouldn't we want to log anything? We use the default security log on the domain controller for troubleshooting bad password attempts. Usually I can track where the password attempts are coming from (RADIUS server, Exchange server, etc.) to let the user know they need to update a password in a specific location.
McKnife commented:
You could do a lot with PowerShell or batch (batch: wevtutil.exe).
What I'd really recommend is to set up event-based triggers and have your DC mail you when accounts are getting locked. Is that an option for you?
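The PowerShell/wevtutil route that 65td and McKnife point to, written out as an added example that is not part of this thread and not code from any of the posters. It assumes it runs elevated on the domain controller as a daily scheduled task, that "bad password" means Security event ID 4625 ("An account failed to log on"), and that the archive directory and the 5 MB cap are placeholders you would adjust. Each run exports only the matching events from the last 24 hours into a dated .evtx file, prunes the oldest exports until the archive is under the cap, and prints a summary of which user/source pairs generate the failures, which is the information the author says they use to find the stale credential.

```powershell
# Added example: archive failed-logon events from the Security log into a
# size-capped folder and summarise their sources. Not from the original thread.
# Assumptions (placeholders): the archive path, the 5 MB cap, a daily schedule,
# and event ID 4625 as the "bad password" indicator.

param(
    [string]$ArchiveDir      = 'C:\EventArchive',  # assumed path
    [int]   $EventId         = 4625,               # Security: an account failed to log on
    [long]  $MaxArchiveBytes = 5MB,                # size cap for the whole archive folder
    [int]   $LookbackHours   = 24                  # match the scheduled-task interval
)

New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

# 1. Export only the matching events with wevtutil and an XPath query.
#    timediff() is in milliseconds relative to now.
$lookbackMs = $LookbackHours * 3600 * 1000
$query   = "*[System[(EventID=$EventId) and TimeCreated[timediff(@SystemTime) <= $lookbackMs]]]"
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $ArchiveDir "Security-$EventId-$stamp.evtx"
& wevtutil.exe epl Security $outFile "/q:$query"

# 2. Keep the archive under the cap: remove the oldest exports first.
$files = Get-ChildItem -Path $ArchiveDir -Filter '*.evtx' | Sort-Object LastWriteTime
$total = ($files | Measure-Object -Property Length -Sum).Sum
foreach ($f in $files) {
    if ($total -le $MaxArchiveBytes) { break }
    $total -= $f.Length
    Remove-Item -Path $f.FullName
}

# 3. Summarise where the failed attempts are coming from.
#    EventData is parsed from the event XML so the fields are named, not positional.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            SubStatus   = $data['SubStatus']     # 0xC000006A = wrong password
        }
    } |
    Group-Object -Property User, SourceIP |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name |
    Format-Table -AutoSize
```

Run it once by hand to confirm the export file appears and the summary lists the expected sources, then register it as a scheduled task. The export step does not reduce the size of the live Security log; it gives you a small, filtered copy that survives when the main log wraps, which is the part of the question the built-in custom view cannot do.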
Seth Simmons (Sr. Systems Administrator) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: McKnife (https:#a42455622)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer