<div>
You shouldn't log anything - maybe it would be better to revise what is being logged.
</div>


<div>
Is the security log set it's maximum (4 GB)?<br />
<a href="https://technet.microsoft.com/en-us/library/cc938399.aspx?f=255&MSPPError=-2147217396" rel="ugc">https://technet.microsoft.com/en-us/library/cc938399.aspx?f=255&MSPPError=-2147217396</a><br />
<br />
Could write a power script to handle your requirements.<br />
<br />
Have you thought about a log collection and alerting tool such as splunk?
</div>


<div>
Not sure that I understand. Why wouldn't we want to log anything? We use the default security log on the domain controller for trouble shooting bad password attempts. Usually I can track where the password attempts are coming from (radius server, exchange server, ect) to let the user know they need to updated a password in specific location.
</div>


<div>
How to Trace the Source of a Bad Password and Account Lockout in AD:<br />
<a href="http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/" rel="ugc">http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/</a><br />
<br />
How to track and troubleshoot User Account Lockouts:<br />
<a href="https://www.lepide.com/how-to/track-and-troubleshoot-user-account-lockouts-with-lepideauditor.html" rel="ugc">https://www.lepide.com/how-to/track-and-troubleshoot-user-account-lockouts-with-lepideauditor.html</a>
</div>


<div>
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.<br />
<br />
I have recommended this question be closed as follows:<br />
<br />
Accept: McKnife (<a href="https:#a42455622" rel="ugc">https:#a42455622</a>)<br />
<br />
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.<br />
<br />
seth2740<br />
Experts-Exchange Cleanup Volunteer
</div>


<div>
<div class="content wysiwyg-content">
As our company is getting larger we are having an issue with security event logs running over the size limit quickly. I was wondering if there is a way to filter the log for the bad password event ID and save the last 5MB of the filtered events. I found the create custom log, but it only seems to create a preselected filter for the existing events.
</div>
</div>


As our company is getting larger we are having an issue with security event logs running over the size limit quickly. I was wondering if there is a way to filter the log for the bad password event ID and save the last 5MB of the filtered events. I found the create custom log, but it only seems to create a preselected filter for the existing events.

Filtering windows event logs

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.