
Filtering windows event logs

As our company is getting larger, we are having an issue with security event logs running over the size limit quickly. I was wondering if there is a way to filter the log for the bad password event ID and save the last 5MB of the filtered events. I found the create custom log, but it only seems to create a preselected filter for the existing events.
Adam Chaney
1 Solution
You shouldn't log anything - maybe it would be better to revise what is being logged.
Is the security log set to its maximum (4 GB)?

You could write a PowerShell script to handle your requirements.

Have you thought about a log collection and alerting tool such as Splunk?
Adam Chaney (Author) commented:
Not sure that I understand. Why wouldn't we want to log anything? We use the default security log on the domain controller for troubleshooting bad password attempts. Usually I can track where the password attempts are coming from (RADIUS server, Exchange server, etc.) to let the user know they need to update a password in a specific location.
You could do a lot with PowerShell or batch (batch: wevtutil.exe).
What I'd really recommend is to set up event-based triggers and have your DC mail you when accounts are getting locked. Is that an option for you?
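A script along the lines of the PowerShell suggestion above, added here as an example and not code posted by anyone in the thread. It assumes it runs in an elevated session on the DC, that 4625, 4771 and 4776 are the failed-authentication event IDs you care about, and that the output path is a placeholder:

```powershell
# Added example: export recent failed-authentication events from the Security
# log to a CSV and keep only the newest rows within a size cap.
# Assumptions: elevated session on the DC; 4625 (logon failure), 4771 (Kerberos
# pre-auth failure) and 4776 (NTLM validation failure) are the IDs of interest;
# $OutFile is a placeholder path.
param(
    [int[]]  $EventIds      = @(4625, 4771, 4776),
    [string] $OutFile       = 'C:\Logs\BadPassword.csv',
    [long]   $MaxBytes      = 5MB,
    [int]    $LookbackHours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

# Get-WinEvent throws when nothing matches, hence SilentlyContinue.
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML. The source
        # IP/workstation is what points at the box holding the stale password.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            User        = $d['TargetUserName']
            Source      = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
            Status      = $d['Status']
        }
    }

$dir = Split-Path $OutFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$rows | Export-Csv -Path $OutFile -Append -NoTypeInformation

# Enforce the cap: the header is line 0, the oldest data row is line 1.
# Size is approximated as characters plus CRLF per line (exact for ASCII CSV).
$lines = [System.Collections.Generic.List[string]](Get-Content $OutFile)
$size  = ($lines | Measure-Object -Property Length -Sum).Sum + 2 * $lines.Count
while ($size -gt $MaxBytes -and $lines.Count -gt 1) {
    $size -= $lines[1].Length + 2
    $lines.RemoveAt(1)
}
Set-Content -Path $OutFile -Value $lines
```

Run it from Task Scheduler at an interval shorter than the time the Security log takes to wrap; the filtered CSV then survives even when the log itself rolls over, while raising the log size or forwarding to a collector keeps the non-authentication events the trimmed copy drops.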
Naveen Sharma commented:
Seth Simmons (Sr. Systems Administrator) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: McKnife (https:#a42455622)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer