A small, nearly hidden feature of the Event Viewer by Microsoft is the ability to autoarchive the logs. Of course, one of the most important Event Viewer logs is the security log. For years, we have had to develop solutions or acquire software to help archive the security log when it fills up; but now, that is no longer necessary.
First, you can enable autoarchiving by accessing the properties of the security log, which is shown in Figure 1.
Figure 1. Security log can be autoarchived when full.
You also have settings within Group Policy, which give you even more control over the security log and how it is archived. If you access a Group Policy Object (GPO) path of Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security, you can see these policies. You can see this path in Figure 2.
Figure 2. Security log settings in Group Policy.
The ideal configuration is to Enable “Retain old events” and also Enable “Backup log automatically when full”. This will create a file for each full log, creating a new log for new events. A final configuration, if you want to control where the archived logs are stored, is to configure the Log File Path policy.
Learn more | Download for free.
Of course, accessing these files is a completely different story! This is where you would want to obtain some tool to help you import, view, and analyze the archived logs. You can do this with Event Viewer, but this is a manual process of importing each archived log file individually.
Ideally, you would want to get a tool like ADAudit Plus from ManageEngine. This tool provides the perfect solution to dealing with issues of archived logs. ADAudit Plus now does real-time security log collection, from every domain controller in your domain. ADAudit Plus also provides the ideal reporting and analysis solution. You can read more about the real-time auditing of ADAudit Plus here