Recommended settings for event log sizes for Windows XP

windows-event-log windows-xp

Microsoft has posted the recommended settings for event log sizes in Windows Server 2003 and in Windows Server 2008 (link), but I was wondering if anyone knew if there was something somewhere which posted the same information for Windows XP. Most importantly, the recommended maximum total size for each log and all logs.

Best Answer

It would appear that Microsoft themselves do not specify the recommended event log sizes for Windows XP (unlike the article you linked to for Windows Server 2003/2008).

Despite this, there is some information out there from other large organizations that offers default sizes and recommended size settings:

The Computer Security Resource Centre at NIST, in its publication entitled, "Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist" states:

For the Application log, the maximum size should be set to 16384 kilobytes. For the Security log, the maximum size should be set to 81920 kilobytes. For the System log, the maximum size should be set to 16384 kilobytes.

The NSA document, "Windows XP Security Guide" states:

Table 3.18 Event Log Security Setting Recommendations

Setting                     EC desktop   EC laptop   SSLF desktop   SSLF laptop
Maximum appl. log size      16384 KB     16384 KB    16384 KB       16384 KB
Maximum security log size   81920 KB     81920 KB    81920 KB       81920 KB
Maximum system log size     16384 KB     16384 KB    16384 KB       16384 KB

(where EC = Enterprise Client & SSLF = Specialized Security - Limited Functionality)

And finally, the DISA publication, "Windows XP Security Checklist" states:

If any of the following conditions are true, then this is a finding:

If the value for “Maximum application log size” is not set to a minimum of “16384 kilobytes”, then this is a finding.

If the value for “Maximum security log size” is not set to a minimum of “81920 kilobytes”, then this is a finding.

If the value for “Maximum system log size” is not set to a minimum of “16384 kilobytes”, then this is a finding.

Of course, the default sizes of 512 KB for each event log, as configured by Windows XP itself upon installation, could be considered the "default" sizes.

Some other links that may be useful:

Microsoft Windows XP Power Productivity Book (on Google Books)
Group Policy Settings - Security Settings - Event Log
Fixing "The Event Log is Full" Error on Windows XP
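
The following is an added example, not part of the original answer: a check of a security template (.inf) against the minimum sizes quoted above from the NIST, NSA and DISA guidance. It assumes the settings are available as a template using the `[Application Log]`, `[Security Log]` and `[System Log]` sections with a `MaximumLogSize` key in kilobytes; the sample template and the function name are constructed for illustration.

```python
import configparser

# Minimum sizes in KB, as quoted above from the NIST, NSA and DISA guidance.
MINIMUM_KB = {"Application Log": 16384, "Security Log": 81920, "System Log": 16384}

# Constructed sample template, not taken from a real system.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Log]
MaximumLogSize = 16384
[Security Log]
MaximumLogSize = 20480
AuditLogRetentionPeriod = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def audit_log_sizes(template_text):
    """Return (log, configured_kb, minimum_kb) for every log below its minimum.

    configured_kb is None when the template does not define the setting
    (or defines a non-numeric value); that is reported as a finding too.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(template_text)
    # INF section names are case-insensitive; configparser's are not.
    sections = {name.lower(): parser[name] for name in parser.sections()}
    findings = []
    for log, minimum in MINIMUM_KB.items():
        raw = sections.get(log.lower(), {}).get("MaximumLogSize")
        try:
            configured = int(raw)
        except (TypeError, ValueError):
            configured = None  # not defined, or not a number
        if configured is None or configured < minimum:
            findings.append((log, configured, minimum))
    return findings


if __name__ == "__main__":
    for log, configured, minimum in audit_log_sizes(SAMPLE_TEMPLATE):
        shown = "not defined" if configured is None else f"{configured} KB"
        print(f"FINDING: {log} maximum size is {shown}, minimum is {minimum} KB")
```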