Dirteam.com/ActiveDir.org Blogs

tonymurray
Event logs and the "Maximum security log size" Group Policy setting

A post yesterday on ActiveDir.org reminded me of something I learnt recently about event logging and, in particular, how certain Group Policy settings can cause problems and inconsistencies. The customer I was working with had implemented an entry in the Default Domain Controllers Policy to set the value for the Maximum security log size to 4194240 KB (4GB). This is the largest value that can be set. I was assisting with investigating a security incident and we were surprised to find that the security event logs on the DCs did not contain the audit entry we were looking for. Events were being overwritten after approximately 3 days. I figured this was unusual given that the security event log size had been configured to 4GB. That's when I got a surprise: the size of the security event logs on the DCs was on average about 380MB, in other words considerably smaller than the 4GB configured by Group Policy.

At first I thought the issue must be with Group Policy not applying, so I did some troubleshooting around that.  That turned out to be a blind alley as everything seemed to be applying successfully.  I then spent some time with my good friend Mr. Google and eventually we found the answer.  The issue has to do with the event log service using memory mapped files.  There is apparently an architectural limitation common to all current versions of Windows with regard to memory-mapped files.  No process can have more than 1GB of memory-mapped files in total, which means that all of the services that run under the services.exe process must share the 1GB pool.  This implies that not only can the Maximum security log size not get anywhere near the 4GB mark, but that all event logs need to come in well under the 1GB limit to allow room for the other memory mapped services.

The recommendations for setting the event log sizes are made in the following two Microsoft web pages:

http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch06n.mspx

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

The most relevant quote for me from these articles was this:

"On domain controllers, the combined size of these three logs — plus the Directory Service, File Replication Service, and DNS Server logs — should not exceed 300 MB."

Note that on my customer's DCs the security event log by itself was on average about 380MB, which was clearly in the red zone and didn't leave much left for the other memory mapped services.
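If you want to check where your own DCs stand against that 300MB figure, here is a PowerShell check I have added to this post (it is not from the TechNet pages and not something I ran at the customer). It reads the MaxSize and File values that the "Maximum ... log size" policies write under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log> for the six logs named in the quote, sums the configured maximums, and warns when any single log is configured above the 1GB memory-mapped ceiling or the combined total exceeds the 300MB guidance. It assumes an elevated PowerShell session on a DC and the classic registry layout with those value names; the log names in the list are assumed to match the display names on your servers.

```powershell
# Added example, not part of the original post. Sums the configured maximum sizes of the six
# logs named in the TechNet quote and compares the total with the 300 MB recommendation and
# with the 1 GB per-process memory-mapped ceiling the post describes.
# Assumptions: elevated PowerShell on a domain controller; the classic registry layout
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log> with MaxSize (bytes) and File values.

$LogsToCheck = @('Application', 'System', 'Security',
                 'Directory Service', 'File Replication Service', 'DNS Server')

$RecommendedCombined = 300MB   # combined-size recommendation quoted in the post
$MappedCeiling       = 1GB     # memory-mapped file limit for services.exe described in the post

$logs = foreach ($name in $LogsToCheck) {
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$name"
    if (-not (Test-Path $regPath)) {
        # Directory Service / FRS / DNS Server logs exist only on DCs; report rather than fail
        [pscustomobject]@{ Log = $name; Present = $false; MaxSizeBytes = 0; FileBytes = 0 }
        continue
    }
    $props = Get-ItemProperty -Path $regPath

    # MaxSize is absent until a policy or an administrator sets it; treat "not set" as 0.
    # The registry provider returns REG_DWORD as a signed Int32, so a 4 GB setting
    # (0xFFFF0000) reads as a negative number; mask it back to an unsigned 32-bit value.
    $maxSize = if ($null -ne $props.MaxSize) { ([int64]$props.MaxSize) -band 0xFFFFFFFF } else { 0 }

    # File is the on-disk .evt/.evtx path; its current length is what the log really reached
    $file   = if ($props.File) { [Environment]::ExpandEnvironmentVariables($props.File) } else { $null }
    $onDisk = if ($file -and (Test-Path $file)) { (Get-Item $file).Length } else { 0 }

    [pscustomobject]@{ Log = $name; Present = $true; MaxSizeBytes = $maxSize; FileBytes = $onDisk }
}

$logs | Select-Object Log, Present,
    @{ n = 'MaxSizeMB'; e = { [math]::Round($_.MaxSizeBytes / 1MB, 1) } },
    @{ n = 'OnDiskMB';  e = { [math]::Round($_.FileBytes    / 1MB, 1) } } |
    Format-Table -AutoSize

$configured  = ($logs | Measure-Object -Property MaxSizeBytes -Sum).Sum
$onDiskTotal = ($logs | Measure-Object -Property FileBytes    -Sum).Sum

"Configured maximum, combined : {0:N1} MB" -f ($configured  / 1MB)
"Current on-disk total        : {0:N1} MB" -f ($onDiskTotal / 1MB)

# A single log configured above the per-process ceiling can never reach its configured size,
# which is exactly the symptom in the post (4 GB configured, roughly 380 MB observed).
foreach ($l in ($logs | Where-Object { $_.MaxSizeBytes -gt $MappedCeiling })) {
    Write-Warning ("{0}: configured maximum {1:N0} MB exceeds the 1 GB memory-mapped ceiling" -f
        $l.Log, ($l.MaxSizeBytes / 1MB))
}

if ($configured -gt $RecommendedCombined) {
    Write-Warning ("Combined configured maximum {0:N0} MB exceeds the 300 MB guidance for DCs" -f
        ($configured / 1MB))
} else {
    "Combined configured maximum is within the 300 MB guidance."
}
```

The on-disk column is the useful one when you are chasing missing audit events: if it sits far below the configured maximum while the log is already wrapping, the configured value is not the limit that actually applies.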

Well, the bottom line is that I re-configured the Group Policy for my customer to a much more sensible maximum, so the end result was positive. On the downside, I still feel bemused that Group Policy actually allows the limit to be set to 4GB for an individual log. Surely this makes no sense given the recommendation around 300MB, especially as this information is not easy to find. As an example, Windows Server 2003 SP1 includes a modification in gpedit.msc (the Group Policy editor) that, when configuring the Maximum security log size, shows a warning and a pointer (see screenshot above) to a KB article (823659). Sounds good, doesn't it? This article will give us the information about how to configure the appropriate maximum sizes, right? Well, no. Actually the article is generally unnecessarily wordy and, in relation to the security event log settings, only mentions the 4GB maximum and a health warning about using the Shut down system immediately if unable to log security audits setting. Mmm.

Tony

www.activedir.org

Join the Active Directory Discussions mailing list: http://www.activedir.org/List.aspx

Published Friday, September 01, 2006 12:22 PM by tonymurray

Comments

 

JefTek.com said:

There has been a lot of discussion on using Windows Server 2003 64-bit edition for an Active Directory Domain Controller (DC) lately. Brian Puhl posts some insightful information on his blog, which offers details on Microsoft's internal 64bit environment.

March 31, 2008 9:11 PM