Domain Controller Security Event Log settings in GPO


Mike Leone

Jan 3, 2024, 3:01:52 PM
to NTSysAdmin
So here's a question. In our DC GPO, we set the "Maximum security log size" to 200M (204880K, specifically) in the Computer>Policies>Windows Settings>Security>Event Log. 

Yet the recommendations I see seem to point to:

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Specify the maximum log file size (KB)

I have a need to increase that amount (that's barely 1 day's worth of entries apparently, so it's overwriting a lot, and I have no history ..). We do use a central log server (not a DC), and I will increase it there (to like 3G ...). But what would you recommend as the security log size for the actual DC? That way, I'll have more history directly on the DC, and with the central log server, much more history.

Thanks




Wright, John M

Jan 3, 2024, 3:21:47 PM
to ntsys...@googlegroups.com

I imagine it’ll depend on the size of the organization.  We have around 900 users in our domain.  I’ve got the max log size on our DCs set to 2GB, and that captures about 9 days of entries.

 

That said, I don’t have a confident recommendation.  I really don’t know what’s standard practice.  I just wanted to have them retain a little better than a week in case we needed to go back a bit, and without having to pore through VM backups to get the info.

 


Wright, John M

Jan 3, 2024, 3:23:27 PM
to ntsys...@googlegroups.com

I should have added that I use the stronger among the MS recommendations for auditing.  What auditing policy you use will also affect size and time period captured.  Audit Policy Recommendations | Microsoft Learn

 


Michael B. Smith

Jan 3, 2024, 3:25:54 PM
to ntsys...@googlegroups.com

Looking at Security event logs in situ is horrible and can have a major impact on DC performance. I’d strongly recommend using some tool to search them OFF the DCs.

 


Mike Leone

Jan 3, 2024, 3:51:50 PM
to ntsys...@googlegroups.com
On Wed, Jan 3, 2024 at 3:25 PM Michael B. Smith <mic...@smithcons.com> wrote:

Looking at Security event logs in situ is horrible and can have a major impact on DC performance. I’d strongly recommend using some tool to search them OFF the DCs.


I have a central log server, and I have all the DCs subscribed. But I am not seeing events 4624 in the forwarded events. I *am* seeing them locally on the DC (as I expected I would). I dunno why they're not forwarding (yet).

The subscription says "last 7 days, Critical,Warning,Error,Info,Verbose.  Event Logs: Application, Security, System, All Event IDs, all users, all computers". 

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
    <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>

I thought that would forward everything in the security log (among others) from every DC to the central log server to the "Forwarded Events" log. But it isn't - I see no ID 4624 on the central log server, but do see it on the DC directly.

What concept am I missing, that I'm not getting all the events I need?

I

Michael B. Smith

Jan 3, 2024, 4:23:24 PM
to ntsys...@googlegroups.com

Don’t make it hard.

 

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>
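One thing worth checking before reworking the query, because a subscription that looks right can still deliver nothing from Security: source-initiated forwarding runs as NETWORK SERVICE, which can read Application and System by default but not the Security channel, and the subscription does not surface that as an error. A second common gap is that a new subscription only ships events generated after the source enrolled unless ReadExistingEvents is on, so a "last 7 days" filter on its own backfills nothing. The PowerShell below is an added example, not something posted in the thread; it checks both on a source DC, then inspects and updates the subscription on the collector using the plain query Michael posted. The subscription name DC-Security is an assumption.

```powershell
# Added example, not from the thread. The subscription name 'DC-Security' is
# an assumption; substitute your own.

# ===== Part 1: run on a source DC ==========================================
# Source-initiated forwarding is done by the WinRM-hosted forwarding plug-in,
# which runs as NT AUTHORITY\NETWORK SERVICE (SID S-1-5-20). The default
# Security channel ACL grants read only to SYSTEM, Administrators and the
# Event Log Readers group, so NETWORK SERVICE reads nothing from it until it
# is granted read (0x1) directly or through that group.
$sddl    = [string]((wevtutil gl Security) -match '^channelAccess:' -replace '^channelAccess:\s*', '')
$readers = [string](net localgroup "Event Log Readers")

$directAce = $sddl -match '\(A;;[^;]*;;;(NS|S-1-5-20)\)'   # explicit ACE for NETWORK SERVICE
$viaGroup  = $readers -match 'NETWORK SERVICE'              # member of Event Log Readers (S-1-5-32-573)

"Security channelAccess : $sddl"
if ($directAce -or $viaGroup) {
    "NETWORK SERVICE can read Security (explicit ACE: $directAce; via Event Log Readers: $viaGroup)"
} else {
    "NETWORK SERVICE cannot read Security. Grant it with one of:"
    '  net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add'
    '  or by GPO: Administrative Templates\Windows Components\Event Log Service\Security\'
    '  Configure log access, set to the current SDDL with (A;;0x1;;;NS) appended'
}

# Where the source has been told to enrol (GPO: Configure target Subscription
# Manager). Nothing here means the DC never contacts any collector.
$mgr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
Get-ItemProperty -Path $mgr -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* | Format-List

# The plug-in's own operational log records enrolment and read failures.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# ===== Part 2: run on the collector ========================================
Get-Service Wecsvc | Select-Object Status   # Windows Event Collector must be running
wecutil es                                   # every subscription on this collector
wecutil gr DC-Security                       # per-source status (Active/Inactive) and last error
wecutil gs DC-Security /f:xml                # full config, including ReadExistingEvents and <Query>

# A subscription only ships events generated after the source enrolled unless
# ReadExistingEvents is true, so a "last 7 days" filter on its own backfills
# nothing. Turn it on, then replace the filtered query with the plain one.
# Single-quoted XML attributes keep the argument simple to pass from PowerShell.
wecutil ss DC-Security /ree:true
$query = "<QueryList><Query Id='0' Path='Application'>" +
         "<Select Path='Application'>*</Select>" +
         "<Select Path='Security'>*</Select>" +
         "<Select Path='System'>*</Select>" +
         "</Query></QueryList>"
wecutil ss DC-Security /q:$query

# Confirm 4624 now arrives, and from which DCs.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624 } -MaxEvents 500 |
    Group-Object MachineName | Select-Object Name, Count
```

Group membership for NETWORK SERVICE only takes effect once the WinRM service's token is rebuilt (restart the service or reboot), which is one reason the Configure log access GPO is the easier route on DCs. If wecutil ss rejects the inline query, the same change can be made by dumping the config with gs /f:xml, editing the Query element, and loading it back with wecutil ss DC-Security /c:<file>.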

Mike Leone

Jan 3, 2024, 4:25:19 PM
to ntsys...@googlegroups.com
On Wed, Jan 3, 2024 at 4:23 PM Michael B. Smith <mic...@smithcons.com> wrote:

Don’t make it hard.

 

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>


I didn't make that query, that's what the XML said, based on those selections I made. :-)

I'll try changing that tomorrow, when I get in again.
 

Philip Elder

Jan 3, 2024, 5:00:58 PM
to ntsys...@googlegroups.com

Keep in mind that you can scavenge any previous log sets from backup.

 


Mike Leone

Jan 4, 2024, 9:27:13 AM
to ntsys...@googlegroups.com
On Wed, Jan 3, 2024 at 5:00 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Keep in mind that you can scavenge any previous log sets from backup.


Well, yes and no. Yes, I back up each DC nightly. However, as I noted earlier, the log size seems insufficient to hold even 1 full day of activity. Meaning that even if I restore a log file itself from a specific day, part of the day's activity will have already been rolled over and lost ... 

Hence why I want to increase the log size on the DC directly, from its current 200M size. 
And then also figure out why the DC is not forwarding all events (such as logon event 4624) to my central log server, which is set for a much higher log size. But that's step 2 ....

So my original question is:

In our DC GPO, we set the "Maximum security log size" to 200M (204880K, specifically) in the Computer>Policies>Windows Settings>Security>Event Log. 

Yet the recommendations I see seem to point to using this setting instead:

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Specify the maximum log file size (KB)

So: which should I use - the current config area (just increasing the size), or instead set it in the Adm Template location?

I have a need to increase that amount (that's barely 1 day's worth of entries apparently, so it's overwriting a lot, and I have no history ..). We do use a central log server (not a DC), and I will increase it there (to like 3G ...). 

But what would you recommend as the security log size for the actual DC? That way, I'll have more history directly on the DC, and with the central log server, much more history.


 


Orlebeck, Geoffrey

Jan 4, 2024, 10:10:16 AM
to ntsys...@googlegroups.com

I didn’t see it called out specifically, so just checking, have you validated your DCs’ Security logs are actually configured to be 200MB on the DCs themselves? If so, you can probably adjust the existing GPO, then confirm the DCs update. FWIW, there are instances where particular policies are configurable in multiple areas of Group Policy, sometimes due to legacy/granular changes, but the client will apply the correct/relevant configuration, regardless. This may be one of those situations.

 


Philip Elder

Jan 4, 2024, 12:44:27 PM
to ntsys...@googlegroups.com

This is a pain as far as the overlap between “new” and “old” areas for what are essentially the same settings. The Windows Firewall has a lot of these issues.

 

So, here’s the thing, if the current “old” area settings are functioning as expected then tweak those. Don’t remove them after setting up the “new” area settings. That’s probably going to lead to grief with no way out but a restore.

 

So, update the current settings.

 


Matt Stork

Jan 4, 2024, 2:20:35 PM
to ntsys...@googlegroups.com

Does it really matter which setting you use if you get the desired result? I’m not aware of a deprecation or recommendation against using either setting.

 

Do you have a test system, any Win version would do, that you can point the GPO settings at to see if they work like you want them to? Heck, set them to different values and let us know which one wins.

-Matt

 


Mike Leone

Jan 4, 2024, 2:35:52 PM
to ntsys...@googlegroups.com
Yes, the setting on the DC itself for security log size is the size set in our GPO.

I just double checked, and apparently the current size is good for about 18 hours or so - the earliest entry is 6PM last night, current entry is 2:30PM today (so approx 18 hours).

So I think I will set it from 200M to 400M, that way there will always be at least 24-30 hours in there, until I can figure out why it isn't forwarding events 4624 to the central log server ....
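Whichever of the two policy locations gets edited, the thing to verify is what the Event Log service reports as the effective size, and the retention arithmetic in this thread (200 MB lasting about 18 hours here, 2 GB lasting about 9 days at John's site, both of which work out to roughly 220 to 270 MB per day) can be done on the box instead of by hand. The PowerShell below is an added example, not from the thread: it reads the effective maximum, reads the MaxSize value each GPO path writes, and extrapolates from the oldest retained event what size a target window needs. The 7-day target is an assumption, and the registry units are as I read the two policy definitions (service key in bytes, Policies key in KB); confirm them on a test system, as Matt suggests.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a DC.
# $TargetDays is an assumed retention goal. Registry units are as I read the
# two policy definitions (service key in bytes, Policies key in KB); confirm
# on a test box before trusting the derived MB figures.

$TargetDays = 7

# 1. The size actually in effect, as the Event Log service reports it.
$log = Get-WinEvent -ListLog Security
$effectiveMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
"Effective max size : {0} MB (mode: {1}, {2} records)" -f $effectiveMB, $log.LogMode, $log.RecordCount

# 2. What each GPO location has written. Precedence is decided on the client,
#    so the effective value above is authoritative; these only show who set what.
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'   # Security Settings\Event Log
$admxKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'  # Administrative Templates
$legacy = (Get-ItemProperty -Path $legacyKey -Name MaxSize -ErrorAction SilentlyContinue).MaxSize
$admx   = (Get-ItemProperty -Path $admxKey   -Name MaxSize -ErrorAction SilentlyContinue).MaxSize
"Service key MaxSize: " + $(if ($null -ne $legacy) { "$legacy bytes (~$([math]::Round($legacy / 1MB)) MB)" } else { 'not set' })
"Policy key  MaxSize: " + $(if ($null -ne $admx)   { "$admx KB (~$([math]::Round($admx / 1KB)) MB)" }     else { 'not set' })

# 3. Retention actually achieved: oldest surviving event versus now.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$hours  = ((Get-Date) - $oldest.TimeCreated).TotalHours
$usedMB = $log.FileSize / 1MB
"Oldest event       : {0:yyyy-MM-dd HH:mm} ({1:N1} hours ago)" -f $oldest.TimeCreated, $hours
"File size on disk  : {0:N0} MB" -f $usedMB

# 4. Extrapolate only once the log has wrapped; before that the fill rate
#    comes from a partial window and under-estimates what you need.
if ($log.FileSize -ge 0.95 * $log.MaximumSizeInBytes) {
    $mbPerDay = $usedMB / ($hours / 24)
    $needMB   = [math]::Ceiling($mbPerDay * $TargetDays)
    "Observed fill rate : {0:N0} MB/day" -f $mbPerDay
    "Size for {0} days   : ~{1:N0} MB" -f $TargetDays, $needMB
} else {
    "Log has not filled yet; size from it after it wraps."
}
```

The extrapolation is only honest once the log has wrapped at least once; a log that has not yet filled under-reports the daily rate. Re-checking the oldest event a day after the change, as Mike did by hand, is the cheap confirmation that the new size bought the history expected.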


Mike Leone

Jan 4, 2024, 3:02:25 PM
to ntsys...@googlegroups.com
On Wed, Jan 3, 2024 at 4:23 PM Michael B. Smith <mic...@smithcons.com> wrote:

Don’t make it hard.

 

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>



I will try this.

Have you seen MS's recommended query? Talk about hard!


<QueryList>
  <Query Id="0" Path="Security">
    <!-- Network logon events-->
    <Select Path="Security">*[System[(EventID=4624)]] and (*[EventData[Data[@Name="LogonType"]="3"]])</Select>
  </Query>
  <Query Id="1" Path="System">
    <!-- RADIUS authentication events User Assigned IP address (20274), User successfully authenticated (20250), User Disconnected (20275)  -->
    <Select Path="System">*[System[Provider[@Name='RemoteAccess'] and (EventID=20274 or EventID=20250 or EventID=20275)]]</Select>
  </Query>
  <Query Id="2" Path="Microsoft-Windows-CAPI2/Operational">
    <!-- CAPI events Build Chain (11), Private Key accessed (70), X509 object (90)-->
    <Select Path="Microsoft-Windows-CAPI2/Operational">*[System[(EventID=11 or EventID=70 or EventID=90)]]</Select>
  </Query>
  <Query Id="3" Path="Security">
    <!-- CA stop/Start events CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896), CA Template loaded (4898) -->
    <Select Path="Security">*[System[(EventID=4880 or EventID = 4881 or EventID = 4896 or EventID = 4898)]]</Select>
  </Query>
  <Query Id="4" Path="Microsoft-Windows-LSA/Operational">
    <!-- Groups assigned to new login (except for well known, built-in accounts)-->
    <Select Path="Microsoft-Windows-LSA/Operational">*[System[(EventID=300)]] and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-20"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-18"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-19"]])</Select>
  </Query>
  <Query Id="5" Path="Security">
    <!-- Logoff events - for Network Logon events-->
    <Select Path="Security">*[System[(EventID=4634)]] and (*[EventData[Data[@Name="LogonType"] = "3"]])</Select>
  </Query>
  <Query Id="6" Path="Security">
    <!-- RRAS events - only generated on Microsoft IAS server -->
    <Select Path="Security">*[System[( (EventID &gt;= 6272 and EventID &lt;= 6280) )]]</Select>
  </Query>
  <Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational">
    <!-- DNS Client events Query Completed (3008) -->
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
<!-- suppresses local machine name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
<!-- suppresses empty name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress>
  </Query>
  <Query Id="8" Path="Security">
    <!-- Process Terminate (4689) -->
    <Select Path="Security">*[System[(EventID = 4689)]]</Select>
  </Query>
  <Query Id="9" Path="Security">
    <!-- Local credential authentication events (4776), Logon with explicit credentials (4648) -->
    <Select Path="Security">*[System[(EventID=4776 or EventID=4648)]]</Select>
  </Query>
  <Query Id="10" Path="Security">
    <!-- Registry modified events for Operations: New Registry Value created (%%1904), Existing Registry Value modified (%%1905), Registry Value Deleted (%%1906) -->
    <Select Path="Security">*[System[(EventID=4657)]] and ((*[EventData[Data[@Name="OperationType"] = "%%1904"]]) or (*[EventData[Data[@Name="OperationType"] = "%%1905"]]) or (*[EventData[Data[@Name="OperationType"] = "%%1906"]]))</Select>
  </Query>
  <Query Id="11" Path="Security">
    <!-- Request made to authenticate to Wireless network (including Peer MAC (5632) -->
    <Select Path="Security">*[System[(EventID=5632)]]</Select>
  </Query>
  <Query Id="12" Path="Microsoft-Windows-PowerShell/Operational">
    <!-- PowerShell execute block activity (4103), Remote Command(4104), Start Command(4105), Stop Command(4106) -->
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104 or EventID=4105 or EventID=4106)]]</Select>
  </Query>
  <Query Id="13" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
    <!-- Detect User-Mode drivers loaded - for potential BadUSB detection. -->
    <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(EventID=2004)]]</Select>
  </Query>
<Query Id="14" Path="Windows PowerShell">
    <!-- Legacy PowerShell pipeline execution details (800) -->
    <Select Path="Windows PowerShell">*[System[(EventID=800)]]</Select>
  </Query>
</QueryList>
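The fastest way to find out what a subscription query will actually hand over is to run the same XML against the live log on a source DC with Get-WinEvent -FilterXml, before it goes anywhere near wecutil. That also makes the narrowness of the query above visible: its 4624 select only matches LogonType 3, so interactive, service and RDP logons on the DC never leave the box through that section. The PowerShell below is an added example, not from the thread or from Microsoft's documentation; it evaluates an unfiltered 4624 select and the LogonType=3 select side by side and breaks the hits down by logon type. It assumes Logon success auditing is on so that 4624 is being recorded at all.

```powershell
# Added example, not from the thread. Run on a DC; assumes Logon success
# auditing is enabled so the Security log actually contains 4624 events.

# Unfiltered: every 4624.
$every4624 = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
  </Query>
</QueryList>
'@

# The 4624 section of the Microsoft query quoted above: network logons only.
$networkOnly = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and (*[EventData[Data[@Name="LogonType"]="3"]])</Select>
  </Query>
</QueryList>
'@

function Get-LogonTypeBreakdown {
    param([Parameter(Mandatory)][string]$QueryXml, [int]$Max = 2000)
    # -FilterXml evaluates the same XPath a subscription would, against the live log.
    Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull LogonType out of EventData by name rather than by position.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
            }
        } |
        Group-Object LogonType | Sort-Object Count -Descending |
        Select-Object @{ n = 'LogonType'; e = { $_.Name } }, Count
}

'All 4624 by logon type (2 interactive, 3 network, 5 service, 10 RemoteInteractive):'
Get-LogonTypeBreakdown $every4624 | Format-Table -AutoSize

'What the LogonType=3 select would forward from the same window:'
Get-LogonTypeBreakdown $networkOnly | Format-Table -AutoSize
```

Any Select or Suppress from a subscription can be dropped into this function as-is; if it returns nothing on the DC, the collector will receive nothing either, which separates a query problem from the permission and enrolment problems.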
 