As we've used Netwrix Account Lockout Examiner for a few years now with all recommended DC auditing logs enabled, I have built up a huge history of audits.
This is causing Lockout Examiner to struggle to open and has become very laggy in usage. All the guides I can find only talk about how to enable auditing, but not how to set any sort of retention policy for the data.
Does anyone have any suggestions to help me configure my DCs to purge the audit logs after 6 months?
Hi Kirill, I tried your snippet on a test machine and it looks like it was trying to delete the .evtx files themselves if they were created more than 6 months ago, rather than purging log entries.
Example error:

    Remove-Item : Cannot remove item C:\Windows\System32\winevt\Logs\System.evtx: The process cannot access the file 'C:\Windows\System32\winevt\Logs\System.evtx' because it is being used by another process.
    At line:1 char:125
    + Get-Childitem C:\Windows\System32\winevt\Logs\*.evtx | Where-Object { $_.CreationTime -lt $Now.AddMonths(-6) } | Remove-Item <<<< -Force -Recurse
        + CategoryInfo          : WriteError: (C:\Windows\Syst...ogies Logs.evtx:FileInfo) [Remove-Item], IOException
        + FullyQualifiedErrorId : RemoveFileSystemItemIOError,Microsoft.PowerShell.Commands.RemoveItemCommand
I'll keep searching myself, thanks for your input so far!
Oh, I thought you meant archives (files) of the security event log.
As far as I know, the only option is to clear the entire event log. Further, you may reduce its maximum size to store fewer events and set the retention policy to "Overwrite events as needed...", but please note that the security event log should include the events for at least the last 24 hours.
Just in case: the security event log is memory mapped, and if you reduce its maximum size it should also improve the performance of the server.
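Added example, not from this thread or from Netwrix: a Windows PowerShell 5.1 check, run elevated on the DC being inspected, that reports how many hours the Security log currently covers and refuses to shrink it below what 24 hours of events would need. The 131 MB target size is a placeholder to adjust to your own event volume.

```powershell
# Added example (not the thread's own code). Run in an elevated Windows PowerShell 5.1
# session on the domain controller; reading the Security log requires admin rights.
$logName      = 'Security'
$minimumHours = 24    # advice above: the Security log should always cover the last 24 hours
$targetMB     = 131   # placeholder target size, adjust to your own volume

$log = Get-WinEvent -ListLog $logName
"Current max size : {0:N0} MB" -f ($log.MaximumSizeInBytes / 1MB)
"Current log mode : {0}"       -f $log.LogMode
"Records held     : {0:N0}"    -f $log.RecordCount

# The oldest surviving record shows how far back the log reaches at its current size.
$oldest        = Get-WinEvent -LogName $logName -Oldest -MaxEvents 1
$coverageHours = ((Get-Date) - $oldest.TimeCreated).TotalHours
"History covered  : {0:N1} hours (oldest record {1})" -f $coverageHours, $oldest.TimeCreated

# Rough bytes-per-hour rate, then the smallest size that still keeps $minimumHours of events.
$bytesPerHour = $log.FileSize / [math]::Max($coverageHours, 1)
$floorMB      = [math]::Ceiling($bytesPerHour * $minimumHours / 1MB)
"Estimated floor  : {0} MB to keep {1} hours" -f $floorMB, $minimumHours

if ($targetMB -ge $floorMB) {
    # OverwriteAsNeeded is the "Overwrite events as needed" retention policy from Event Viewer.
    # Equivalent native tool: wevtutil sl Security /ms:<bytes> /rt:false
    Limit-EventLog -LogName $logName -MaximumSize ($targetMB * 1MB) -OverflowAction OverwriteAsNeeded
    "Set $logName to $targetMB MB with OverwriteAsNeeded"
} else {
    "Refusing to shrink $logName below $floorMB MB: it would hold fewer than $minimumHours hours of events"
}
```

The floor is only an estimate from today's rate; re-check it after a busy period (patch day, mass lockouts) before trusting a smaller size.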
I'm looking now at the Windows Logs\Security in Event Viewer on my DCs. The Security log is set to 131 MB and contains a few days of events, as expected. However, Account Lockout Examiner is getting lockout event data back to 2016 from... somewhere?
Looking in Resource Monitor at the Network Activity, I see ALEService.exe is reading data from pretty much all my servers and computers on the network -- is this to be expected? I thought it just talked to the Domain Controllers.
ALE collects event ID 4740 (lockout) from the domain controller (or domain controllers, depending on the settings of ALE) and 4625 (failed logon attempt) from workstations.
OK thank you. This explains why I'm seeing traffic between my workstation and many other endpoints. ALEService.exe is regularly pulling around 500,000 B/sec from my domain controllers, peaking to over 1,000,000 B/sec.