Too many audit logs!


6 replies to this topic

#1 andrew.carpenter


Posted 09 May 2019 - 10:59 AM

As we've used Netwrix Account Lockout Examiner for a few years now with all recommended DC auditing logs enabled, I have built up a huge history of audits.

 

This is causing Lockout Examiner to struggle to open and has become very laggy in usage.  All the guides I can find only talk about how to enable auditing, but not how to set any sort of retention policy for the data.

 

Does anyone have any suggestions to help me configure my DCs to purge the audit logs after 6 months?

 

Many thanks, any relevant advice appreciated.



#2 Kirill K


Posted 09 May 2019 - 11:10 AM

Hi there,
 
It may be done using PowerShell, like this:
 
$Now=Get-Date
Get-Childitem C:\Windows\System32\winevt\Logs\*.evtx | Where-Object { $_.CreationTime -lt $Now.AddMonths(-6) } | Remove-Item -Force -Recurse
 
You may also create a scheduled task to run the cmdlet on a monthly basis.

Best regards,
Forum Engineer
 


#3 andrew.carpenter


Posted 09 May 2019 - 02:09 PM

Hi Kirill, I tried your snippet on a test machine and it looks like it was trying to delete the .evtx files themselves if they were created more than 6 months ago, rather than purging log entries.

 

Example error:

 

At line:1 char:125
+ Get-Childitem C:\Windows\System32\winevt\Logs\*.evtx | Where-Object { $_.CreationTime -lt $Now.AddMonths(-6) } | Remove-Item <<<<  -Force -Recurse
    + CategoryInfo          : WriteError: (C:\Windows\Syst...ogies Logs.evtx:FileInfo) [Remove-Item], IOException
    + FullyQualifiedErrorId : RemoveFileSystemItemIOError,Microsoft.PowerShell.Commands.RemoveItemCommand
Remove-Item : Cannot remove item C:\Windows\System32\winevt\Logs\System.evtx: The process cannot access the file 'C:\Windows\System32\winevt\Logs\System.evtx' because it is being used by another process.

I'll keep searching myself, thanks for your input so far!  :)



#4 Kirill K


Posted 09 May 2019 - 03:19 PM

Oh, I thought you meant archives (files) of the security event log.

 

As far as I know there is only one option to clear the entire event log; beyond that, you may reduce its maximum size so it stores fewer events and set the retention policy to "Overwrite events as needed...", but please note that the security event log should include the events for at least the last 24 hours.

 

Just in case: the security event log is memory-mapped, so if you reduce its maximum size it should also improve the performance of the server.


Best regards,
Forum Engineer
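The two suggestions in this thread, capping the Security log with "Overwrite events as needed" and cleaning up old log files, can be combined into one script that only ever deletes auto-archived copies, never the live log that the first snippet tripped over. The following is an added example, not code from the thread or from Netwrix; the 512 MB size, the 6-month window and the archive file pattern (Windows names auto-backups Archive-<LogName>-<timestamp>.evtx) are assumptions you should adjust for your own DCs.

```powershell
# Added example (not from the thread or from Netwrix): size the Security log on a DC,
# keep the "Overwrite events as needed" policy, and purge only ARCHIVED .evtx files
# older than N months. The active log files in winevt\Logs are held open by the
# EventLog service, which is why Remove-Item on them fails with "being used by
# another process". Sizes and months below are assumed values; tune them per DC.

function Set-SecurityLogRetention {
    param(
        [string]$LogName   = 'Security',
        [int]   $MaxSizeMB = 512      # assumed; must hold more than 24 hours of events
    )
    # /retention:false = "Overwrite events as needed" (the thread's recommendation).
    # /retention:true /autobackup:true would instead archive the full log to
    # Archive-<LogName>-<timestamp>.evtx and start a fresh one.
    & wevtutil.exe set-log $LogName "/maxsize:$($MaxSizeMB * 1MB)" /retention:false
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
}

function Test-SecurityLogCoverage {
    # Verifies the guidance from the thread: the log should still hold >= 24 hours.
    param([string]$LogName = 'Security', [int]$MinHours = 24)
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop
    $span   = (Get-Date) - $oldest.TimeCreated
    [pscustomobject]@{
        LogName      = $LogName
        OldestEvent  = $oldest.TimeCreated
        HoursHeld    = [math]::Round($span.TotalHours, 1)
        MeetsMinimum = ($span.TotalHours -ge $MinHours)
    }
}

function Remove-OldArchivedLogs {
    # Deletes only auto-archived copies (Archive-<LogName>-*.evtx), never the live log.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$LogName    = 'Security',
        [int]   $KeepMonths = 6,
        [string]$LogDir     = "$env:SystemRoot\System32\winevt\Logs"
    )
    $cutoff = (Get-Date).AddMonths(-$KeepMonths)
    Get-ChildItem -Path $LogDir -Filter "Archive-$LogName-*.evtx" -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, "Delete archive older than $KeepMonths months")) {
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }
}

# Usage (run elevated on the DC); -WhatIf previews deletions without performing them:
# Set-SecurityLogRetention -MaxSizeMB 512
# Test-SecurityLogCoverage
# Remove-OldArchivedLogs -KeepMonths 6 -WhatIf
```

Run Test-SecurityLogCoverage after lowering the size: if HoursHeld drops below 24 on a busy DC, raise MaxSizeMB rather than shrinking further, since the thread's 24-hour minimum is what keeps lockout investigations possible.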
 


#5 andrew.carpenter


Posted 09 May 2019 - 03:30 PM

I'm looking now at Windows Logs\Security in Event Viewer on my DCs. The Security log is set to 131 MB and contains a few days of events, as expected. However, Account Lockout Examiner is getting lockout event data back to 2016 from... somewhere?

 

Looking in Resource Monitor at the Network Activity, I see ALEService.exe is reading data from pretty much all my servers and computers on the network. Is this to be expected? I thought it just talked to the Domain Controllers.



#6 Kirill K


Posted 09 May 2019 - 03:36 PM

ALE collects event ID 4740 (lockout) from the domain controller (or domain controllers, depending on the ALE settings) and 4625 (failed logon attempt) from workstations.


Best regards,
Forum Engineer
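To see for yourself what the tool is collecting, and why it needs to talk to workstations as well as DCs, the two event IDs named above can be pulled with Get-WinEvent and summarised per account. This is an added example, not code from the thread or from Netwrix; the computer names and the 24-hour window are assumed placeholders, and the query runs with whatever remote event log permissions the calling account already has.

```powershell
# Added example (not from the thread or from Netwrix): collect 4740 (account locked out)
# from a DC or 4625 (failed logon) from a workstation over a window of hours and
# summarise them per account. Computer names used at the bottom are placeholders.

function Get-LockoutSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]   $EventId      = 4740,       # 4740 on DCs, 4625 on workstations
        [int]   $Hours        = 24
    )
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error, which is a
    # valid (and welcome) result here.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Read named EventData fields from the XML instead of relying on positional Properties.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # 4740 carries the caller computer in TargetDomainName; 4625 carries the source IP.
        $source = if ($EventId -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Account     = $data['TargetUserName']
            Source      = $source
            Status      = $data['Status']     # populated for 4625 only
        }
    }

    $rows | Group-Object Account | Sort-Object Count -Descending |
        Select-Object Name, Count,
            @{ n = 'Sources';  e = { ($_.Group.Source | Sort-Object -Unique) -join ',' } },
            @{ n = 'LastSeen'; e = { ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum } }
}

# Usage (placeholder names): lockouts recorded on a DC, then failures on one workstation.
# Get-LockoutSummary -ComputerName 'DC01' -EventId 4740 -Hours 24
# Get-LockoutSummary -ComputerName 'WS-FINANCE-07' -EventId 4625 -Hours 24
```

Running the 4625 query against a few workstations shows why the collector's traffic spans the whole estate: the DC's 4740 only names the caller computer, and the failed-logon detail that explains a lockout lives on that computer's own Security log.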
 


#7 andrew.carpenter


Posted 13 May 2019 - 09:59 AM

OK, thank you. This explains why I'm seeing traffic between my workstation and many other endpoints. ALEService.exe is regularly pulling around 500,000 B/sec from my domain controllers, peaking at over 1,000,000 B/sec.


