KBI 311161 Missing Windows Event Log Data, Especially In Windows Security Logs


Version

Argent Advanced Technology – Argent for Compliance

Date

Wednesday, 21 Jan 2015

Summary

Data can be lost when reporting on Windows Event Log data, especially the Security Event Log, despite Argent for Compliance consolidating logs without errors

The source of the issue is likely the Relator executing too infrequently

What happens is the Windows Security Event Log rolls over too quickly and the Relator’s interval is greater than the time range held in the Security Log, resulting in missing Event Log data

Technical Background

The Windows Event Logs by default are a fixed size, therefore when the size is reached and new Events are logged the oldest ones are dropped; see the highlighted option below, Overwrite events as needed (oldest events first)

The default log options are shown here:

*** CRITICAL NOTE ***

The above settings for a single server can be overridden by the Group Policy of Active Directory and it is essential to check Active Directory as well as the individual server’s log settings

As an example of consumption rates, Domain Controllers in a busy environment may only hold 20 minutes of Events in their Security Event Log even if the log size is 256 MB

Therefore the Argent for Compliance Relator schedule must run at least every 10 minutes in order not to miss any Events

A good Rule of Thumb is to execute the Relator at one-quarter the Rollover rate — if the Windows Security Log rolls over every 20 minutes, then set the Relator to run every five minutes; this allows for growth of the Security Log (and thus ever more rapid Rollovers)

Scheduling the Relator at short intervals is not an issue for Argent for Compliance as the ID index of the last event is recorded and used as the continuation point for the next read

Using this High Water Mark technique, Argent never wastes cycles — Argent’s High Water Mark is both fast and efficient without the need to check every Event
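The following PowerShell is an added example, not Argent code: run locally on the server it measures how long the Security Log actually retains events, derives the one-quarter interval from the Rule of Thumb above, checks the Group Policy override noted in the CRITICAL NOTE, and shows a continuation read in the High Water Mark style. It assumes Get-WinEvent is available and that $lastRecordId stands in for the record ID persisted by the previous run.

```powershell
# Added example, not Argent code: measure how long the Security log actually
# retains events and derive a polling interval of one-quarter that window.
# Assumes Get-WinEvent (Windows Vista/2008 or later) and rights to read Security.
function Get-SecurityLogRollover {
    $log    = Get-WinEvent -ListLog Security
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName Security -MaxEvents 1
    $window = $newest.TimeCreated - $oldest.TimeCreated

    # The window is only a rollover rate once the log has filled; before that it
    # merely measures time since the log was last cleared.
    $wrapped = $log.FileSize -ge ($log.MaximumSizeInBytes * 0.9)

    # Group Policy can override the local setting (see the CRITICAL NOTE above);
    # this is the policy key written by the Event Log Service administrative template.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LogMode           = $log.LogMode       # Circular = "Overwrite events as needed"
        MaximumSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PolicyMaxSizeKB   = $policy.MaxSize    # $null when no GPO override applies
        RecordsRetained   = $log.RecordCount
        RetentionWindow   = $window
        LogHasWrapped     = $wrapped
        SuggestedInterval = [timespan]::FromTicks([long]($window.Ticks / 4))
    }
}

Get-SecurityLogRollover | Format-List

# Continuation read in the High Water Mark style described above: the last record
# ID consolidated is stored, and the next run requests only records after it.
# $lastRecordId is a placeholder for the value persisted by the previous run.
$lastRecordId = 123456
$newEvents = Get-WinEvent -LogName Security -Oldest -MaxEvents 500 `
    -FilterXPath "*[System[EventRecordID > $lastRecordId]]" -ErrorAction SilentlyContinue
if ($newEvents) {
    # Persist the new high-water mark only after the batch has been consolidated.
    $lastRecordId = ($newEvents | Select-Object -Last 1).RecordId
    "Read $($newEvents.Count) new events; high-water mark is now $lastRecordId"
}
```

If LogHasWrapped is False the RetentionWindow is not yet a rollover rate, so re-run once the log has filled before sizing the Relator schedule from it.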

For further information see these White Papers and Encyclopedias:

Argent Compliance White Papers – Windows Event Logs

See KBI: Windows Event Logs

If network bandwidth is a concern, see:

See section: How Argent for Compliance Archives Windows Event Logs

Reducing Network Utilization When Consolidating Log Events

Resolution

A good Rule of Thumb is to execute the Relator at one-quarter the Rollover rate — if the Windows Security Log rolls over every 20 minutes, then set the Relator to run every five minutes; this allows for growth of the Security Log (and thus ever more rapid Rollovers)