KBI 311161 Missing Windows Event Log Data, Especially In Windows Security Logs
Version
Argent Advanced Technology – Argent for Compliance
Date
Wednesday, 21 Jan 2015
Summary
Windows Event Log data, especially Security Event Log data, can be missing from reports even though Argent for Compliance consolidates the logs without reporting any errors
The usual cause is the Relator running too infrequently
The Windows Security Event Log rolls over faster than the Relator runs: when the Relator's interval is longer than the span of time the Security Log can hold, Events written between two runs are overwritten before they are read, and those Events are never consolidated
Technical Background
By default each Windows Event Log is a fixed size; once that size is reached, every new Event overwrites the oldest one, so the log only ever holds the most recent Events (this is the Overwrite events as needed (oldest events first) option in the log's Properties dialog)
The default log options are shown here:
*** CRITICAL NOTE ***
The settings on an individual server can be overridden by Active Directory Group Policy, so the log size and retention actually in force must be checked in Group Policy as well as in the individual server's log settings
As an example of consumption rates, Domain Controllers in a busy environment may hold only 20 minutes of Events in their Security Event Log even with the log size set to 256 MB
The Argent for Compliance Relator must therefore run at least every 10 minutes, and in any case more often than the log rolls over, or Events will be missed
The Rule of Thumb in the Resolution below is to execute the Relator at one-quarter of the Rollover interval; the margin allows for growth in Security Log volume (and thus ever more rapid Rollovers)
Scheduling the Relator at short intervals is not an issue for Argent for Compliance because the Record ID of the last Event read is stored and used as the starting point of the next read
With this High Water Mark technique each run reads only the Events written since the previous run, so frequent scheduling costs very little: there is no need to re-scan every Event in the log
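The following PowerShell script is an added illustration of the two points above (measuring the Rollover interval and reading incrementally from a High Water Mark); it is not Argent code and does not show how the Relator is implemented. It assumes it is run elevated on the server being checked, that Group Policy (if any) writes the Security log size to the usual HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security key, and it uses a hypothetical state file ($StatePath) to persist the last Record ID between runs:

```powershell
# Added example, not part of the Argent KBI. Run elevated (the Security log
# needs administrator rights to read). $StatePath is a hypothetical location
# for the stored high-water mark.
param(
    [string]$LogName   = 'Security',
    [string]$StatePath = "$env:ProgramData\LogPollHwm-$LogName.txt"
)

# --- 1. How much time does the log hold right now? -------------------------
$cfg    = Get-WinEvent -ListLog $LogName
$newest = Get-WinEvent -LogName $LogName -MaxEvents 1
$oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest

$window = $newest.TimeCreated - $oldest.TimeCreated
$fill   = $cfg.FileSize / $cfg.MaximumSizeInBytes

"Log {0}: {1:N0} records, {2:P0} of {3:N0} MB used, LogMode={4}" -f `
    $LogName, $cfg.RecordCount, $fill, ($cfg.MaximumSizeInBytes / 1MB), $cfg.LogMode
"Oldest event : {0}" -f $oldest.TimeCreated
"Newest event : {0}" -f $newest.TimeCreated
"Retention    : {0:N1} minutes" -f $window.TotalMinutes

# Until the file has filled once, the window only grows, so the measured
# retention is a lower bound on the real rollover interval.
if ($fill -lt 0.95) {
    "Log is not yet full; the retention window is only a lower bound"
}

# Rule of thumb from the KBI: poll at one quarter of the rollover interval.
$suggested = [math]::Max(1, [math]::Floor($window.TotalMinutes / 4))
"Suggested poll interval: every {0} minute(s)" -f $suggested

# --- 2. Is Group Policy overriding the local size setting? -----------------
# If MaxSize (in KB) exists under the policy key, the value set through
# Group Policy, not the local Event Viewer setting, is the one in force.
$polKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$LogName"
if (Test-Path $polKey) {
    $pol = Get-ItemProperty -Path $polKey
    if ($null -ne $pol.MaxSize) {
        "Group Policy sets MaxSize = {0:N0} KB for {1}" -f $pol.MaxSize, $LogName
    }
}

# --- 3. Incremental read from the stored high-water mark -------------------
$hwm = [int64]0
if (Test-Path $StatePath) {
    $hwm = [int64]((Get-Content -Path $StatePath -Raw).Trim())
}

# Rollover check: if the oldest surviving record is beyond our mark, the
# records in between were overwritten before this poll ran and are lost.
if ($hwm -gt 0 -and $cfg.OldestRecordNumber -gt ($hwm + 1)) {
    "WARNING: records {0}..{1} were overwritten before this poll; poll more often" -f `
        ($hwm + 1), ($cfg.OldestRecordNumber - 1)
}

# Ask the log only for records after the mark; nothing already read is
# re-scanned. With no new events Get-WinEvent returns nothing.
$new = @(Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue `
             -FilterXPath "*[System[EventRecordID > $hwm]]")

if ($new.Count -gt 0) {
    "Read {0} new events ({1}..{2})" -f $new.Count, $new[0].RecordId, $new[-1].RecordId
    # Advance the mark only after the events have been handled, so a failure
    # mid-run makes the next run re-read rather than skip.
    [string]$new[-1].RecordId | Set-Content -Path $StatePath
} else {
    "No new events since record $hwm"
}
```

Run the script a few times on a busy Domain Controller once the Security log has reached its maximum size: the retention figure is the Rollover interval to plan around, and a WARNING on any run means the gap between polls was already too long for that server.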
For further information see these White Papers and Encyclopedias:
Argent Compliance White Papers – Windows Event Logs
See KBI: Windows Event Logs
If network bandwidth is a concern, see:
See section: How Argent for Compliance Archives Windows Event Logs
Reducing Network Utilization When Consolidating Log Events
Resolution
A good Rule of Thumb is to execute the Relator at one-quarter of the Rollover interval: if the Windows Security Log rolls over every 20 minutes, set the Relator to run every five minutes; the margin allows for growth in Security Log volume (and thus ever more rapid Rollovers)