More Control over the Event Logging service

OK, it's time for another update in the continuing saga of new Group Policy settings included with Windows Vista. This week I am going to focus on policy settings for the Event Logging Service.


For clarity, these settings control the Event Logging service, the service responsible for capturing and writing events throughout Windows. These policy settings do not affect the Event Viewer application.


These are some powerful policy settings that allow you to configure five settings for the Application, Security, Setup, and System event logs. These categories and their policy settings are located under Computer Configuration\Administrative Templates\Windows Components\Event Log Service. These policy settings are Windows Vista policy settings and apply only to computers running Windows Vista, and they can co-exist in policies that apply to clients earlier than Windows Vista. Operating systems other than Windows Vista will ignore the settings.


The Log File Path policy setting, when enabled, allows you to provide a specific location where the Event Log service writes its log file. You only provide a path location; Windows maintains the file name.


Next is the Maximum log size policy. When enabled, this policy allows you to specify the maximum size of the event log. It supports sizes between one megabyte and two terabytes and uses one-kilobyte increments.


The next two policy settings are related. The Event Logging service uses the Retain old events and Back up log automatically when full policy settings when the event log reaches the maximum file size (defaults to 20 MB or the value specified in the Maximum log size policy setting). With the Retain old events policy setting enabled, the Event Logging service will stop writing new events to the event log when the log file reaches or exceeds the maximum value, and you will lose all new events. With this policy setting disabled, new events will overwrite old events. When you enable both the Back up log automatically when full and the Retain old events policy settings, the Event Log service will close the current event log, rename it, and then create a new log. The Back up log automatically when full policy setting works only when you enable the Retain old events policy setting.


The last setting, and the one that I think is the most beneficial, is the Log Access setting. Enabling this setting allows you to enter a security descriptor for the log file. The security descriptor controls who can read, write, or clear the event log. You enter the security descriptor using Security Definition Description Language (SDDL), which is documented in MSDN (
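Before putting an SDDL string into the Log Access setting, it helps to see which trustees it lets read, write, or clear the log. The following is an added example, not part of the original post: the function name `Get-EventLogSddlAccess` is hypothetical, the SDDL string is constructed for illustration, and the script assumes the event log access-mask bits 0x1 (read), 0x2 (write) and 0x4 (clear).

```powershell
# Added example. Assumed event log rights in the low bits of each ACE mask:
# 0x1 = read, 0x2 = write, 0x4 = clear.
$EventLogRights = [ordered]@{ Read = 0x1; Write = 0x2; Clear = 0x4 }

function Get-EventLogSddlAccess {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # RawSecurityDescriptor parses the SDDL and throws if it is malformed,
    # which catches typos before the string reaches a GPO.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if ($null -eq $sd.DiscretionaryAcl) {
        Write-Warning 'The descriptor has no DACL (no D: section).'
        return
    }

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow/deny ACEs are decoded here.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

        # Resolve the SID to an account name; fall back to the raw SID.
        $sid = $ace.SecurityIdentifier
        try   { $trustee = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $sid.Value }

        $rights = foreach ($r in $EventLogRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }

        [pscustomobject]@{
            Type    = $ace.AceType                      # AccessAllowed or AccessDenied
            Trustee = $trustee
            Mask    = '0x{0:x}' -f $ace.AccessMask
            Rights  = $rights -join ','
        }
    }
}

# Constructed sample: Guests denied clear, Administrators full log access,
# Server Operators read/write, Event Log Readers (S-1-5-32-573) read only.
$sample = 'O:BAG:SYD:(D;;0x4;;;BG)(A;;0x7;;;BA)(A;;0x3;;;SO)(A;;0x1;;;S-1-5-32-573)'
$acl = Get-EventLogSddlAccess -Sddl $sample
$acl | Format-Table -AutoSize

# Review step: list every trustee that is allowed to clear the log.
$acl | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Rights -match 'Clear' }
```

For the constructed sample, the review step returns only the Administrators entry; any additional trustee in that output is an account that could erase the log and deserves a second look before the policy is linked.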


These new policy settings for the Event Logging service provide more flexibility and control than before. Using Group Policy to control where event logs are written, how large they can grow, how they are preserved, and who can manage them is key to change control and security auditing.


NEXT WEEK: Power Management Part 1 of 2


Mike Stephens, Technical Writer, Group Policy

Comments (1)

  1. kevsully says:

    This is great stuff Mike, I am really excited that the Group Policy team is blogging… now we just need to get people to read it. I found it difficult to find the blog through searches (I knew where it was but wanted to see how easy it would be to find). It is listed under Vista as a sub category, rather than Windows general or Active Directory.

    Awesome stuff! I can’t wait to see the Power Management posts.

