Managing Windows 2000 Security Logs

Thursday Nov 2nd 2000 by Brien M. Posey

When your Windows 2000 security log fills up, you really only have two choices: archive the log or overwrite it. Increasing the size of the log is a temporary solution because it inevitably fills up again.

If you've ever tried to monitor your server for security breaches, you know just how fast those security logs can fill up. Fortunately, there are steps you can take to deal with a full security log, as I'll explain in this article.

Archive or Overwrite?

When a security log fills up, you really have only two choices: You can either archive the security log or you can overwrite it. Of course, you can always increase the maximum size of the log, but doing so requires more hard disk space. Increasing the size of the security log is also only a temporary solution, because the log will inevitably fill up again; it's just a matter of time.


If you want to adjust the maximum size of your security log or you want to overwrite it when it becomes full, you can do so by opening the Event Viewer console and right-clicking on the security log. Select Properties from the context menu to open the log's properties sheet. This properties sheet contains a couple of options. First, you can set the maximum size to which you want the security log to grow. If you decide to take the overwrite option, you can do so by selecting the Overwrite As Needed option. When you do, Windows will replace the oldest events with new events as the log becomes full.


In some organizations, such as the military, the security logs are too important to simply be overwritten. In such organizations, it's better to archive the old security logs so that you always have them on file. To archive a security log, open the Event Viewer console and right-click on the security log. Select the Clear All Events command from the context menu. At this point, you'll see a message asking if you want to archive the log before clearing it. Click Yes, and a Save As-style dialog box will open. Enter a name for the archived log, but be sure to use the file extension .EVT. I find it helpful to base the filename on the dates contained within the log.

Once you've archived a security log, you can view the archived log by going into the Event Viewer console and right-clicking on the security log. Select Open Log File from the context menu. You'll now see an Open dialog box. Select the file name that you used to save the archived log. Next, select Security from the Log Type list and click Open. The archived log file will appear in the Event Viewer console. Keep in mind that when you're viewing an archived log, the Refresh and Clear All Events commands don't work.
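The two procedures above (setting the size and overwrite policy, and archiving before clearing) can also be scripted so that the log is never cleared unless the archive was actually written. The following is an added example, not code from the article; it uses the Win32_NTEventlogFile WMI class from PowerShell, so it assumes a later Windows host (Windows 2000 itself predates PowerShell), and the archive folder and 64 MB size are assumed values.

```powershell
# Added example: archive the Security log to a date-stamped .evt and clear it
# only after the backup is confirmed; then set size and retention policy.
# Assumptions: Windows with PowerShell 2.0+, run as an administrator
# (Manage auditing and security log privilege), archive folder D:\SecLogArchive.

$archiveDir = 'D:\SecLogArchive'                       # assumed location
if (-not (Test-Path $archiveDir)) {
    New-Item -ItemType Directory -Path $archiveDir | Out-Null
}

$log = Get-WmiObject -Class Win32_NTEventlogFile -Filter "LogFileName='Security'"

# Name the archive after the date range it holds, as the article recommends.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$name   = 'Security_{0:yyyyMMdd}-{1:yyyyMMdd}.evt' -f $oldest.TimeCreated, $newest.TimeCreated
$dest   = Join-Path $archiveDir $name

# BackupEventlog returns 0 on success. Common failures: 8 = missing privilege,
# 183 = a file with that name already exists (the log is NOT overwritten).
$rc = $log.BackupEventlog($dest).ReturnValue
if ($rc -ne 0) {
    throw "Backup of Security log to $dest failed (return code $rc); log left intact."
}

# Only now is it safe to clear. ClearEventlog also returns 0 on success.
$rc = $log.ClearEventlog().ReturnValue
if ($rc -ne 0) {
    throw "Clear of Security log failed (return code $rc); archive is at $dest."
}
Write-Output "Archived $($log.NumberOfRecords) events to $dest and cleared the log."

# Policy: raise the maximum size (bytes, multiple of 64 KB) and choose retention.
# OverWriteOutdated: 0 = overwrite as needed, 1-365 = days, 4294967295 = never.
$log.MaxFileSize      = 64MB
$log.OverWriteOutdated = 4294967295                    # archive-only sites: never overwrite
$log.Put() | Out-Null
```

Setting OverWriteOutdated to "never" means the system stops recording security events once the log is full, so the archive step must run on a schedule well before that point.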

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.

