Event Logs
Windows Server and Exchange Server can generate a great deal of information regarding their operation to the Windows event logs. Exchange will generate most of its information to the Application event log and, optionally, to the Audit event log.
Items placed in the Audit event log are typically Success/Failure type of items that are in some way related to security. This includes opening a mailbox, opening a folder, and using SendAs.
Items placed in the Application event log may contain information of practically any type, but are generally separated into one of three levels: Informational, Warning, or Error.
In Windows Server 2008, the event log subsystem of Windows was rebuilt from scratch. Prior to that release of Windows, the total size of all event logs combined (due to an implementation constraint) should never exceed 300 MB. Beginning with Windows Server 2008, that limitation is gone. Regardless of the removal of that restriction, event logs are shipped with default sizes that are quite small. The default sizes in Windows Server 2008 R2 are shown in Table-5.
Table-5: Default Windows Event Log Sizes in Windows Server 2008 R2Event Log Size Application 20 MB Security 128 MB System 20 MB
We recommend that you significantly increase the sizes of your event logs before you need to. When the time comes to diagnose an issue, you will find that difficult (if not impossible) to do if you cannot access all the information that could be available to you.
Viewing the size of a Windows event log (and adjusting it) is a simple matter. Open the Event Viewer in Administrative Tools and expand the Windows Log node. Right-click on a particular event log and select Properties from the context menu. You see the Log Properties dialog for the System event log in the default configuration.
We recommend that you set the sizes of the three primary event logs to the values shown in Table-6 as a minimum. If you have busy servers, you may want to increase these values.
You may also (if you haven't already) consider increasing the size of the System and Security event logs on all your domain controllers (if they are on Windows Server 2008 or later).
The Log Properties dialog includes a setting for controlling the behavior of event logging when the maximum log size is reached. The default is Overwrite Events As Needed. In a security-conscious environment, you may want to set this option to Do Not Overwrite Events (Clear Log Manually). If you set this and the event log fills up before it is either cleared or the maximum number of days is reached, event logging will stop. That is considered a feature - it is designed to prevent intruders or evildoers from covering their tracks by generating additional event logging and thus removing evidence of their evil deeds. However, in the case of the Security log, if the event log fills up the server will Halt. This option is designed to prevent someone from filling up the event log and then continuing activities that would normally generate errors but would not get logged because the file was full.
If you need logging to continue, regardless of the size consumed by event logs and their archives, select Archive The Log When Full (Do Not Overwrite Events).
Event log sizes and event log overwrite settings can be configured manually on a server-by-server basis, or they can be updated using Group Policy. If you have more than a few servers, using Group Policy will be less work. Keep in mind the size limitation that impacts Windows Server 2003 and prior versions of Windows Server. If you try to assign larger event log file sizes on Windows Server 2003, you will cause that server to operate poorly, and it may crash.
Table-6: Recommended Sizes for Event LogsEvent Log Size Application 192 MB (196,608 KB) Security 256 MB (262,144 KB) System 192 MB (196,608 KB)
In Windows Server 2003, the event logs were stored in memory-mapped files, using memory that could not be paged out (that is, nonpaged pool memory). This resulted in less memory available for applications.
The event mechanism rewrite in Windows Server 2008 no longer uses memory-mapped files, and it adds a large number of features (such as eventing and notifications) to the event log subsystem.
System Center Operations Manager 2007, discussed earlier in this tutorial, has a submodule called the Microsoft Audit Collection System (MACS). MACS is designed for reading and archiving the contents of the Security event log (and generating reports from those contents). When OpsMgr is in use, the Security event logs can generally be kept quite small.
In this tutorial:
- Monitoring and Performance for Exchange Server
- Key Performance Monitor Counters
- Memory
- Processor
- Disk
- Disk Performance Counters
- Active Directory for Exchange Server
- Network
- MAPI
- Using System Center Operations Manager
- Modifying Management Pack Objects
- Event Logs
- Defining a Security Audit Policy
- Protocol and Connection Logs
- POP
- Send and Receive Logs