Take Win NT and the event logs. TCSEC secure processing at C2 says 'stop processing when logspace full.' If the systems are critical and cannot stop, how and what does one use to transfer log files off the server to central store (on or offline does not matter here)? My view is that the first trigger must be size, then time period. The transfer must check the source and destination against spoofing or DoS, and there must be an accuracy...
check of the copy before the original is overwrighted. Surely, I cannot be the only person faced with this problem?
Alas, the old problem of the ages with Windows logs. Since the beginning of NT back in the 90s this has been a problem. There is a third option you forgot: That is, when the log file fills and the hard drive fill at the same time. NT will not allow you to boot so you can clear the file, thus you are also trapped.
The best solution I have found in any version of Windows is to set an alarm to let you know when the hard drive is 80%, then again at 90% full. Once you hit the 80% mark, you should clear your logs. If you wait till 90%, you may not have a chance. Another solution, if you generate many log files, is to clear them daily (or dump them to another server daily) and set the option to overwrite. Now this does violate infosec principals, BUT (and a big but this is)if the device is critical AND you have alarms set, then you would not need to ever overwrite. But remember that your device is critical and will also allow you to use the overwrite option due to the risk of impacting the client/customers. Overwriting once a year may be acceptable if the risk of doing so is very low and you have procedures around the entire process.
Dig deeper on Security Event Management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.