Ask the Expert

Transferring Windows log files from server to central store

Take Win NT and the event logs. TCSEC secure processing at C2 says 'stop processing when logspace full.' If the systems are critical and cannot stop, how and what does one use to transfer log files off the server to central store (on or offline does not matter here)? My view is that the first trigger must be size, then time period. The transfer must check the source and destination against spoofing or DoS, and there must be an accuracy check of the copy before the original is overwritten. Surely, I cannot be the only person faced with this problem?


Alas, the old problem of the ages with Windows logs. Since the beginning of NT back in the 90s this has been a problem. There is a third option you forgot: that is, when the log file and the hard drive fill at the same time. NT will not allow you to boot so you can clear the file, thus you are also trapped.

The best solution I have found in any version of Windows is to set an alarm to let you know when the hard drive is 80%, then again at 90% full. Once you hit the 80% mark, you should clear your logs. If you wait till 90%, you may not have a chance. Another solution, if you generate many log files, is to clear them daily (or dump them to another server daily) and set the option to overwrite. Now this does violate infosec principles, BUT (and a big but this is) if the device is critical AND you have alarms set, then you would not need to ever overwrite. But remember that your device is critical and will also allow you to use the overwrite option due to the risk of impacting the client/customers. Overwriting once a year may be acceptable if the risk of doing so is very low and you have procedures around the entire process.


This was first published in November 2002
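
The disk alarm and the "verify the copy before the original goes" routine discussed above, sketched in PowerShell as an added example that is not part of the original column. It assumes a current Windows host with wevtutil.exe and PowerShell 4 or later (neither existed on NT); the log name, staging folder, UNC path and thresholds are placeholders chosen for illustration.

```powershell
# Added example. Run elevated; all parameter defaults are hypothetical values.
param(
    [string]$LogName = 'Security',
    [string]$Staging = 'D:\LogStaging',             # local folder, placeholder
    [string]$Central = '\\logstore.example\evtx',   # central store, placeholder
    [int]$WarnPct = 80,
    [int]$CritPct = 90
)

# Percentage of the given drive (e.g. 'C:') that is in use.
function Get-DiskUsedPct([string]$Drive) {
    $d = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    [math]::Round(100 * ($d.Size - $d.FreeSpace) / $d.Size, 1)
}

function Move-EventLogVerified {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $name   = '{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, $LogName, $stamp
    $local  = Join-Path $Staging $name
    $remote = Join-Path $Central $name

    # Back up and clear in one operation, so no event is lost between the
    # export and the clear. The staging file is now the only original.
    & wevtutil.exe cl $LogName "/bu:$local"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

    # If the copy fails, the script stops here and the staging file is kept.
    Copy-Item -LiteralPath $local -Destination $remote -ErrorAction Stop

    # Accuracy check: read both files back and compare SHA-256 digests.
    $src = (Get-FileHash -LiteralPath $local  -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $remote -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch for $name, staging copy kept at $local" }

    # Only a verified copy allows the local original to be removed.
    Remove-Item -LiteralPath $local
    "$name archived to central store, SHA256 $dst"
}

$used = Get-DiskUsedPct (Split-Path -Qualifier $env:SystemRoot)
if ($used -ge $CritPct)     { Write-Warning "System drive $used% full, past the $CritPct% alarm" }
elseif ($used -ge $WarnPct) { Write-Warning "System drive $used% full, past the $WarnPct% alarm" }
if ($used -ge $WarnPct)     { Move-EventLogVerified }
```

Scheduling the same script daily gives the time-based trigger; the staging folder should sit on a different volume from the one being monitored so the backup itself cannot fill the system drive.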
