Problem solve Get help with specific problems with your technologies, process and projects.

Transferring Windows log files from server to central store

Take Win NT and the event logs. TCSEC secure processing at C2 says 'stop processing when logspace full.' If the...

systems are critical and cannot stop, how and what does one use to transfer log files off the server to central store (on or offline does not matter here)? My view is that the first trigger must be size, then time period. The transfer must check the source and destination against spoofing or DoS, and there must be an accuracy check of the copy before the original is overwrighted. Surely, I cannot be the only person faced with this problem?

Alas, the old problem of the ages with Windows logs. Since the beginning of NT back in the 90s this has been a problem. There is a third option you forgot: That is, when the log file fills and the hard drive fill at the same time. NT will not allow you to boot so you can clear the file, thus you are also trapped.

The best solution I have found in any version of Windows is to set an alarm to let you know when the hard drive is 80%, then again at 90% full. Once you hit the 80% mark, you should clear your logs. If you wait till 90%, you may not have a chance. Another solution, if you generate many log files, is to clear them daily (or dump them to another server daily) and set the option to overwrite. Now this does violate infosec principals, BUT (and a big but this is)if the device is critical AND you have alarms set, then you would not need to ever overwrite. But remember that your device is critical and will also allow you to use the overwrite option due to the risk of impacting the client/customers. Overwriting once a year may be acceptable if the risk of doing so is very low and you have procedures around the entire process.

This was last published in November 2002

Dig Deeper on SIEM, log management and big data security analytics

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.