Why are AuthAnvil event logs important?
As with most Windows applications, AuthAnvil records significant events in the Windows event logs, which are the primary record of what the system and its services did and when. Since your AuthAnvil server is responsible for the security and protection of critical logins, it is important to retain all of that logging data.
By default, Windows event logs overwrite events as needed, oldest first, once a log reaches its maximum size. This can be a security issue: a burst of routine events, or an attacker deliberately generating noise, can push the entries you need out of the log before anyone has reviewed them. For a company under PCI or HIPAA compliance, keeping accurate auditing information can be the difference between demonstrable due diligence and a potential lawsuit.
How can I protect my event logs from being overwritten?
1. Configure logs not to overwrite events
In the Event Viewer (eventvwr.msc) configure the following settings for the Application, Security, and System logs. Depending on the software installed, you may also want to follow these steps for the AuthAnvil and AAWinLogonCP logs under "Applications and Services Logs":
- Right-click on the log name and select Properties
- On the General tab, set a Maximum log size that is large enough to hold a useful history without consuming too much disk space. The default of 20480 KB holds roughly 30,000 events, depending on the size of each record
- On the same tab, select Do not overwrite events (Clear logs manually) so that existing events are never discarded when the log is full. Note that a log configured this way stops recording new events once it is full until it is cleared, so this setting must be paired with the regular backups in step 3
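The same settings can be applied from PowerShell, which is easier to repeat across several servers and to verify afterwards. The script below is an added example and is not part of the original article or of AuthAnvil itself; it uses the EventLogConfiguration object returned by Get-WinEvent -ListLog, which covers both the classic logs and the "Applications and Services" logs. The 64 MB size and the inclusion of the AuthAnvil and AAWinLogonCP logs are assumptions; adjust them to your disk capacity and installed components.

```powershell
# Added example (not from the original article): enforce "Do not overwrite events
# (Clear logs manually)" and a fixed maximum size on each log, then read the
# configuration back so the result can be checked. Must run elevated.
#Requires -RunAsAdministrator

# Assumed log list: the three classic logs plus the AuthAnvil-specific channels.
$logs     = @('Application', 'Security', 'System', 'AuthAnvil', 'AAWinLogonCP')
$maxBytes = 64MB   # assumption; Windows rounds this to a multiple of 64 KB

foreach ($log in $logs) {
    # Skip channels that are not registered on this host (e.g. AAWinLogonCP on the server).
    $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if (-not $cfg) {
        Write-Warning "Log '$log' is not present on this host; skipping"
        continue
    }

    # LogMode Retain is the "Do not overwrite events (Clear logs manually)" option;
    # Circular is the default overwrite-as-needed behaviour.
    $cfg.LogMode            = [System.Diagnostics.Eventing.Reader.EventLogMode]::Retain
    $cfg.MaximumSizeInBytes = $maxBytes
    $cfg.SaveChanges()

    # Re-read rather than trusting the object we just wrote.
    $check = Get-WinEvent -ListLog $log
    if ($check.LogMode -ne 'Retain' -or $check.MaximumSizeInBytes -lt $maxBytes) {
        throw "Configuration of '$log' did not apply as expected"
    }
    '{0,-14} LogMode={1,-8} MaxSize={2,8:N0} KB  Records={3,8:N0}  Full={4}' -f `
        $log, $check.LogMode, ($check.MaximumSizeInBytes / 1KB),
        $check.RecordCount, $check.IsLogFull
}
```

The final column matters: with Retain set, a log whose IsLogFull is True is silently dropping new events, so any monitoring you already have for these servers should alert on that state rather than only on log size.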
2. Consider modifying Group Policy to shut down the system if it is unable to log data
The security option "Audit: Shut down system immediately if unable to log security audits" makes Windows halt with a Stop error (STATUS_AUDIT_FAILED, 0xC0000244) rather than lose a single audit record. It applies only to the Security log, not to the Application, System or AuthAnvil logs. After such a shutdown only members of the Administrators group can log on until the Security log has been cleared and the CrashOnAuditFail registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa has been reset, so this is a configuration for environments where audit integrity matters more than system uptime, for example when meeting compliance standards.
Microsoft TechNet has a useful article on this subject: http://technet.microsoft.com/en-us/library/jj852263.aspx
3. Regularly back up the event logs
Backing up the event logs is what makes the retention settings in step 1 safe to use: a log set not to overwrite stops recording once it is full, and clearing it without an archive destroys exactly the history you were trying to keep. Although you can save a log manually through the Event Viewer interface, it is recommended to script regular backups so that they occur automatically, and to copy the archives off the server so a compromise of the host cannot erase them.
This reference includes a script for backing up an event log, which can be run from a Scheduled Task: http://technet.microsoft.com/en-us/library/ee176696.aspx
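A complete version of step 3 follows as an added example; it is not the script from the TechNet reference nor part of AuthAnvil. It uses wevtutil's clear-with-backup (cl /bu:) so that the backup and the clear happen in one operation, leaving no window in which events written between a separate export and clear would be lost, and it registers itself as a daily Scheduled Task running as SYSTEM. The backup path, the 02:00 schedule, the task name and the log list are assumptions.

```powershell
# Added example (not from the original article): back up and clear each log in a
# single step, write a SHA-256 beside each archive, and optionally register a
# Scheduled Task that runs this script every night. Must run elevated.
#Requires -RunAsAdministrator
param(
    [string]$BackupRoot = 'D:\EventLogBackups',                       # assumption
    [string[]]$Logs = @('Application', 'Security', 'System',
                        'AuthAnvil', 'AAWinLogonCP'),                  # assumption
    [switch]$Register   # run once with -Register to create the Scheduled Task
)

if ($Register) {
    $arg = '-NoProfile -ExecutionPolicy Bypass -File "{0}" -BackupRoot "{1}"' -f `
        $PSCommandPath, $BackupRoot
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arg
    $trigger = New-ScheduledTaskTrigger -Daily -At 02:00
    # SYSTEM is used because clearing the Security log requires a highly privileged account.
    Register-ScheduledTask -TaskName 'AuthAnvil-EventLogBackup' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    Write-Host 'Scheduled Task AuthAnvil-EventLogBackup registered'
    return
}

# One directory per host and run, so archives from several servers never collide.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot (Join-Path $env:COMPUTERNAME $stamp)
New-Item -ItemType Directory -Path $target -Force | Out-Null

foreach ($log in $Logs) {
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) {
        Write-Warning "Log '$log' is not present on this host; skipping"
        continue
    }
    # Channel names may contain slashes (e.g. Vendor/Operational); keep file names flat.
    $file = Join-Path $target (($log -replace '[\\/]', '-') + '.evtx')

    # "cl /bu:" writes the backup and clears the log as one operation. Clearing the
    # Security log records event ID 1102 (other logs: System event ID 104); expect
    # those events at the scheduled time and alert on them at any other time.
    & wevtutil.exe cl $log /bu:$file
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "Backup of '$log' to '$file' failed (wevtutil exit code $LASTEXITCODE)"
    }

    # A hash stored with the archive only helps if both are copied off this host;
    # it lets the remote copy be checked for later modification.
    (Get-FileHash -Algorithm SHA256 -Path $file).Hash |
        Set-Content -Path "$file.sha256"
    Write-Host ('{0,-14} -> {1}' -f $log, $file)
}
```

Run it once interactively with -Register to create the task, then check the next morning that the archive directory exists and that the Security log shows a single event 1102 at the scheduled time. If a log must never be cleared on this server (for example during an investigation), remove it from the list rather than disabling the task, so the remaining logs keep being archived.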