Security logs
I have several member servers in my domain, and it seems that the security logs are being overwritten almost every day. Is the retention policy set on the default domain policy, or can I set this on the OU that the servers are in? I think the logs are being overwritten because I keep getting the filtering platform audit failure.
September 27th, 2011 6:46pm

Hi "Zeb"; first of all, let me state that what I'm suggesting isn't an "official solution". That said, it's something which may help you avoid your issue and, at the same time, centralize the logs, which in turn means more ease when it comes to checking them.

The idea is to install on the various boxes a service which will forward the (desired) eventlog entries to a central "syslog" server. For such a purpose you may use this program or this other one. By the way, before setting them up, and since you'll need to point them to a "syslog" server, you'll need to install such an app; a possible solution may be this one. The app implements a standard, vanilla "syslogd"; by the way, there are other similar programs around.

Using the above approach you won't even need to care about eventlog rotation since, in any case, all the desired events will be sent to the central logging server.

Also notice that "syslog" isn't just something you may use for the above purpose: there are several platforms and devices (routers, firewalls, printers...) which support "syslog" logging. This means that having a "syslog" server in place will allow you to collect all your logs in a single place and ease management.
September 27th, 2011 7:29pm

Hi zeb2100,

Thank you for your post.

Open the Event Viewer console, right-click the Security log and open its properties; there you can set the maximum log size, or change "Overwrite events as needed" to "Archive the log when full, do not overwrite events".

For Group Policy, run the rsop.msc command on your server and check whether "Maximum security log size" is defined under Computer Configuration--Windows Settings--Security Settings--Event Log.

If there are more inquiries on this issue, please feel free to let us know.

Regards,
Rick Tan
September 28th, 2011 12:30pm
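
The check described in the reply above, run across several servers at once, as an added example that is not part of the original thread. It reports each Security log's maximum size and overwrite mode, how many hours of history the log currently holds, and which event IDs dominate the most recent records. The host names SRV01 and SRV02 are placeholders, and the account running it is assumed to have rights to read the Security log remotely.

```powershell
# Added example (not from the thread): audit Security log sizing and retention.
# ASSUMPTION: SRV01/SRV02 are placeholder host names for your member servers.
$Servers = @('SRV01', 'SRV02')

$report = foreach ($server in $Servers) {
    try {
        # Effective configuration, whether it was set locally or by Group Policy.
        $cfg = Get-WinEvent -ListLog Security -ComputerName $server -ErrorAction Stop

        # Oldest and newest records bound the window of history still in the log.
        $oldest = Get-WinEvent -LogName Security -ComputerName $server -MaxEvents 1 -Oldest -ErrorAction Stop
        $newest = Get-WinEvent -LogName Security -ComputerName $server -MaxEvents 1 -ErrorAction Stop
        $hours  = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours

        # Event IDs that dominate the most recent records, i.e. what is filling the log.
        $top = Get-WinEvent -LogName Security -ComputerName $server -MaxEvents 5000 -ErrorAction Stop |
            Group-Object Id | Sort-Object Count -Descending | Select-Object -First 3 |
            ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }

        [pscustomobject]@{
            Server        = $server
            MaxSizeMB     = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            # Circular = overwrite as needed, AutoBackup = archive when full,
            # Retain = do not overwrite (clear manually).
            LogMode       = $cfg.LogMode
            Records       = $cfg.RecordCount
            HoursRetained = [math]::Round($hours, 1)
            TopEventIds   = $top -join ', '
        }
    }
    catch {
        # Keep unreachable or access-denied servers visible in the report.
        [pscustomobject]@{
            Server        = $server
            MaxSizeMB     = $null
            LogMode       = "ERROR: $($_.Exception.Message)"
            Records       = $null
            HoursRetained = $null
            TopEventIds   = $null
        }
    }
}

$report | Format-Table -AutoSize
```

A LogMode of Circular together with a small HoursRetained value confirms that the log is wrapping. TopEventIds shows whether one audit category is responsible for the volume.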


This topic is archived. No further replies will be accepted.
