Open jeff-bb opened 2 years ago
PrzemyslawKlys
commented
2 years ago If you set event log to even 2GB you're going to have a large surprise when dealing with Event Viewer. This rule mostly focuses on making sure you have it within normal limits. It should be probably much lower.
jeff-bb
commented
2 years ago By large surprise, are you referring to terrible performance when trying to open/search the log file? Yes, I won't argue that. I only set the larger values on things like domain controllers that roll over logs within a few minutes at default values, quicker than they can be pushed up to log aggregation at least. A human never touches the log files. For lower volume sites/DCs we keep it more reasonable.
Nevertheless, for complete accuracy of the rule and regardless of the issues surrounding too large of a file, there is a higher ceiling as well as the divisible by 64 constraints that could be incorporate into the tool.
Feel free to close wontfix, I just wanted to make sure I posted something incase anyone else runs the total and wanted to provide that same feedback.
(Great tool thus far, btw. Thanks).
PrzemyslawKlys
commented
2 months ago You can always propose a PR with a change that brings it to proper values. I'm sure other would benefit
"Security Log Maximum Size smaller then 4GB [High] [Expected value (Less Or Equal): 4000, Found value: 4095.94]"
To be technically accurate, the rule would be more in line with "value is greater than 64, less than 4194240, an even multiple of 64."
In pseudo ps that would be -- value -ge 64 and value -le 4194240 and (value % 64) -eq 0
4194240 is the maximum size to account for FAT 2 file size limits (Arguably it should be 4194304, but various Microsoft tooling stops or produces errors beyond 4194240). If the filesystem is NTFS, technically it could go higher, but various things get upset at this in practice.