jgstew / bigfix-content

a repo to store some example bigfix-content
The Unlicense

Create Content for Retaining Windows Logs #22

Closed jgstew closed 4 years ago

jgstew commented 4 years ago

Starting with these logs:

Using the Security Log as an example, the current settings seem to be stored here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

While the Group Policies that also affect this are here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security

It seems like the policies location overrules the other location, which makes sense.

Relevance:

To get the max log size setting (in MB), assuming no policy, it should be:

(it / 1024) of (it as integer) of values "MaxSize" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security" of registries

Getting the same but set by policy would be:

(it as integer) of values "MaxSize" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security" of registries

Combined, getting the policy location first, otherwise the regular location:

(it as integer) of value "MaxSize" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security" of registries | (it / 1024) of (it as integer) of value "MaxSize" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security" of registries | ERROR "NoValue"

Changing the setting for "archive the log when full, do not overwrite events" in the GUI sets both the AutoBackupLogFiles setting and the Retention values here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

Related:

jgstew commented 4 years ago

Created an analysis here:

Computer Summary Example of this analysis:

[Screenshot: Computer Summary of the analysis, 2020-03-19]
jgstew commented 4 years ago

Relevance for the fixlet/task that sets the log files to be retained (using Security as an example):

not exists (it as integer) whose(it = 1) of values "AutoBackupLogFiles" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security" of registries

Names of the primary log files:

names of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" of registries

Here is the first of the fixlets to set this value:
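As an added example (not the fixlet referred to above, and not code from the bigfix-content repo), this PowerShell function reports the effective retention settings for each primary log using the precedence described in this issue: the policy key wins, otherwise the service key is used, and it flags logs where archive-when-full is not enforced by policy, which is the condition the task relevance above tests. It assumes the policy MaxSize is stored in KB, as the combined relevance expression implies, and that the service-key MaxSize is in bytes.

```powershell
# Added example, not part of jgstew/bigfix-content. Requires a Windows host;
# run elevated to read the Policies key reliably.
function Get-EffectiveEventLogRetention {
    param(
        # Default to the primary logs, enumerated the same way the issue does
        # (subkeys of the EventLog service key).
        [string[]]$LogName = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog').PSChildName
    )
    foreach ($log in $LogName) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
        $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
        $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue

        # MaxSize: policy value taken as-is (assumed KB); service value is
        # bytes, so divide by 1024, matching the issue's combined expression.
        if ($pol -and $null -ne $pol.MaxSize) {
            $maxKB = [int64]$pol.MaxSize; $maxSrc = 'policy'
        } elseif ($svc -and $null -ne $svc.MaxSize) {
            $maxKB = [int64]$svc.MaxSize / 1024; $maxSrc = 'service'
        } else {
            $maxKB = $null; $maxSrc = 'none'
        }

        # AutoBackupLogFiles / Retention: same precedence, policy first.
        $autoBackup = if ($pol -and $null -ne $pol.AutoBackupLogFiles) { $pol.AutoBackupLogFiles }
                      elseif ($svc) { $svc.AutoBackupLogFiles } else { $null }
        $retention  = if ($pol -and $null -ne $pol.Retention) { $pol.Retention }
                      elseif ($svc) { $svc.Retention } else { $null }

        [pscustomobject]@{
            Log                  = $log
            MaxSizeKB            = $maxKB
            MaxSizeSource        = $maxSrc
            AutoBackupLogFiles   = $autoBackup
            Retention            = $retention
            # True when the issue's task relevance would fire: policy does not
            # enforce AutoBackupLogFiles = 1 for this log.
            ArchiveNotEnforced   = -not ($pol -and $pol.AutoBackupLogFiles -eq 1)
        }
    }
}

Get-EffectiveEventLogRetention | Format-Table -AutoSize
```

Logs with ArchiveNotEnforced set to True are the ones the retention task in this issue would target; restrict `-LogName` to Application, Security and System to match the three generated fixlets.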

jgstew commented 4 years ago

Created automation to generate 3 of these fixlets automatically: https://github.com/jgstew/generate_bes_from_template/blob/master/examples/TEMPLATE_Event_Logs_Retain-LOG-Windows.py