Windows Server 2003 administrators frequently encounter security log bloating during auditing operations. The default behavior either stops logging when full (if overwrite isn't enabled) or loses historical data (if overwrite is enabled). Neither solution provides the archival capability needed for compliance.
The system provides basic controls through Event Viewer properties:
1. Right-click Security Log → Properties
2. Set maximum log size (recommended 100MB+ for auditing)
3. Choose "Overwrite events as needed" for continuous operation
However, this doesn't address the need for log preservation before rotation.
Create a scheduled task running this PowerShell script weekly:
# EventLogRotator.ps1
$logName = "Security"
$archiveDir = "C:\LogArchives"
$archivePath = "$archiveDir\Security_$(Get-Date -Format yyyyMMdd).evtx"
# wevtutil epl does not create folders; make sure the archive folder exists
if (!(Test-Path $archiveDir)) { New-Item -ItemType Directory -Path $archiveDir | Out-Null }
# Export current log
wevtutil epl $logName $archivePath
# Never clear the live log if the export failed (the events would be lost)
if ($LASTEXITCODE -ne 0) { exit 1 }
# Clear the active log
wevtutil cl $logName
# Compress archived log (requires 7-Zip)
& "C:\Program Files\7-Zip\7z.exe" a -tzip "$archivePath.zip" $archivePath
Remove-Item $archivePath
For systems without PowerShell:
' LogRotator.vbs
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
logName = "Security"
archiveDir = "C:\LogArchives"
' Zero-pad month and day so file names sort chronologically (20240105, not 202415)
dateStamp = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)
' wevtutil epl writes the .evtx format whatever extension is given, so name the file accordingly
archivePath = archiveDir & "\Security_" & dateStamp & ".evtx"
If Not objFSO.FolderExists(archiveDir) Then objFSO.CreateFolder archiveDir
' Export, then clear only if the export returned success
rc = objShell.Run("wevtutil epl " & logName & " " & archivePath, 0, True)
If rc = 0 Then objShell.Run "wevtutil cl " & logName, 0, True
Create the task with these settings:
schtasks /create /tn "Event Log Rotation" /tr "powershell -File C:\Scripts\EventLogRotator.ps1" /sc weekly /d SUN /st 23:00 /ru SYSTEM
For long-term compliance:
- Implement log forwarding to a SIEM system
- Use Windows' built-in "Archive the log when full" option with a custom retention script
- Configure NTFS permissions on archive folder to prevent tampering
Common issues include:
- Insufficient permissions (run as SYSTEM)
- Lack of disk space for archives
- File locks from antivirus scanning
- 7-Zip not installed when using compression
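The following script is an added example (not from this answer) that folds the points above into one rotation script: it locks down the archive folder's NTFS ACL, refuses to run when the archive volume is low on space, clears the live log only after verifying the export produced a file, and records a SHA-256 digest of each archive so later tampering can be detected. It assumes PowerShell 2.0, an archive path of D:\LogArchives (choose a volume other than the system drive), and wevtutil.exe on the PATH as the scripts above do; note that wevtutil shipped with Windows Vista / Server 2008, so on a genuine Server 2003 host the export and clear steps would need the Win32_NTEventlogFile WMI class (BackupEventlog and ClearEventlog methods) instead.

```powershell
# HardenedLogRotator.ps1 (added illustration; assumes PowerShell 2.0 and wevtutil.exe on the PATH)
param(
    [string]$LogName     = "Security",
    [string]$ArchiveRoot = "D:\LogArchives",   # assumed path; use a volume other than the system drive
    [int]   $MinFreeMB   = 500                 # skip rotation if the archive volume has less free space
)
$runLog = Join-Path $ArchiveRoot "rotation.log"
function Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File $runLog -Append -Encoding ascii
}

# 1. Create the archive folder and replace its inherited ACL with SYSTEM + Administrators only,
#    so an ordinary user account cannot delete or edit archived evidence.
if (!(Test-Path $ArchiveRoot)) {
    New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null
    $acl = Get-Acl $ArchiveRoot
    $acl.SetAccessRuleProtection($true, $false)   # $true = stop inheriting, $false = drop inherited rules
    foreach ($principal in "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators") {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $principal, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $ArchiveRoot -AclObject $acl
}

# 2. Check free space on the archive volume before exporting; a half-written export followed by
#    a clear would destroy the very records we are trying to keep.
$driveId = Split-Path -Qualifier $ArchiveRoot                   # e.g. "D:"
$disk    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$driveId'"
$freeMB  = [int]($disk.FreeSpace / 1MB)
if ($freeMB -lt $MinFreeMB) {
    Log "SKIPPED: only $freeMB MB free on $driveId (minimum $MinFreeMB MB)"
    exit 1
}

# 3. Export, then verify the export actually produced a non-empty file before clearing the live log.
$stamp       = Get-Date -Format "yyyyMMdd_HHmmss"
$archiveFile = Join-Path $ArchiveRoot "${LogName}_$stamp.evtx"
& wevtutil.exe epl $LogName $archiveFile
if ($LASTEXITCODE -ne 0 -or !(Test-Path $archiveFile) -or (Get-Item $archiveFile).Length -eq 0) {
    Log "FAILED: export of $LogName returned $LASTEXITCODE; live log left untouched"
    exit 1
}
& wevtutil.exe cl $LogName

# 4. Record a SHA-256 digest of the archive so later modification can be detected against this list.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($archiveFile)
$digest = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace("-", "")
$stream.Close()
"$digest  $(Split-Path -Leaf $archiveFile)" | Out-File (Join-Path $ArchiveRoot "SHA256SUMS") -Append -Encoding ascii
$sizeMB = [int]((Get-Item $archiveFile).Length / 1MB)
Log "OK: exported $LogName to $archiveFile ($sizeMB MB), sha256=$digest"
```

Schedule it with the schtasks command from the answer (including /ru SYSTEM, since Set-Acl and wevtutil cl both need that level of access). The SHA256SUMS file lives under the same ACL as the archives, so it only protects against tampering by accounts below Administrators; copy it, or the archives themselves, off the host (for example to the SIEM mentioned above) if you need a record an administrator cannot rewrite.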
Managing event logs in Windows Server 2003 can be particularly challenging when dealing with security auditing. The security log grows rapidly and requires frequent manual intervention to prevent it from filling up. While enabling overwrite options or relying on backups are possible solutions, a more elegant approach involves automating log rotation.
Here's a PowerShell script that can be scheduled to run periodically, saving and clearing the security log:
# Event Log Rotation Script for Windows Server 2003
$logName = "Security"
$archivePath = "C:\EventLogArchives"
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$archiveFile = "$archivePath\${logName}_$dateStamp.evtx"   # braces are required: "$logName_" would be read as a variable named logName_ and expand to nothing
# Create archive directory if it doesn't exist
if (!(Test-Path $archivePath)) {
New-Item -ItemType Directory -Path $archivePath | Out-Null
}
# Save and clear the log
wevtutil epl $logName $archiveFile
wevtutil cl $logName
To automate this process, you can create a scheduled task that runs the script at regular intervals. Here's the command to create a daily task:
schtasks /create /tn "Event Log Rotation" /tr "powershell.exe -File C:\scripts\RotateEventLogs.ps1" /sc daily /st 23:00
For environments where PowerShell isn't available, you can call wevtutil (the Windows Events Command Line Utility) from a batch file:
@echo off
set logname=Security
set archivepath=C:\EventLogArchives
rem Substring offsets assume the US format "Ddd MM/DD/YYYY"; check "echo %date%" on your system first
set timestamp=%date:~10,4%%date:~4,2%%date:~7,2%_%time:~0,2%%time:~3,2%
rem %time% pads single-digit hours with a space; replace it with a zero so the file name contains no space
set timestamp=%timestamp: =0%
if not exist "%archivepath%" mkdir "%archivepath%"
wevtutil epl %logname% "%archivepath%\%logname%_%timestamp%.evtx"
wevtutil cl %logname%
When implementing log rotation:
- Ensure adequate storage space for archived logs
- Consider log retention policies and compliance requirements
- Test the rotation process thoroughly before deployment
- Document the archiving process for audit purposes
To verify your rotation is working correctly, you can check the log properties:
wevtutil gl Security
This will display the current size and maximum size settings for the Security log.
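As an added example (not part of this answer), the script below handles the retention and verification points together: it prunes archives older than a configurable window using the timestamp in the file name, then parses wevtutil's key: value output to check the live log. wevtutil gl supplies the configuration (maxSize, retention, autoBackup) while wevtutil gli supplies the runtime state (fileSize, numberOfLogRecords), so both are read. It assumes PowerShell 2.0, wevtutil.exe on the PATH, archives named Security_yyyyMMdd_HHmmss.evtx as the script above produces, and a 365-day retention period, which you should replace with the figure from your own policy.

```powershell
# ArchiveRetention.ps1 (added illustration; assumes PowerShell 2.0, wevtutil.exe, and archives
# named <LogName>_yyyyMMdd_HHmmss.evtx as produced by the rotation script above)
param(
    [string]$LogName     = "Security",
    [string]$ArchiveRoot = "C:\EventLogArchives",
    [int]   $RetainDays  = 365                      # assumed retention period; set it from your policy
)

# Parse wevtutil's "key: value" lines into a hashtable. 'gl' gives configuration (maxSize,
# retention, autoBackup); 'gli' gives runtime status (fileSize, numberOfLogRecords).
function Get-LogStatus([string]$Name) {
    $status = @{}
    foreach ($line in @(wevtutil gl $Name) + @(wevtutil gli $Name)) {
        if ($line -match '^\s*(\w+):\s*(\S.*)$') { $status[$matches[1]] = $matches[2].Trim() }
    }
    return $status
}

# 1. Prune archives older than the retention window, keyed on the timestamp embedded in the
#    file name rather than LastWriteTime (which anyone with write access can reset).
$cutoff  = (Get-Date).AddDays(-$RetainDays)
$removed = 0
foreach ($file in Get-ChildItem -Path $ArchiveRoot -Filter "${LogName}_*.evtx") {
    if ($file.BaseName -match '_(\d{8})_(\d{6})$') {
        $taken = [DateTime]::ParseExact($matches[1] + $matches[2], "yyyyMMddHHmmss", $null)
        if ($taken -lt $cutoff) { Remove-Item $file.FullName; $removed++ }
    }
}

# 2. Sanity-check the live log: the answers above recommend 100 MB or more for auditing, a log
#    that is nearly full means the schedule is not keeping up, and "retention: true" without
#    autoBackup means the log stops recording when it fills (the failure mode the question is about).
$status   = Get-LogStatus $LogName
$maxMB    = [long]$status["maxSize"]  / 1MB
$sizeMB   = [long]$status["fileSize"] / 1MB
$warnings = @()
if ($maxMB -lt 100) {
    $warnings += "maxSize is $maxMB MB; raise it with: wevtutil sl $LogName /ms:104857600"
}
if ($sizeMB -gt 0.8 * $maxMB) {
    $warnings += "$LogName is $sizeMB of $maxMB MB; rotate more often"
}
if ($status["retention"] -eq "true" -and $status["autoBackup"] -ne "true") {
    $warnings += "retention is on without autoBackup: $LogName will stop recording when full"
}

"Pruned $removed archive(s) older than $($cutoff.ToShortDateString()); $LogName now $sizeMB MB of $maxMB MB, $($status['numberOfLogRecords']) records"
if ($warnings.Count -gt 0) { $warnings | ForEach-Object { Write-Warning $_ }; exit 2 }
```

The non-zero exit code on warnings lets the scheduled task's "Last Run Result" column in Task Scheduler show that something needs attention, which is easier to spot than reading the script's output.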