Granular Windows Event Log Control - Log but don't retain certain event IDs
I'm messing around in a VM lab and using the Graylog sidecar (a process which watches the Windows event log and forwards events to a central log collector), and I have a situation where I want to send a certain log to a central system but I don't want the event stored on the local system.
I'll use event ID 5154 as an example. I would like to centrally retain these, but when enabled, it causes the Windows event log to rotate so frequently that manual investigation of a system's event log is hindered.
Is it possible to do one of the following things:
- Configure Windows to log 5154 but only retain a max number of events of that type? For instance, instead of rotating the log at a fixed size, rotate entries of that event at say 10,000 records?
- Configure Windows to 'log' the event in such a way that a log forwarding agent (or WEF? I'm not very familiar with the mechanisms of it) would see the event but it wouldn't clutter the local Windows log?
Appreciate any help!
Solution 1:
No, this is not possible. You can control which events to log in the first place with an audit policy, but not to only retain certain events long-term.
For one, how would the Windows event log know that the event was successfully sent to a back-end DB?
Second, it would mess with the integrity of the event log as well, as each event has a sequential number.
Your only option is to frequently back up the local event log and compress it to save space. I'm not sure why you would need to retain the event logs locally anyway if you're sending them to a remote destination.
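As an added illustration of the two things the answer says you can actually control (the audit policy that generates 5154, and periodic export-and-compress of the local log), here is a PowerShell script that is not part of the original thread. It assumes it runs elevated; the archive path is a placeholder.

```powershell
# Added example, not from the original post. Exports the live Security log to an
# .evtx file without clearing it, compresses the export, and reports how many
# 5154 records the archive holds. Paths are placeholders; run from an elevated shell.
$ArchiveRoot = 'C:\EventLogArchive'   # placeholder destination for the archives
$LogName     = 'Security'
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null

# Show the audit subcategory that produces event ID 5154; this is the only knob
# that decides whether the event is written at all.
auditpol /get /subcategory:"Filtering Platform Connection"

# Show the live log's size and retention mode, the only retention knobs Windows offers.
Get-WinEvent -ListLog $LogName |
    Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount

# Export (not clear) the log; the local log keeps rotating on its own size limit.
$Evtx = Join-Path $ArchiveRoot "$env:COMPUTERNAME-$LogName-$Stamp.evtx"
wevtutil epl $LogName $Evtx
if ($LASTEXITCODE -ne 0) { throw "wevtutil export failed with exit code $LASTEXITCODE" }

# Count the noisy event ID in the exported copy as a sanity check on the archive.
$Count5154 = (Get-WinEvent -Path $Evtx -FilterXPath '*[System[EventID=5154]]' `
                -ErrorAction SilentlyContinue | Measure-Object).Count

# Keep only the compressed copy locally to save space.
$Zip = [System.IO.Path]::ChangeExtension($Evtx, '.zip')
Compress-Archive -Path $Evtx -DestinationPath $Zip -CompressionLevel Optimal
Remove-Item $Evtx

"Archived $Zip ($Count5154 records with event ID 5154)"
```

Schedule this with Task Scheduler at an interval shorter than the log's rotation time so no records are lost between exports.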