
Error log retention should be set to meet log retention policy.


Overview

Finding ID: V-15137
Version: DM3930-SQLServer9
Rule ID: SV-25454r1_rule
IA Controls: ECCR-1, ECCR-2, ECCR-3
Severity: Medium
Description
For SQL Server, error logs are used to store system event and system error information. In addition to assisting in correcting system failures or issues that could affect system availability and operation, log information may also be useful in discovering evidence of malicious intent. Management of the error logs requires consideration and planning to prevent loss of security data and to maintain system operation.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13785r1_chk)
Review the registry key value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.#\MSSQLServer\NumErrorLogs

where [#] indicates the sequence number assigned to the SQL Server instance.

Sequence number assignments to instances may be viewed at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL\[instance name]

Review the number assigned for the maximum number of error logs. Confirm this is the number documented in the System Security Plan.

If the number is not documented in the System Security Plan or the assigned value does not match the System Security Plan specification, this is a Finding.

Review evidence that error log retention is maintained for a minimum of one year. Error logs should be moved offline after 30 days or less depending on system storage capacity.
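
The registry review above can be scripted for every instance on a host. The following PowerShell is an added example, not part of the STIG text; the parameter name $ExpectedNumErrorLogs and its default of 12 are constructed placeholders for the number documented in the System Security Plan.

```powershell
# Added example (not STIG text): compare NumErrorLogs for each local SQL Server
# instance with the number documented in the System Security Plan (SSP).
param(
    # Assumption: placeholder value; pass the number from your SSP.
    [int]$ExpectedNumErrorLogs = 12
)

$root    = 'HKLM:\Software\Microsoft\Microsoft SQL Server'
$mapPath = Join-Path $root 'Instance Names\SQL'

if (-not (Test-Path -Path $mapPath)) {
    Write-Warning "Instance map not found: $mapPath"
    return
}

# Each value under Instance Names\SQL maps an instance name to its MSSQL.# key.
$map = Get-Item -Path $mapPath

$report = foreach ($instance in $map.GetValueNames()) {
    $instanceId = $map.GetValue($instance)
    $keyPath    = Join-Path $root "$instanceId\MSSQLServer"

    $configured = $null
    if (Test-Path -Path $keyPath) {
        $configured = (Get-Item -Path $keyPath).GetValue('NumErrorLogs', $null)
    }

    if ($null -eq $configured) {
        # Value absent: no number has been assigned for this instance.
        $result = 'Review: NumErrorLogs is not set'
    } elseif ($configured -ne $ExpectedNumErrorLogs) {
        $result = 'Finding: value differs from SSP'
    } else {
        $result = 'Matches SSP'
    }

    [pscustomobject]@{
        Instance     = $instance
        InstanceId   = $instanceId
        NumErrorLogs = $configured
        Expected     = $ExpectedNumErrorLogs
        Result       = $result
    }
}

$report | Format-Table -AutoSize
```

The script only reads the registry; the one-year retention evidence and the offline archive still have to be reviewed separately.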
Fix Text (F-19682r1_fix)
Review the SQL Server error log usage and determine a strategy for maintenance.

The strategy should provide for the longest online retention that is considered meaningful and useful. This is determined over a period of operation and depends upon the amount of log data generated.

Error logs must be maintained for a minimum of one year (DG0030). Error logs should be moved offline to satisfy this retention requirement. Design the provision for evidence of retention and allow restoration (for review) of the error logs in the System Security Plan.

For SQL Server 2005:

From the SQL Server Management Studio GUI:

1. Connect to and expand the SQL Server instance
2. Expand Management
3. Right-click on SQL Server Logs
4. Select Configure
5. Under the General Page, select or deselect Limit the number of error logs before they are recycled
6. Enter the number of error log files determined for the SQL Server instance
7. Click OK