Event log sizes do not meet minimum requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1118	5.002	SV-16946r1_rule	ECRR-1	Medium

Description
Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel.

STIG	Date
Windows Vista Security Technical Implementation Guide	2013-10-01

Details

Check Text ( C-16639r1_chk )
Vista/2008 - If the following registry values don’t exist or are not configured as specified, then this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: Software\Policies\Microsoft\Windows\EventLog\Application Value Name: MaxSize Type: REG_DWORD Value: 32768 Subkey: Software\Policies\Microsoft\Windows\EventLog\Security Value Name: MaxSize Type: REG_DWORD Value: 81920 Subkey: Software\Policies\Microsoft\Windows\EventLog\Setup Value Name: MaxSize Type: REG_DWORD Value: 32768 Subkey: Software\Policies\Microsoft\Windows\EventLog\System Value Name: MaxSize Type: REG_DWORD Value: 32768 Documentable: Yes Documentable Explanation: If the machine is configured to write an event log directly to an audit server, the “Maximum log size” for that log does not have to conform to the requirements above. This should be documented with the IAO.

Check Text ( C-16639r1_chk )

Vista/2008 - If the following registry values don’t exist or are not configured as specified, then this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE

Subkey: Software\Policies\Microsoft\Windows\EventLog\Application
Value Name: MaxSize
Type: REG_DWORD
Value: 32768

Subkey: Software\Policies\Microsoft\Windows\EventLog\Security
Value Name: MaxSize
Type: REG_DWORD
Value: 81920

Subkey: Software\Policies\Microsoft\Windows\EventLog\Setup
Value Name: MaxSize
Type: REG_DWORD
Value: 32768

Subkey: Software\Policies\Microsoft\Windows\EventLog\System
Value Name: MaxSize
Type: REG_DWORD
Value: 32768

Documentable: Yes
Documentable Explanation: If the machine is configured to write an event log directly to an audit server, the “Maximum log size” for that log does not have to conform to the requirements above. This should be documented with the IAO.

Fix Text (F-16018r1_fix)
Configure the following policy values as listed below: Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Application -> “Maximum Log Size (KB)” will be set to “Enabled:32768” Security -> “Maximum Log Size (KB)” will be set to “Enabled:81920” Setup -> “Maximum Log Size (KB)” will be set to “Enabled:32768” System -> “Maximum Log Size (KB)” will be set to “Enabled:32768”

Fix Text (F-16018r1_fix)

Configure the following policy values as listed below:

Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service ->

Application -> “Maximum Log Size (KB)” will be set to “Enabled:32768”
Security -> “Maximum Log Size (KB)” will be set to “Enabled:81920”
Setup -> “Maximum Log Size (KB)” will be set to “Enabled:32768”
System -> “Maximum Log Size (KB)” will be set to “Enabled:32768”