18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'

Information

This policy setting controls Event Log behavior when the log file reaches its maximum size.

The recommended state for this setting is: Disabled.

Note: Whether old events are retained when this setting is Enabled also depends on the Backup log automatically when full policy setting: with automatic backup enabled the full log is archived and cleared, and without it new events are discarded until the log is cleared manually.

Rationale:

If new events are not recorded, it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. With this setting Disabled, the log overwrites its oldest entries instead, so the most recent activity is always captured; size the log appropriately and forward events to a central collector so that entries overwritten on the host are not lost.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Control Event Log behavior when the log file reaches its maximum size

Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
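The following PowerShell is an added audit example, not part of the CIS or Tenable text above. It checks the policy state for the System log and reports the effective log mode, with an optional local remediation for hosts that do not receive the setting from a domain GPO. It assumes (this page does not state the registry location) that the EventLog.admx template backs this policy with the REG_SZ value Retention under HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\System, where "0" means Disabled and "1" means Enabled.

```powershell
# Added example: audit the 'Control Event Log behavior when the log file reaches its
# maximum size' policy for the System log. Not part of the CIS/Tenable audit text.
#
# Assumption (not stated on this page): the EventLog.admx template writes the REG_SZ value
# 'Retention' under the key below. "1" = Enabled (do not overwrite; new events are dropped
# when the log is full), "0" = Disabled (overwrite oldest events). A missing value means
# Not Configured, which leaves the default overwrite behavior in place.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
$ValueName = 'Retention'

function Get-SystemLogRetentionPolicy {
    # Returns 'Enabled', 'Disabled', 'NotConfigured', or a description of an unexpected value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ([string]$item.$ValueName) {
        '1'     { 'Enabled' }
        '0'     { 'Disabled' }
        default { "Unexpected value '$($item.$ValueName)'" }
    }
}

function Test-SystemLogRetentionCompliant {
    # CIS expects Disabled. NotConfigured produces the same behavior (the default) but is
    # reported separately so you can decide whether to enforce the value explicitly.
    $state = Get-SystemLogRetentionPolicy
    [pscustomobject]@{
        PolicyState      = $state
        Compliant        = ($state -eq 'Disabled')
        # LogMode 'Circular' is the effective overwrite-as-needed behavior;
        # 'Retain' means new events are being dropped once the log is full.
        EffectiveLogMode = (Get-WinEvent -ListLog System).LogMode
        MaximumSizeBytes = (Get-WinEvent -ListLog System).MaximumSizeInBytes
    }
}

function Set-SystemLogRetentionDisabled {
    # Local remediation for a machine that is not receiving this setting from a domain GPO.
    # Requires an elevated prompt. Domain-joined hosts should get the setting via GPO, since
    # a local write under the Policies key is replaced at the next policy refresh.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType String -Value '0' -Force | Out-Null
}

Test-SystemLogRetentionCompliant | Format-List
```

Run the check from an elevated prompt so the policy key is readable regardless of its ACL. After remediation, re-run Test-SystemLogRetentionCompliant and confirm EffectiveLogMode reports Circular; if it still shows Retain, refresh Group Policy (gpupdate /target:computer) or restart the Windows Event Log service so the new value is applied.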

Default Value:

Disabled. (When a log file reaches its maximum size, new events overwrite old events.)

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CCE|CCE-33729-5, CSCv7|6.4

Plugin: Windows

Control ID: 6c71add4f111212d5ccb53bec3f21ca53b337c9e48fd40d54a12d47b69c10625