One of my buddies asked how to do the following today:
Suggest the size of the Event logs for a Windows 2003 Infrastructure.
I don't know if there's a hard recommendation from the mothership in Redmond, but I have learned that you should figure this out based on your own environment. My mom-and-pop shop may have fewer entries than your fancy multi-site Active Directory enterprise. So we should just get some data and infer what to do from it. Doing this once a week for the first month, and then once a month thereafter, should suffice.
Microsoft has, for quite some time, produced a log parsing tool known as "Log Parser". Its current release (as of June 2006) is version 2.2. It is available as a free download from Microsoft at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
These are the queries I used to get the data of interest.
Get the size of the event log per day for the Application event log (measured as the summed length of the message text):
logparser.exe -i:EVT "SELECT TO_DATE(TimeGenerated), SUM(STRLEN(Message)) FROM Application GROUP BY TO_DATE(TimeGenerated) ORDER BY TO_DATE(TimeGenerated)" -rtp:-1
Get the number of events per day for the Application event log:
logparser.exe -i:EVT "SELECT TO_DATE(TimeGenerated), Count(*) FROM Application GROUP BY TO_DATE(TimeGenerated) ORDER BY TO_DATE(TimeGenerated)" -rtp:-1
A smart person might put this data into Excel and calculate the average size per entry, and then draw some conclusions.
Make sure that you record your captured data, your predictions, and your actuals so you can make better predictions in the future.
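The spreadsheet step can also be scripted. The following is an added example, not part of the original post: it takes the per-day output of the two queries joined on the date, computes the average size per entry, and sizes the log for the worst run of days seen rather than the average, so a burst day does not overwrite the days before it. Assumptions: the CSV column names, the sample figures, the 1.5 headroom factor, and counting one message character as one byte of log growth (a proxy, not the on-disk record size).

```python
import csv
import io
import math

# Constructed sample data: date, event count, summed Message length per day.
SAMPLE = """date,events,message_chars
2006-06-05,1200,310000
2006-06-06,1500,420000
2006-06-07,900,205000
2006-06-08,4100,1250000
2006-06-09,1300,330000
"""

def load(text):
    """Return [(date, events, chars)] sorted by date."""
    rows = [(r["date"], int(r["events"]), int(r["message_chars"]))
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows)

def avg_chars_per_event(rows):
    """Average message size per entry across the whole capture."""
    return sum(c for _, _, c in rows) / sum(e for _, e, _ in rows)

def worst_window(rows, days):
    """Largest summed volume over any run of `days` consecutive rows.
    Days with no events are absent from the query output, which only
    makes the estimate more conservative."""
    vols = [c for _, _, c in rows]
    if len(vols) <= days:
        # Not enough history yet: pad missing days with the busiest day seen.
        return sum(vols) + max(vols) * (days - len(vols))
    return max(sum(vols[i:i + days]) for i in range(len(vols) - days + 1))

def suggest_size_kb(rows, days, headroom=1.5):
    """Worst window times headroom, rounded up to a 64 KB multiple
    (the increment the Event Viewer log size setting uses)."""
    kb = worst_window(rows, days) * headroom / 1024
    return math.ceil(kb / 64) * 64

if __name__ == "__main__":
    rows = load(SAMPLE)
    print("avg chars/event:", round(avg_chars_per_event(rows), 1))
    for days in (3, 7):
        print(days, "days retained ->", suggest_size_kb(rows, days), "KB")
```

Re-run it with each new capture and compare the suggestion against the previous one to see whether the prediction held.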