March 29th, 2006, 05:25 AM
#6
The log rotation would not have helped you if the malicious user deleted the same day; all the log rotation would have done is stop "accidental over-writing", that is, so many Security Log events being generated that you lose critical data.
Here is the entry from the Microsoft Threats and Countermeasures Guide about the event log settings in GP:
http://www.microsoft.com/technet/sec.../tcgch06n.mspx
Note these settings need to be considered together for their overall effect, not just one at a time.
Other good links:
http://support.microsoft.com/default.aspx?kbid=323076
http://www.microsoft.com/downloads/d...displaylang=en
http://technet2.microsoft.com/window...p/default.mspx
This will only change the way the logs are handled on the machine; you could then have some form of mail-in or backup utility to archive or back up the logs at appropriate times.
If you have an administrator who has purposely deleted log files though, then the proverbial horse has already bolted; it doesn't really matter what you do, someone with domain admin privileges can always delete log files on the machine (unless you SERIOUSLY mess with the ACLs, which is not something I would recommend you do lightly).
I agree with rapier57 - this is a serious breach and you may want to get some experts or law enforcement in to chase this up! A review of who has admin access (and perhaps cutting it down for a while) and a good old-fashioned "reading of the riot act" to all admins is called for until you can find the culprit.
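As an added illustration of the "backup utility to archive the logs" idea above (example code, not the poster's), this PowerShell script exports the Security log to an off-box share, records a hash of the copy, and flags the trace a log wipe leaves behind (Security event ID 1102, "the audit log was cleared"). The share path `\\logserver\evtarchive` and the once-a-day schedule are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original post. Assumes it runs as a scheduled task
# with rights to read the Security log and write to the archive share.
$ArchiveShare = '\\logserver\evtarchive'      # placeholder, change to your own share
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
$Computer = $env:COMPUTERNAME
$Target   = Join-Path $ArchiveShare "$Computer-Security-$Stamp.evtx"

# 1. Export the Security log off the box. A local admin can clear the local log,
#    but not a copy that has already left the machine.
wevtutil epl Security $Target
if ($LASTEXITCODE -ne 0) { throw "wevtutil export failed with exit code $LASTEXITCODE" }

# 2. Record a SHA-256 of the exported file in an index so later tampering with
#    the archive itself can be detected by re-hashing.
$Hash = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
Add-Content -Path (Join-Path $ArchiveShare 'archive-index.txt') `
            -Value "$Stamp`t$Computer`t$Target`t$Hash"

# 3. Look for "audit log was cleared" events since the last run (assumed daily).
#    The 1102 event names the account that cleared the log in its message text.
$Since   = (Get-Date).AddDays(-1)
$Cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } `
                        -ErrorAction SilentlyContinue
foreach ($e in $Cleared) {
    Write-Warning ("Security log cleared on {0} at {1}: {2}" -f $Computer, $e.TimeCreated, $e.Message)
}
```

Because the 1102 event is written to the freshly cleared log, it survives the wipe; the archived copies from before the wipe are what let you see what was removed.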