Recipe 8.6. Setting the Event Log Retention Policy

Problem

You want to set the retention policy for events.

Solution

Using a graphical user interface
Using a command-line interface

The following command sets the retention policy for events in a particular event log. Two special values you can set for <TimeInSeconds> are 0 to overwrite as needed and 4294967295 to never overwrite.

    > reg add \\<ServerName>\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName> /t REG_DWORD /v Retention /d <TimeInSeconds>

Using VBScript

    ' This code sets the number of days events are kept for an event log.
    ' ------ SCRIPT CONFIGURATION ------
    strLog = "<LogName>"        ' e.g., Application
    intDays = <NumDays>         ' e.g., 14 (number of days to keep events)
    strServer = "<ServerName>"  ' e.g., fs01 (use "." for local server)
    ' ------ END CONFIGURATION ---------

    ' Connect to WMI on the target server and look up the log by name.
    set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
    set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
                                   "Logfilename = '" & strLog & "'")

    ' Stop unless exactly one log matched.
    if colLogs.Count <> 1 then
       WScript.Echo "Fatal error. Number of logs found: " & colLogs.Count
       WScript.Quit
    end if

    ' Set the retention period in days and write the change back.
    for each objLog in colLogs
       objLog.OverwriteOutdated = intDays
       objLog.Put_
       WScript.Echo strLog & " retention set to " & intDays
    next

Discussion

There are three basic retention options for event logs:
In the case of the last two options, it is possible for events to not be written to the log because the event log reached its maximum size. With the last option, you need to have a process in place to clear the event log after you've archived the logs. If you do this, be sure to set the maximum size so there is ample space.
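
To audit the setting rather than change it, the following added example (not from the recipe) reads the Retention value under the same registry key for every log on the local machine and decodes it using the two special values given above. It assumes PowerShell; the function name Get-RetentionPolicy is hypothetical, and MaxSize is the Windows registry value that holds a log's maximum size in bytes, which the recipe does not name.

```powershell
# Added example, not from the recipe: report the retention policy of each event log.
# Assumption: any non-special Retention value is a number of seconds (<TimeInSeconds>).
$EventlogKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$NeverOverwrite = 4294967295   # special value from the recipe
$SecondsPerDay  = 86400

function Get-RetentionPolicy {   # hypothetical helper name
    param([Parameter(Mandatory)] $RawValue)

    # A REG_DWORD can surface as a signed Int32 (-1) or as an unsigned value,
    # so mask it to 32 bits before comparing with the special values.
    $seconds = [int64]$RawValue -band 4294967295

    if ($seconds -eq 0) {
        return [pscustomobject]@{ Policy = 'Overwrite as needed'; Days = $null; CanFill = $false }
    }
    if ($seconds -eq $NeverOverwrite) {
        return [pscustomobject]@{ Policy = 'Never overwrite'; Days = $null; CanFill = $true }
    }
    [pscustomobject]@{
        Policy  = 'Overwrite events older than N days'
        Days    = [math]::Round($seconds / $SecondsPerDay, 2)
        CanFill = $true   # new events are lost if the log fills before old ones expire
    }
}

Get-ChildItem -Path $EventlogKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Retention) {
        return   # key unreadable or no Retention value: skip this log
    }

    $policy    = Get-RetentionPolicy -RawValue $props.Retention
    $maxSizeKB = $null
    if ($null -ne $props.MaxSize) {
        $maxSizeKB = ([int64]$props.MaxSize -band 4294967295) / 1KB
    }

    [pscustomobject]@{
        Log       = $_.PSChildName
        Policy    = $policy.Policy
        Days      = $policy.Days
        MaxSizeKB = $maxSizeKB
        CanFill   = $policy.CanFill   # True: log can reach MaxSize and stop recording
    }
} | Sort-Object Log | Format-Table -AutoSize
```

Logs reported with CanFill set to True are the ones that need the archive-and-clear process and generous maximum size described above.
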
See Also

Recipe 8.7, Recipe 8.11, and MS KB 824245 (The size of the event log cannot be reduced by using Group Policy)