Recipe 8.6. Setting the Event Log Retention Policy

Problem

You want to set the retention policy for events.

Solution

Using a graphical user interface

  1. Open the Event Viewer (eventvwr.msc).

  2. In the left pane, right-click on the target event log and select Properties.

  3. You can select one of three options under When maximum log size is reached.

  4. Click OK.

Using a command-line interface

The following command sets the retention policy for events in a particular event log. Two special values you can set for <TimeInSeconds> are 0 to overwrite as needed and 4294967295 to never overwrite.

> reg add \\<ServerName>\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName> /t REG_DWORD /v Retention /d <TimeInSeconds>

Using VBScript
' This code sets the number of days events are kept for an event log.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"        ' e.g., Application
intDays = <NumDays>         ' e.g., 14   (number of days to keep events)
strServer = "<ServerName>"  ' e.g., fs01 (use "." for local server)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
                               "Logfilename = '" & strLog & "'")
if colLogs.Count <> 1 then
   WScript.Echo "Fatal error.  Number of logs found: " & colLogs.Count
   WScript.Quit
end if
for each objLog in colLogs
   objLog.OverwriteOutdated = intDays
   objLog.Put_
   WScript.Echo strLog & " retention set to " & intDays
next

Discussion

There are three basic retention options for event logs:


Overwrite events as needed

Once the maximum event log size is reached, the oldest events get overwritten with new events.


Overwrite events older than a certain number of days

Once the maximum event log size is reached, overwrite only those events that are older than the specified number of days. If there are no events older than the specified number of days, the new event won't be written.


Do not overwrite events

Once the maximum event log size is reached, no events are written.

In the case of the last two options, it is possible for events to not be written to the log because the event log reached its maximum size. With the last option, you need to have a process in place to clear the event log after you've archived the logs. If you do this, be sure to set the maximum size so there is ample space.
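To find the logs on a server that use one of the last two options, and can therefore stop recording events when full, the Retention value set by the reg command above can be read back and decoded. The following PowerShell is an added example, not code from the book: the function names and output columns are illustrative, it assumes an elevated local session, and it also reads the MaxSize value (in bytes) stored under the same key, which the recipe does not mention.

```powershell
# Added example (not from the book): read-only audit of event log retention.
# Function names and output property names are illustrative choices.
$EventLogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function ConvertFrom-RetentionValue {
    param([Parameter(Mandatory = $true)] $RawValue)

    # A REG_DWORD of 4294967295 may be returned as Int32 -1 or as UInt32,
    # depending on how it was read; normalise it to an unsigned 32-bit number.
    $seconds = [int64]$RawValue -band 4294967295

    if ($seconds -eq 0) {
        $policy = 'Overwrite events as needed'; $days = $null; $canDrop = $false
    }
    elseif ($seconds -eq 4294967295) {
        $policy = 'Do not overwrite events'; $days = $null; $canDrop = $true
    }
    else {
        # Any other value is a retention period in seconds.
        $policy = 'Overwrite events older than N days'
        $days = [math]::Round([double]$seconds / 86400, 2)
        $canDrop = $true
    }
    [pscustomobject]@{ Policy = $policy; Days = $days; CanDropWhenFull = $canDrop }
}

function Get-EventLogRetentionAudit {
    foreach ($key in Get-ChildItem -Path $EventLogRoot -ErrorAction SilentlyContinue) {
        $raw = $key.GetValue('Retention', $null)
        if ($null -eq $raw) { continue }      # no Retention value on this key

        $decoded = ConvertFrom-RetentionValue -RawValue $raw
        $maxRaw  = $key.GetValue('MaxSize', $null)
        $maxKB   = if ($null -ne $maxRaw) { ([int64]$maxRaw -band 4294967295) / 1KB }

        [pscustomobject]@{
            LogName         = $key.PSChildName
            Policy          = $decoded.Policy
            Days            = $decoded.Days
            MaxSizeKB       = $maxKB
            CanDropWhenFull = $decoded.CanDropWhenFull   # true for the last two options
        }
    }
}

Get-EventLogRetentionAudit | Sort-Object LogName | Format-Table -AutoSize
```

Logs reported with CanDropWhenFull set to True are the ones that need the archive-and-clear process described above.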

You can also set the retention policy of the application, system, and security logs via group policy. These settings can be found at the following location within a group policy object: Computer Configuration\Windows Settings\Security Settings\Event Log\.


If you are trying to decrease the maximum event log size using group policy, be sure to look at MS KB 824245.

See Also

Recipe 8.7, Recipe 8.11, and MS KB 824245 (The size of the event log cannot be reduced by using Group Policy)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
