Configuring Event Log Properties
Microsoft® Windows® 2000 Scripting Guide
« Previous | Next »
Depending on the role played by a computer, you might need to change the default event log settings for that computer. If the default settings remain unchanged for all the computers in an organization, a domain controller that records thousands of events each day will be configured exactly the same as a workstation that records only 15 or 20 events a day. As a result, the domain controller might fail to record a number of important events, either because its event logs fill up too quickly or because some events might be overwritten before they can be archived.
Event log properties have typically been configured by means of the Event Viewer, a graphical user utility that has two major limitations: Event Viewer can configure only one event log on a single computer at a time, and Event Viewer cannot automate the process of configuring event logs. Because manually configuring event logs on an individual basis can be very time-consuming, administrators often leave the default settings as-is, even if those settings are not optimal for the roles played by certain computers. In turn, this means important events might not be recorded, or might be overwritten before they can be archived.
WMI enables you to write scripts that can programmatically configure event log properties. Two of the most important properties are shown in Table 12.3.
Table 12.3 Event Log Properties Configurable with WMI
| Property | Description |
|---|---|
| MaxfileSize | Maximum allowable size (in bytes) for the event log. Log files must be sized in increments of 64 KB to prevent file fragmentation. Although you can specify any size for the log file, this will automatically be resized to the nearest multiple of 64 KB. For example, if you specify a file size of 2,200 KB, the actual size will turn out to be 2,240 KB (35 x 64 KB). |
| OverwriteOutdated | Number of days after which a record can be overwritten when an event log reaches its maximum size. Values are the following:
|
When you reconfigure an event log, the changes you make do not take effect until the event log has been cleared. If you want the reconfiguration to take effect immediately, create your script to first reconfigure and then to back up and clear the event log.
Scripting Steps
Listing 12.4 contains a script that configures the maximum size and the overwrite policy for all the event logs on a computer. To carry out this task, the script must perform the following steps:
- Create a constant named wbemFlagUseAmendedQualifiers and set the value to &h2000.
This constant is required when using the Put_ method to apply changes to an event log.
- Create a variable to specify the computer name.
- Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."
The Security privilege is included in the moniker so that the script can access all the event logs, including the Security event log.
- Use the ExecQuery method to query the Win32_NTEventLogFile class. This returns a collection consisting of all the event logs on the computer.
- Retrieve the name of the first event log in the connection.
- Set the maximum file size to 400 megabytes (approximately 4194304).
- Set the overwrite policy so that all records older than 14 days are overwritten.
- Use the Put_ method to write the changes to the event log. You must include the wbemFlagUseAmendedQualifiers flag, or the script will fail.
- Repeat the process with the next event log in the collection.
Listing 12.4 Configuring Event Log Properties
|
|
 Send us your feedback | « Previous | Next » |
EAN: N/A
Pages: 635