ProblemYou want to set the retention policy for events. This is necessary to prevent events from accumulating without bound and eventually filling up the hard disk. SolutionUsing a graphical user interface
Using the RegistryTo configure the maximum size of an event log, set the following Registry value: Key: HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName> Value Name: Retention Value Type: REG_DWORD Value Data: <TimeInSeconds> Replace <LogName> with the name of the event log you want to configure (e.g., Application) and <TimeinSeconds> with the number of seconds to keep events. Two special values you can set for <TimeInSeconds> are 0, to have events overwrite as needed, and 4294967295 (hexadecimal: ffffffff) to never overwrite events. Using Group PolicyYou can set the retention policy for the three default event logs using these Group Policy settings: \Computer Configuration\Windows Settings\Security Settings\Event Log\ Retain application log Retain security log Retain system log Retention method for application log Retention method for security log Retention method for system log Using VBScript' This code sets the number of days events are kept for an event log. ' ------ SCRIPT CONFIGURATION ------ strLog = "<LogName>" ' e.g. Application intDays = <NumDays> ' e.g. 14 (number of days to keep events) strComputer = "<ComputerName>" ' e.g. wks01 (use "." for local machine) ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _ "Logfilename = '" & strLog & "'") if colLogs.Count <> 1 then WScript.Echo "Fatal error. Number of logs found: " & colLogs.Count WScript.Quit end if for each objLog in colLogs objLog.OverwriteOutdated = intDays objLog.Put_ WScript.Echo strLog & " retention set to " & intDays next DiscussionThere are three basic retention options for event logs:
With the last two options, it is possible for events to not be written to the log because the event log reached its maximum size. In this case, you'd need to implement a process to archive and then clear the event log after a period. If you do this, be sure to set the maximum size so there is ample space. See AlsoRecipe 16.7 for clearing an event log, and Recipe 16.11 for archiving an event log |