Recipe 16.6. Setting the Event Log Retention Policy


Problem

You want to set the retention policy for events. This is necessary to prevent events from accumulating without bound and eventually filling up the hard disk.

Solution

Using a graphical user interface

  1. Open the Event Viewer (eventvwr.msc).

  2. In the left pane, right-click on the target event log and select Properties.

  3. You can select one of three options under When Maximum Log Size Is Reached.

  4. Click OK.

Using the Registry

To configure the retention period of an event log, set the following Registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>
Value Name: Retention
Value Type: REG_DWORD
Value Data: <TimeInSeconds>

Replace <LogName> with the name of the event log you want to configure (e.g., Application) and <TimeInSeconds> with the number of seconds to keep events. Two special values you can set for <TimeInSeconds> are 0, to have events overwrite as needed, and 4294967295 (hexadecimal: ffffffff), to never overwrite events.

Using Group Policy

You can set the retention policy for the three default event logs using these Group Policy settings:

\Computer Configuration\Windows Settings\Security Settings\Event Log\
    Retain application log
    Retain security log
    Retain system log
    Retention method for application log
    Retention method for security log
    Retention method for system log

Using VBScript

' This code sets the number of days events are kept for an event log.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"            ' e.g. Application
intDays = <NumDays>             ' e.g. 14   (number of days to keep events;
                                '            0 = overwrite as needed,
                                '            4294967295 = never overwrite)
strComputer = "<ComputerName>"  ' e.g. wks01 (use "." for local machine)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
                               "Logfilename = '" & strLog & "'")
if colLogs.Count <> 1 then
   WScript.Echo "Fatal error.  Number of logs found: " & colLogs.Count
   WScript.Quit
end if
for each objLog in colLogs
   ' OverwriteOutdated is expressed in days (the Registry Retention value is in seconds)
   objLog.OverwriteOutdated = intDays
   objLog.Put_
   WScript.Echo strLog & " retention set to " & intDays
next

Discussion

There are three basic retention options for event logs:


Overwrite events as needed

Once the maximum event log size is reached, the oldest events get overwritten with new events.


Overwrite events older than a certain number of days

Once the maximum event log size is reached, overwrite only those events that are older than the specified number of days. If no events are older than the specified number of days, the new event won't be written.


Do not overwrite events

Once the maximum event log size is reached, no events are written.

With the last two options, it is possible for events to not be written to the log because the event log reached its maximum size. In this case, you'd need to implement a process to archive and then clear the event log after a period. If you do this, be sure to set the maximum size so there is ample space.
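The following PowerShell script is an added example and is not from the Windows XP Cookbook. It uses the same WMI class as the recipe's VBScript (Win32_NTEventlogFile) to set the retention period, converts a day count to the Registry Retention value in seconds, and reports which logs are at risk of silently dropping events under the last two retention methods described above. The function names (Set-EventLogRetention, ConvertTo-RetentionSeconds, Get-EventLogRetentionReport) and the 90% fill threshold are this example's own choices; it assumes PowerShell with WMI access and administrative rights on the target machine.

```powershell
# Added example (not part of the original recipe): manage event log retention
# via Win32_NTEventlogFile and audit logs that may be dropping events.

function ConvertTo-RetentionSeconds {
    param([Parameter(Mandatory)][uint32]$Days)
    # The Registry Retention value (REG_DWORD) holds the same setting in seconds.
    # 0 (overwrite as needed) and 0xFFFFFFFF (never overwrite) pass through unchanged.
    if ($Days -eq 0 -or $Days -eq [uint32]::MaxValue) { return $Days }
    return [uint32]($Days * 86400)
}

function Set-EventLogRetention {
    param(
        [Parameter(Mandatory)][string]$LogName,   # e.g. Application, Security, System
        [Parameter(Mandatory)][uint32]$Days,      # 0 = as needed, 4294967295 = never overwrite
        [string]$ComputerName = '.'               # "." = local machine
    )
    $log = Get-WmiObject -ComputerName $ComputerName -Class Win32_NTEventlogFile `
        -Filter "LogfileName='$LogName'"
    if (-not $log) { throw "Event log '$LogName' not found on $ComputerName" }

    # OverwriteOutdated is in days, matching the recipe's VBScript.
    $log.OverwriteOutdated = $Days
    [void]$log.Put()
    $log.Get()   # re-read so the derived OverwritePolicy reflects the new setting

    Write-Host ("{0}: OverwritePolicy={1}, OverwriteOutdated={2} days, Registry Retention={3} s" -f `
        $LogName, $log.OverwritePolicy, $log.OverwriteOutdated, (ConvertTo-RetentionSeconds $Days))
    return $log.OverwritePolicy   # "WhenNeeded", "OutDated" or "Never"
}

function Get-EventLogRetentionReport {
    param([string]$ComputerName = '.')
    # Flags logs where new events may not be written: only "WhenNeeded" keeps
    # writing once the log is full; "OutDated" and "Never" can stop (see Discussion).
    Get-WmiObject -ComputerName $ComputerName -Class Win32_NTEventlogFile |
        Select-Object LogfileName, OverwritePolicy, OverwriteOutdated, NumberOfRecords,
            @{ n = 'MaxKB';  e = { [int]($_.MaxFileSize / 1KB) } },
            @{ n = 'UsedKB'; e = { [int]($_.FileSize / 1KB) } },
            @{ n = 'PercentFull'; e = {
                if ($_.MaxFileSize -gt 0) { [int](100 * $_.FileSize / $_.MaxFileSize) } else { 0 } } },
            @{ n = 'AtRiskOfDroppingEvents'; e = {
                ($_.OverwritePolicy -ne 'WhenNeeded') -and
                ($_.MaxFileSize -gt 0) -and
                ($_.FileSize -ge ($_.MaxFileSize * 0.9)) } }   # 90% threshold is this example's choice
}

# Usage: keep Application events for 14 days, then audit every log on this machine.
Set-EventLogRetention -LogName Application -Days 14
Get-EventLogRetentionReport | Format-Table -AutoSize
```

Run the report on a schedule alongside the archive-and-clear process the Discussion recommends: any log showing AtRiskOfDroppingEvents as True under the "Never" or "OutDated" policy is a logging gap that an attacker's activity could fall into, so either archive and clear it or raise its maximum size.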

See Also

Recipe 16.7 for clearing an event log, and Recipe 16.11 for archiving an event log

Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
Year: 2006
Pages: 408