Go Up
You are here: DeploymentConfigure IT InfrastructureWindows ServerConfigure Event Log Size and Retention Settings

Adjusting Event Log Size and Retention Settings

Consider that if the event log size is insufficient, overwrites may occur before data is written to the Long-Term Archive and the Audit Database, and some audit data may be lost.

To prevent overwrites, you can increase the maximum size of the event logs and set retention method for these logs to “Overwrite events as needed”. This refers to the following event logs:

  • Application
  • Security
  • System
  • Microsoft-Windows-TaskScheduler/Operational
  • Microsoft-Windows-DNS-Server/Audit (only for DCs running Windows Server 2012 R2 and above)

NOTE: To read about event log settings recommended by Microsoft, refer to this article.

The procedure below provides a possible way to specify the event log settings manually. However, if you have multiple target computers, consider configuring these settings via Group Policy as also described in this section

Manually

To configure the event log size and retention method

  1. On a target server, navigate to Start Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) Event Viewer.
  2. Navigate to Event Viewer tree Windows Logs, right-click Security and select Properties.

  3. Make sure Enable logging is selected.

  4. In the Maximum log size field, specify the size—4GB.
  5. Make sure Do not overwrite events (Clear logs manually) is cleared. If selected, change the retention method to Overwrite events as needed (oldest events first).

NOTE: Make sure the Maximum security log size group policy does not overwrite your log settings. To check this, start the Group Policy Management console, proceed to the GPO that affects your server, and navigate to Computer Configuration Policies Windows Settings Security Settings Event Log.

  1. Repeat these steps for the following event logs:

    • Windows Logs Application
    • Windows Logs System
    • Applications and Services Logs Microsoft Windows TaskScheduler Operational Microsoft-Windows-TaskScheduler/Operational

      NOTE: Configure setting for TaskScheduler/Operational log only if you want to monitor scheduled tasks.

    • Applications and Services Logs Microsoft Windows DNS-Server Audit

      NOTE: Configure setting for DNS log only if you want to monitor DNS changes. The log is available on Windows Server 2012 R2 and above and is not enabled by default. See Microsoft documentation for more information on how to enable this log.

Using Group Policy

Personnel with administrative rights can use Group Policy Objects to apply configuration settings to multiple servers in bulk.

To configure settings for Application, System and Security event logs

  1. Open the Group Policy Management Editor on the domain controller, browse to Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsEvent Log Service.
  2. Select the log you need.
  3. Edit Specify the maximum log file size setting - its value is usually set to 4194240 KB.
  4. Specify retention settings for the log – usually Overwrite as needed.

To configure settings for other logs

  1. Open the registry editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log_name>. For example: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
  2. Set the MaxSize to the required decimal value (in bytes).

You can configure Group Policy Preferences to push registry changes to the target domain computers. For the example above (Directory Service Log), do the following:

  1. In Group Policy Management Console on the domain controller browse to ComputerPreferencesWindows SettingsRegistry.
  2. Right-click Registry and select NewRegistry Item.
  3. In the Properties window on the General tab select:
    • ActionCreate
    • HiveHKEY_LOCAL_MACHINE
    • Key Path – browse to MaxSize value at SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
  4. Change the MaxSize REG_DWORD to the required decimal value (in bytes).
  5. Save the preferences and link them to the necessary servers (OUs).

When finished, run the gpupdate /force command to force group policy update.

Go Up