Windows Event Viewer logs store useful information that is necessary for analyzing the status of services and applications in Windows, troubleshooting errors, and accounting for security incidents. By default, the sizes of Event Viewer logs in Windows are limited and when the file sizes are exceeded, new events start overwriting the old ones. If too many events are sent to the Event Viewer, only the last few hours of events may be logged, which may not be sufficient for efficient monitoring and log analysis.
To prevent old events from being overwritten, and to ensure that you always have events for a sufficient period of time, you can increase the maximum size of the event viewer log.
How to set Windows Event Log size with PowerShell?
Windows event log files are stored
%SystemRoot%\System32\Winevt\Logs\ as directory .evtx files. Note that there is a separate file for each log. So you can only manage the maximum size of the Windows log you need and leave the default settings for the others.
You can use PowerShell to view the current limits for all enabled Event Viewer logs on Windows:
You can use the Get-WinEvent cmdlet to obtain the size of a specific event log file. For example, here’s how you can get the current and maximum size of the security log file:
Get-WinEvent -ListLog Security| Select MaximumSizeInBytes, FileSize, IsLogFull, OldestRecordNumber, IsEnabled, LogMode
To increase the max size of the log, you can use
wevtutul Command line tool (new size is set in KB):
wevtutil sl "Application" /ms:200000
Or you can use PowerShell to set a new maximum application log file size:
Limit-Eventlog -Logname Application -MaximumSize 200MB -OverflowAction OverwriteOlder
Adjusting the Event Log File Size from the Event Viewer Console
The easiest way to increase the maximum log size is directly from the Event Viewer console.
- Open the Event Viewer MMC snap-in (
- Select the required log (for example, Security) and open its properties;
- set a new limit under Max Log Size (KB) and save changes;
- You can also select the action to be taken when the maximum log file size is reached:
Overwrite events as needed (oldest events first) – This mode is used by default and means that new events overwrite old ones.
store the log on completion, don’t overwrite the event – is stored in the current event log
\System32\Winevt\Logs\When the folder is full, new events are written to a new EVTX file. You can access archived event files through the Saved Logs menu in Event Viewer.
Do not overwrite events (manually clear the log) – Enable this option to prevent your old events from being overwritten. Note that the log must be manually cleared for new events to be written.
Increase the size of Windows Event Log files using GPO
You can use Group Policies to centrally manage the size of event log files on computers or servers in an Active Directory domain.
- Run the Group Policy Management snap-in (
gpmc.msc), create a new GPO, and link it to the organizational units with the computers or servers for which you want to change the Event Viewer setting (you can also link the GPO to the domain root);
- Navigate to the following GPO section computer configuration , policies , Administrative Templates , windows componentNT -> event log service, This directory contains nodes for managing basic Windows logs:
Application Security Setup System
- To increase the maximum log size, select Specify maximum log file size (KB) option, enable it and set the required size,
- Update the Group Policy settings on the client and check that the new maximum log file is now specified in the Log Properties and you cannot change it. If you try to set a different size, an error will appear:
Event Viewer The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 61440 KB
Note that the GPO section described above does not have options for other event logs. Applications and Services Log -> Microsoft, If you need to increase the size of any other event log (besides the standard one), you can do it through the registry. Windows Event Log Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
In this example, we’re going to increase the size of directory service Log on to the domain controllers. The settings of this log are stored in the following registry key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service.
- Open GPO and go computer configuration , Like , windows settings , registry;
- choose New , registry item,
- Create a new registry parameter with the following settings:
Hive: HKEY_LOCAL_MACHINE Key path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service Value name: MaxSize Value type: REG_DWORD Value data: 52428800 (the maximum file size is given in bytes. In our example it is 50 MB.)
- Check that there is a maximum log size after updating the GPO on the DC.
By increasing the size of the Windows Event Log, you can get more information over a longer period of time. For example, you can use the event log to retrieve Windows reboot history, find out who deleted a file from a shared network folder, or who changed NTFS permissions.
Leave a Comment