8.6. Setting the Event Log Retention Policy

Problem

You want to set the retention policy for events.

Solution

Using a graphical user interface

  1. Open the Event Viewer (eventvwr.msc).

  2. In the left pane, right-click on the target event log and select Properties.

  3. You can select one of three options under When maximum log size is reached.

  4. Click OK.

Using a command-line interface

The following command sets the retention policy for events in a particular event log. Two special values you can set for <TimeInSeconds> are 0 to overwrite as needed and 4294967295 to never overwrite.

> reg add \\<ServerName>\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName> /t REG_DWORD /v Retention /d <TimeInSeconds>
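
To confirm what the command above actually stored, the following added example (PowerShell, not code from the book) reads the Retention value of every log under the same registry key and decodes it with the semantics described above. The function names ConvertTo-RetentionPolicy and Get-EventLogRetention are hypothetical, and the remote case assumes the Remote Registry service is reachable on the target.

```powershell
# Added example: report the Retention policy of every event log on a machine.
# Semantics from the recipe: the value is in seconds; 0 = overwrite as needed;
# 4294967295 (0xFFFFFFFF) = never overwrite.
function ConvertTo-RetentionPolicy {
    param([Parameter(Mandatory)][int]$RawValue)
    # .NET returns a REG_DWORD as a signed Int32, so 0xFFFFFFFF arrives as -1.
    # Reinterpret the same four bytes as unsigned before comparing.
    $seconds = [BitConverter]::ToUInt32([BitConverter]::GetBytes($RawValue), 0)
    if ($seconds -eq 0) {
        'Overwrite as needed'
    } elseif ($seconds -eq [uint32]::MaxValue) {
        'Never overwrite'
    } else {
        'Overwrite events older than {0:N1} days' -f ($seconds / 86400)
    }
}

function Get-EventLogRetention {
    param([string]$ComputerName)   # empty = local machine
    $base = if ($ComputerName) {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } else {
        [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')
    }
    try {
        $root = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\Eventlog')
        foreach ($name in $root.GetSubKeyNames()) {
            try {
                $key = $root.OpenSubKey($name)
                $raw = $key.GetValue('Retention', $null)
                $key.Close()
                if ($raw -is [int]) {
                    $policy = ConvertTo-RetentionPolicy -RawValue $raw
                } else {
                    $policy = 'Retention value not set'
                }
            } catch {
                # Some log keys (for example Security) need an elevated session.
                $policy = 'Unreadable (access denied?)'
            }
            [pscustomobject]@{ Log = $name; Retention = $policy }
        }
    } finally {
        $base.Close()
    }
}

Get-EventLogRetention | Format-Table -AutoSize
```

Pass -ComputerName to check a remote server. A log that unexpectedly reports "Overwrite as needed" or a short retention period is worth reviewing against your audit requirements.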

Using VBScript

' This code sets the number of days events are kept for an event log.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"        ' e.g., Application
intDays = <NumDays>         ' e.g., 14   (number of days to keep events)
strServer = "<ServerName>"  ' e.g., fs01 (use "." for local server)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
                               "Logfilename = '" & strLog & "'")
if colLogs.Count <> 1 then
   WScript.Echo "Fatal error.  Number of logs found: " & colLogs.Count
   WScript.Quit
end if
for each objLog in colLogs
   objLog.OverwriteOutdated = intDays
   objLog.Put_
   WScript.Echo strLog & " retention set to " & intDays
next

Discussion

There are three basic retention options for ...
