If you ever wondered how to set up a custom Event Viewer log size through Group Policy, and all Google or Bing told you was this:

image

located at:

  • “Computer Configuration”.
  • “Policies”.
  • “Windows Settings”.
  • “Security Settings”.
  • “Event Log”.

OR this:

image

Located at:

  • “Computer Configuration”.
  • “Policies”.
  • “Administrative Templates”.
  • “Windows Components”.
  • “Event Log Service”.

Welcome to the bandwagon 🙂

 

The above Event Viewer Group Policies allow you to set up (among other options) the size of the Windows Event Viewer “Application”, “Security” and “System” logs (the “Event Log Service” template also covers “Setup”), and nothing else.

  • What if you want to specify a custom log size for the “other” Event Viewer logs?

That becomes useful, if not essential, once you spread your Windows Server roles across multiple Domain Controllers and Member Servers: every role brings its own log, and a log left at its default size silently overwrites the older events you will want during an investigation.

If you have additional roles, you’ll notice your Event Viewer sports additional entries.

Here’s an example (taken from a Domain Controller):

image

If you run eventvwr.exe on your DC, you'll find those additional logs under “Applications and Services Logs”.

  • “Directory Service”, for example, logs all the Active Directory service-related activity.

You'll also notice there's no built-in Group Policy way to set the size of those extra logs on all your servers in one shot.

Worry no more: here comes a solution (actually two)!

There are two ways to configure Custom Event Log size via Group Policies:

  1. Download my custom EventLogs Group Policy ADMX/ADML Templates, load them into your GPMC & customise to your liking.
  2. Customise some registry values to your liking, then push those changes through Group Policy “Registry” Preferences.

1. Andrea’s custom EventLogs Group Policy ADMX/ADML Templates.

My EventLogs Group Policy ADMX/ADML Templates allow you to customise the Maximum Event Log Size of the following Windows Event Logs:

  • Active Directory.
  • DFS Replication.
  • DNS Server.
  • File Replication Service.
  • Forwarded Events.
  • Hardware Events.
  • Windows PowerShell.

To use my custom EventLogs Group Policy ADMX/ADML Templates, click on the following link:

Andrea’s custom EventLogs Group Policy ADMX/ADML Templates.

(As an alternative, head to the “Downloads”-Section and fetch from there).

  • Once you have the (tiny) package, locate and open your Group Policy templates store.

Your templates store is either the local one on your workstation (%SystemRoot%\PolicyDefinitions) or the domain “Central Store” (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions; perhaps explained in another article). If a Central Store exists, the Group Policy editor reads templates from there and ignores the local folder, so that is where the files must go.

  • Extract “EventLogs.ADMX” into the “PolicyDefinitions” folder (i.e. where your other Administrative Templates are located).
  • Extract “en-US\EventLogs.ADML” into the matching language sub-folder (“en-US”, which should already exist alongside the other Administrative Templates).

Now:

  1. Fire up gpmc.msc.
  2. Create a new GPO and link it to the target OU (say, your Domain Controllers OU).
  3. Customise your Active Directory, DFS Replication, DNS Server, File Replication Service, Forwarded Events, Hardware Events & Windows PowerShell event log sizes!

 

image

You’ll find the new templates at:

  • “Computer Configuration”.
  • “Policies”.
  • “Administrative Templates”.
  • “System” (the 1st entry).
  • “Event Log”.

Select, for example, “Active Directory” to customise the “Directory Service” event log size and/or retention options.

Please note: the policy icons show a “down arrow” because these settings write to registry keys outside the designated policy branches (HKLM\Software\Policies and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies). Group Policy treats such settings as “preferences”: they are applied, but they tattoo the registry, i.e. the value stays behind when the GPO is unlinked or the setting is flipped back to “Not Configured”.

In practice the policies work fine and are safe to use; just remember that to revert a log size you must explicitly set the old value rather than simply remove the setting.

But don’t just take my word for that – feel free to open, modify, contribute, improve, extend & (that’s a must!) share my EventLogs ADMX/ADML Templates!
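For anyone who wants to build (or extend) such a template rather than download one, here is an added example that is not the post's own EventLogs.ADMX: a PowerShell script that generates a minimal ADMX/ADML pair exposing one “maximum log size” setting per log, and drops it into the Central Store. The namespace, category, file names, the Central Store path derived from $env:USERDNSDOMAIN and the list of logs are assumptions; the registry key it targets is the one the post describes.

```powershell
# Added example (not the post's EventLogs.ADMX): generate a minimal ADMX/ADML pair.
# Assumptions: Central Store path, namespace/category/file names, and the log list.
param(
    [string]$PolicyDefinitions = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
    [string]$Language = 'en-US',
    # Event Viewer log names; each is a subkey of HKLM\SYSTEM\CurrentControlSet\Services\EventLog
    [string[]]$LogName = @('Directory Service', 'DFS Replication', 'DNS Server',
                           'File Replication Service', 'Windows PowerShell')
)

$ns       = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions'
$policies = New-Object System.Text.StringBuilder
$strings  = New-Object System.Text.StringBuilder
$presos   = New-Object System.Text.StringBuilder

foreach ($log in $LogName) {
    $id = $log -replace '[^A-Za-z0-9]', ''      # ADMX names must be plain identifiers
    # key= points outside Software\Policies, so GPMC shows the setting with a down-arrow
    # icon and the value tattoos (stays behind) once the GPO no longer applies.
    [void]$policies.AppendLine(@"
    <policy name="${id}_MaxSize" class="Machine" displayName="`$(string.${id})"
            explainText="`$(string.${id}_Help)" presentation="`$(presentation.${id})"
            key="SYSTEM\CurrentControlSet\Services\EventLog\$log">
      <parentCategory ref="EventLogSizes" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <elements>
        <decimal id="${id}_Value" valueName="MaxSize" minValue="1048576" maxValue="4294967295" />
      </elements>
    </policy>
"@)
    [void]$strings.AppendLine("      <string id=`"${id}`">${log}: maximum log size</string>")
    [void]$strings.AppendLine("      <string id=`"${id}_Help`">Sets MaxSize (bytes) for the $log event log. Use a multiple of 65536, at least 1048576.</string>")
    [void]$presos.AppendLine(@"
      <presentation id="${id}">
        <decimalTextBox refId="${id}_Value" defaultValue="20971520">Maximum log size (bytes):</decimalTextBox>
      </presentation>
"@)
}

$admx = @"
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0" xmlns="$ns">
  <policyNamespaces>
    <target prefix="eventlogsizes" namespace="Custom.Policies.EventLogSizes" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="EventLogSizes" displayName="`$(string.EventLogSizes)">
      <parentCategory ref="windows:System" />
    </category>
  </categories>
  <policies>
$($policies.ToString())  </policies>
</policyDefinitions>
"@

$adml = @"
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns="$ns">
  <displayName>Custom event log sizes</displayName>
  <description>Maximum size of per-role event logs (example template)</description>
  <resources>
    <stringTable>
      <string id="EventLogSizes">Event Log (custom sizes)</string>
$($strings.ToString())    </stringTable>
    <presentationTable>
$($presos.ToString())    </presentationTable>
  </resources>
</policyDefinitionResources>
"@

# Both files must be well-formed XML or the Group Policy editor refuses to load them
[xml]$admx | Out-Null
[xml]$adml | Out-Null

$langDir = Join-Path $PolicyDefinitions $Language
New-Item -ItemType Directory -Path $langDir -Force | Out-Null
$utf8 = New-Object System.Text.UTF8Encoding $true     # with BOM, like Microsoft's own templates
[IO.File]::WriteAllText((Join-Path $PolicyDefinitions 'EventLogSizes.admx'), $admx, $utf8)
[IO.File]::WriteAllText((Join-Path $langDir 'EventLogSizes.adml'), $adml, $utf8)
"Written to $PolicyDefinitions; reopen gpmc.msc and look under System > Event Log (custom sizes)."
```

Run it from a domain-joined admin workstation; after a fresh gpmc.msc launch the new category appears next to the post's own templates, and because the key sits under SYSTEM\CurrentControlSet the settings carry the same down-arrow and tattooing behaviour described above.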

Building on giants’ shoulders.

I originally obtained an ADM template to customise the Event Logs Size from the thegpoguy.com website (http://gpoguy.com/free-tools/free-tools-library/ad-dns-frs-dfs-rforwarded-events-hardware-events-event-log-settings-adm-template/).

Then I converted the ADM template to the new XML-based ADMX/ADML format (with the Full Armor software).

After the conversion, I manually added the Windows PowerShell Event Logs & adjusted some values I noticed were not working for Windows 2012/R2.

After testing the templates on my Windows Server 2012 domain (now upgraded to 2012 R2), I thought I would release them in the open, in the hope that anyone can modify/improve them (I have not much time left ATM; they're just “good enough” for me!).

 

2. Homebrew your own registry values, then push them through Group Policy “Registry” Preferences.

If you have no time to contribute to the ADMX/ADML policies, you can just customise the related values directly in the Windows Registry.

Open regedit and go to (substituting the name of the log you want to resize):

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service

Every classic log (Application, System, Directory Service, DNS Server, DFS Replication, File Replication Service, Windows PowerShell, ...) has its own subkey there, and the MaxSize REG_DWORD in it holds the maximum size in bytes. The newer “Applications and Services Logs” channels (for example Microsoft-Windows-PowerShell/Operational) keep their MaxSize under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel name> instead, so check which kind of log you are dealing with before building the preference item.

image

 

 

To push registry changes, you can use Group Policy Preferences (GPPs).

For example, open gpmc.msc, edit the GPO and browse to Computer Configuration -> Preferences -> Windows Settings -> Registry (as follows):

image

  • You can now create a new GPP by right-clicking, then New -> Registry Item.

 

New Registry Item Properties window:

image

  • Set Action to “Update”, point the item at the key above, and set the MaxSize REG_DWORD to a decimal value (in bytes) of your liking. Keep it a multiple of 65536 (64 KB) and at least 1048576 (1 MB): the Event Log service rounds to 64 KB anyway and rejects anything smaller than 1 MB (see the wevtutil help in the bonus tip). Like the ADMX route, a GPP registry item leaves the value behind when the GPO stops applying unless you tick “Remove this item when it is no longer applied” on the Common tab.

 

Once you link the GPO holding the registry items to the right OUs (such as your Domain Controllers), you can shrink or enlarge your event logs at will. Verify on a target after gpupdate /force: wevtutil gl “Directory Service” reports the maxSize the service is actually enforcing, which is the number that matters, not the registry value alone.
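Before creating the preference items it helps to know, per log, which key a GPP “Registry Item” must target and whether anything is already stored there. The following is an added example (not from the original post) that lists that for every log on the local server and compares the stored MaxSize with the size the Event Log service is enforcing; the only assumption is that you run it elevated on the box you are planning the GPP for.

```powershell
# Added example (not from the original post): map each event log to the registry key
# a GPP Registry Item must target, and compare stored vs. enforced MaxSize. Run elevated.
function Get-EventLogRegistryInfo {
    [CmdletBinding()]
    param([string[]]$LogName = '*')

    foreach ($log in (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        if ($log.IsClassicLog) {
            # Classic logs: Application, System, Directory Service, DNS Server, ...
            $subKey = "SYSTEM\CurrentControlSet\Services\EventLog\$($log.LogName)"
        } else {
            # Modern channels: the '/' in the name is a literal part of the key name,
            # so open it through .NET rather than an HKLM:\ provider path.
            $subKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$($log.LogName)"
        }
        $key    = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
        $stored = if ($key) { $key.GetValue('MaxSize') } else { $null }   # $null = default, nothing set
        if ($key) { $key.Close() }

        [pscustomobject]@{
            LogName     = $log.LogName
            Classic     = $log.IsClassicLog
            Hive        = 'HKEY_LOCAL_MACHINE'          # GPP item: Hive
            KeyPath     = $subKey                        # GPP item: Key Path
            StoredBytes = $stored                        # what the registry says
            ActiveBytes = $log.MaximumSizeInBytes        # what the service enforces
            Mode        = $log.LogMode                   # Circular = overwrite oldest
        }
    }
}

# Value to put in the GPP item: whole 64 KB blocks, never below 1 MB
function ConvertTo-EventLogSize {
    param([Parameter(Mandatory)][int64]$Bytes)
    [int64][math]::Max([math]::Ceiling($Bytes / 64KB) * 64KB, 1MB)
}

# Usage: a "100 MB-ish" request becomes the next 64 KB multiple, and the three
# logs below show one classic key path and one WINEVT channel path side by side.
ConvertTo-EventLogSize -Bytes 100000000
Get-EventLogRegistryInfo -LogName 'Directory Service', 'DNS Server', 'Microsoft-Windows-PowerShell/Operational' |
    Format-Table LogName, Classic, StoredBytes, ActiveBytes, KeyPath -AutoSize
```

A log whose StoredBytes is empty but whose ActiveBytes differs from the default has been resized some other way (wevtutil, a previous GPO, a product installer), which is exactly the case where a GPP with Action “Update” quietly wins and where “Remove this item when it is no longer applied” matters.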

 

 

[BONUS TIP No.1]: Set Event Viewer options via the command line.

Run (in an elevated CMD):

wevtutil sl -?

The above command lists all the options that let you edit a log's settings from the command line (especially useful when scripting). Note the two constraints it spells out: the minimum size is 1048576 bytes and values are rounded to a multiple of 64 KB.

Full wevtutil command output below:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>wevtutil sl -?

Modify the configuration of a log.

Usage:

wevtutil { sl | set-log } <LOGNAME> [/OPTION:VALUE [/OPTION:VALUE] ...]

<LOGNAME>
String that uniquely identifies a log. If option /c is specified, <LOGNAME>
should not be specified since it is read from the config file.

Options:

You can use either the short (for example, /e) or long (for example, /enable)
version of the option names. Options and their values are not case-sensitive.

/{e | enabled}:[true|false]
Enable or disable a log.

/{q | quiet}:[true|false]
Quiet display option. No prompts or messages are displayed to the user. If not
specified, the default is true.

/{fm | filemax}:<n>
Set maximum number of enablements across which to preserve events, where <n> is
an integer between 1 and 16. One file is created for each enablement, so if this
value is 2, events will be produced from the last two enablements. A reboot
counts as disabling and then re-enabling the channel.

/{i | isolation}:[system|application|custom]
Log isolation mode. The isolation mode of a log determines whether a log shares
a session with other logs in the same isolation class. If you specify system
isolation, the target log will share at least write permissions with the System
log. If you specify application isolation, the target log will share at least
write permissions with the Application log. If you specify custom isolation, you
must also provide a security descriptor by using the /ca option.

/{lfn | logfilename}:VALUE
Log file name. VALUE is the full path to the file where the Event Log service
stores events for this log.

/{rt | retention}:[true|false]
Log retention mode. The log retention mode determines the behavior of the Event
Log service when a log reaches its maximum size. If an event log reaches its
maximum size and the log retention mode is true, existing events are retained and
incoming events are discarded. If the log retention mode is false, incoming
events overwrite the oldest events in the log.

/{ab | autobackup}:[true|false]
Log autobackup policy. If autobackup is true, the log will be backed up
automatically when it reaches the maximum size. In addition, if autobackup is
true, retention (specified with the /rt option) must be set to true.

/{ms | maxsize}:<n>
Maximum size of log, where <n> is the number of bytes. Note that the minimum
value for <n> is 1048576 (1024KB) and log files are always multiples of 64KB, so
the specified value will be rounded accordingly.

/{l | level}:<n>
Level filter of log, where <n> is any valid level value. Only applicable to logs
with a dedicated session. You can remove a level filter by setting <n> to 0.

/{k | keywords}:VALUE
Keywords filter of log. VALUE can be any valid 64 bit keyword mask. Only
applicable to logs with a dedicated session.

/{ca | channelaccess}:VALUE
Access permission for an event log. VALUE is a security descriptor specified
using the Security Descriptor Definition Language (SDDL). Search MSDN
(http://msdn.microsoft.com) for information about SDDL format.

/{c | config}:VALUE
Path to the config file, where VALUE is the full file path. If specified, log
properties will be read from this config file. If this option is specified, you
must not specify the <LOGNAME> command line parameter. The log name will be read
from the config file.

Example:

The following example sets retention, autobackup and maximum log size on the
Application log by using a config file. Note that the config file is an XML file
with the same format as the output of wevtutil gl /f:xml.

C:\config.xml
<?xml version="1.0" encoding="UTF-8"?>
<channel name="Application" isolation="Application"
    xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <logging>
    <retention>true</retention>
    <autoBackup>true</autoBackup>
    <maxSize>9000000</maxSize>
  </logging>
  <publishing>
  </publishing>
</channel>

wevtutil sl /c:config.xml
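The config-file form shown at the end of that help text is the one to use when scripting, because a single XML file carries size, retention and autobackup together. The script below is an added example (not from the original post) that generates such a file for each log in a list, enforces the rule the help states (autobackup needs retention), applies it with wevtutil sl /c:, and reads the result back with wevtutil gl /f:xml. It assumes wevtutil.exe is on the PATH (it ships in System32) and that it runs elevated.

```powershell
# Added example (not from the original post): drive "wevtutil sl /c:<file>" for a list
# of logs and verify with "wevtutil gl <log> /f:xml". Assumes wevtutil.exe on PATH; run elevated.
function Set-EventLogConfigViaWevtutil {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [Parameter(Mandatory)][int64]$MaxSize,   # bytes; minimum 1048576, rounded up to 64 KB
        [bool]$Retention  = $false,              # true = keep old events, drop new ones when full
        [bool]$AutoBackup = $false               # true = archive the file when full (needs Retention)
    )
    # wevtutil rejects autobackup=true with retention=false; fail early with a clear message
    if ($AutoBackup -and -not $Retention) { throw 'autobackup=true requires retention=true (wevtutil sl /ab)' }
    $size = [int64][math]::Max([math]::Ceiling($MaxSize / 64KB) * 64KB, 1MB)

    foreach ($name in $LogName) {
        # Current settings, in the same XML shape the config file uses
        $raw = (wevtutil gl $name /f:xml) -join "`n"
        if ($LASTEXITCODE -ne 0 -or -not $raw) { Write-Error "wevtutil gl failed for '$name'"; continue }
        $isolation = ([xml]$raw).channel.isolation

        $config = @"
<?xml version="1.0" encoding="UTF-8"?>
<channel name="$([Security.SecurityElement]::Escape($name))" isolation="$isolation"
    xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <logging>
    <retention>$($Retention.ToString().ToLower())</retention>
    <autoBackup>$($AutoBackup.ToString().ToLower())</autoBackup>
    <maxSize>$size</maxSize>
  </logging>
  <publishing>
  </publishing>
</channel>
"@
        $path = Join-Path $env:TEMP ('wevtutil-{0}.xml' -f ($name -replace '[\\/:]', '_'))
        [IO.File]::WriteAllText($path, $config, (New-Object System.Text.UTF8Encoding $false))

        wevtutil sl /c:"$path"
        if ($LASTEXITCODE -ne 0) { Write-Error "wevtutil sl failed for '$name'"; continue }

        # Trust what the service reports, not the exit code
        $after = [xml]((wevtutil gl $name /f:xml) -join "`n")
        [pscustomobject]@{
            LogName    = $name
            MaxSize    = [int64]$after.channel.logging.maxSize
            Retention  = $after.channel.logging.retention
            AutoBackup = $after.channel.logging.autoBackup
        }
        Remove-Item $path -ErrorAction SilentlyContinue
    }
}

# Usage: 64 MB for the three AD-role logs, keeping the default overwrite-oldest behaviour
Set-EventLogConfigViaWevtutil -LogName 'Directory Service', 'DNS Server', 'DFS Replication' -MaxSize 64MB
```

Because the function asks for the current isolation value first, it never changes a log's isolation class as a side effect of resizing it; and the value it prints is the size wevtutil reports afterwards, which will differ from what you asked for whenever the request was not a 64 KB multiple.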

 

[BONUS TIP No.2]: Set Event Viewer options via PowerShell.

To set the size of a classic event log, in PowerShell as Admin:

Limit-EventLog -LogName System -MaximumSize 8MB

As the help below says, Limit-EventLog works on classic logs only (the ones registered under Services\EventLog, such as Application, System or Directory Service) and -MaximumSize must be a multiple of 64 KB. For the newer “Applications and Services Logs” channels use wevtutil, or the .NET System.Diagnostics.Eventing.Reader.EventLogConfiguration class that Get-WinEvent -ListLog returns.

 

Full command output:

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

[amatesi@AMX6] C:\WINDOWS\system32->Limit-EventLog -?

NAME
    Limit-EventLog

SYNOPSIS
    Sets the event log properties that limit the size of the event log and the age of its entries.

SYNTAX
    Limit-EventLog [-LogName] <String[]> [-ComputerName <String[]>] [-InformationAction {SilentlyContinue | Stop |
    Continue | Inquire | Ignore | Suspend}] [-InformationVariable <String>] [-MaximumSize <Int64>]
    [-OverflowAction {OverwriteAsNeeded | OverwriteOlder | DoNotOverwrite}] [-RetentionDays <Int32>] [-Confirm]
    [-WhatIf] [<CommonParameters>]

DESCRIPTION
    The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and
    what happens when the log reaches its maximum size. You can use it to limit the event logs on local or remote
    computers.

    The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events
    from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use
    Get-WinEvent.

RELATED LINKS
    Online Version: http://go.microsoft.com/fwlink/p/?linkid=290509
    Clear-EventLog
    Get-EventLog
    Limit-EventLog
    New-EventLog
    Remove-EventLog
    Show-EventLog
    Write-EventLog

REMARKS
    To see the examples, type: "get-help Limit-EventLog -examples".
    For more information, type: "get-help Limit-EventLog -detailed".
    For technical information, type: "get-help Limit-EventLog -full".
    For online help, type: "get-help Limit-EventLog -online"
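Since Limit-EventLog stops at classic logs, a practical wrapper needs a second path for the modern channels. The function below is an added example (not from the original post): it rounds the request to the 64 KB grid, uses Limit-EventLog for classic logs when that cmdlet exists (Windows PowerShell 5.1; the *-EventLog cmdlets are not shipped with PowerShell 7) and otherwise sets MaximumSizeInBytes on the EventLogConfiguration object and calls SaveChanges(), then re-reads the log to report what actually took effect. It assumes an elevated session.

```powershell
# Added example (not from the original post): resize any event log, classic or modern.
# Limit-EventLog covers classic logs only; EventLogConfiguration (from Get-WinEvent -ListLog)
# covers both and is what wevtutil uses. Assumes an elevated session.
function Set-EventLogMaximumSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [Parameter(Mandatory)][int64]$MaximumSize,           # bytes
        [ValidateSet('OverwriteAsNeeded', 'OverwriteOlder', 'DoNotOverwrite')]
        [string]$OverflowAction                              # classic logs only (Limit-EventLog)
    )
    # Both mechanisms require whole 64 KB blocks and at least 1 MB
    $size = [int64][math]::Max([math]::Ceiling($MaximumSize / 64KB) * 64KB, 1MB)

    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
        if (-not $PSCmdlet.ShouldProcess($name, "MaxSize $($cfg.MaximumSizeInBytes) -> $size")) { continue }

        if ($cfg.IsClassicLog -and (Get-Command Limit-EventLog -ErrorAction SilentlyContinue)) {
            $p = @{ LogName = $name; MaximumSize = $size }
            if ($OverflowAction) { $p.OverflowAction = $OverflowAction }
            Limit-EventLog @p
        } else {
            # Modern channel, or a PowerShell 7 session without the *-EventLog cmdlets
            $cfg.MaximumSizeInBytes = $size
            $cfg.SaveChanges()
        }

        # Re-read instead of trusting the call: this is the value the service enforces
        $now = Get-WinEvent -ListLog $name
        [pscustomobject]@{ LogName = $name; MaxSizeBytes = $now.MaximumSizeInBytes; Mode = $now.LogMode }
    }
}

# Usage: a classic log with an explicit overflow policy, and a modern channel
Set-EventLogMaximumSize -LogName 'Directory Service' -MaximumSize 64MB -OverflowAction OverwriteAsNeeded
Set-EventLogMaximumSize -LogName 'Microsoft-Windows-PowerShell/Operational' -MaximumSize 256MB
```

Run it with -WhatIf first on a production DC: the ShouldProcess message shows the current and intended sizes per log, so a typo such as 64KB instead of 64MB is caught before any log is truncated.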

SRC:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/81b4a3d1-49cd-4987-9b12-d939f6117572/default-value-of-set-maximum-log-size

http://technet.microsoft.com/en-us/library/cc748849.aspx


Original title: “2 ways to customise Event Viewer "Log Size" through Group Policy.”
