Windows OS Hub

September 21, 2024

Configuring Event Viewer Log Size on Windows

Windows Event Viewer Logs store useful information that is needed when analyzing the status of services and applications in Windows, troubleshooting errors, and auditing security events. By default, the sizes of the Event Viewer logs in Windows are limited and when the file sizes are exceeded, new events begin to overwrite older ones. If too many events are sent to the Event Viewer, only the last few hours of events may be logged, which may not be sufficient for efficient monitoring and log analysis.

To prevent old events from being overwritten, and to ensure that you always have events for a long enough period, you can increase the maximum size of Event Viewer logs.

Contents:
  • How to Set Windows Event Log Size with PowerShell?
  • Adjusting the Event Log File Size from the Event Viewer Console
  • Increase the Size of Windows Event Log Files Using GPO

How to Set Windows Event Log Size with PowerShell?

Windows event log files are stored in the %SystemRoot%\System32\Winevt\Logs\ directory as .EVTX files. Note that there is a separate file for each log. So you can manage the maximum size of only the Windows log you need and leave the default settings for others.


You can use PowerShell to view the current limits for all enabled Event Viewer Logs on Windows:

Get-Eventlog -List


You can use the Get-WinEvent cmdlet to get the size of a specific event log file. For example, here’s how you can get the current and maximum size of the Security log file:

Get-WinEvent -ListLog Security | Select MaximumSizeInBytes, FileSize, IsLogFull, OldestRecordNumber, IsEnabled, LogMode


You can use PowerShell to get the total size of the folder that contains the event log files:

"{0:N2} MB" -f ((gci c:\windows\System32\Winevt\Logs\ | measure Length -s).sum / 1Mb)

To increase the maximum size of the log, you can use the wevtutil command line tool (the new size is set in bytes):

wevtutil sl "Application" /ms:200000000

Or you can use PowerShell to set a new maximum Application log file size:

Limit-Eventlog -Logname Application -MaximumSize 200MB -OverflowAction OverwriteOlder
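
Before picking a new limit, it helps to measure how much history each log holds today. The following is an added example, not code from the original article: the Get-EventLogRetention function name, the 30-day target and the 20% headroom are assumptions made for illustration. It estimates the daily growth of each log from its file size and oldest retained event, then suggests a maximum size for the target period.

```powershell
# Added example, not from the article. Run in an elevated session to read Security.
$TargetDays = 30        # assumed retention goal, in days
$Headroom   = 1.2       # assumed 20% safety margin for busy days

function Get-EventLogRetention {
    param(
        [string[]]$LogName = @('Application', 'Security', 'System'),
        [int]$TargetDays = 30,
        [double]$Headroom = 1.2
    )
    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
        # -Oldest sorts ascending, so the first event returned is the oldest one still kept
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        if (-not $oldest -or -not $cfg.FileSize) {
            # Empty log: nothing to measure
            [pscustomobject]@{ LogName = $name; DaysKept = $null; MBPerDay = $null
                               MaxMB = $cfg.MaximumSizeInBytes / 1MB; SuggestedMB = $null }
            continue
        }
        $days   = [math]::Max(((Get-Date) - $oldest.TimeCreated).TotalDays, 0.01)
        $perDay = $cfg.FileSize / $days
        # Round up to a multiple of 64 KB, which Limit-EventLog -MaximumSize requires
        $needed = [math]::Ceiling(($perDay * $TargetDays * $Headroom) / 64KB) * 64KB
        [pscustomobject]@{
            LogName     = $name
            DaysKept    = [math]::Round($days, 1)
            MBPerDay    = [math]::Round($perDay / 1MB, 2)
            MaxMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            # Never suggest shrinking a log below its current limit
            SuggestedMB = [math]::Round([math]::Max($needed, $cfg.MaximumSizeInBytes) / 1MB, 1)
        }
    }
}

Get-EventLogRetention -TargetDays $TargetDays -Headroom $Headroom | Format-Table -AutoSize
```

A DaysKept value far below the target on a log whose file is close to MaxMB means events are being overwritten too quickly. The estimate is rough for a log that was cleared recently or has not yet filled.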

Adjusting the Event Log File Size from the Event Viewer Console

The easiest way to increase the maximum log size is directly from the Event Viewer console.

  1. Open the Event Viewer MMC snap-in (eventvwr.msc);
  2. Select the required log (for example, Security) and open its properties;
  3. Set a new limit under Maximum log size (KB) and save the changes;
  4. You can also select the action to be taken when the maximum log file size is reached:
    • Overwrite events as needed (oldest events first) – this mode is used by default and implies that new events simply overwrite older events.
    • Archive the log when full, do not overwrite events – the current event log is archived in the \System32\Winevt\Logs\ folder when full, and new events are written to a new EVTX file. You can access the archived event files through the Open Saved Log menu in the Event Viewer.
    • Do not overwrite events (Clear log manually) – enable this option to protect your old events from being overwritten. Note that the log must be cleared manually to write new events.

Increase the Size of Windows Event Log Files Using GPO

You can use Group Policies to centrally manage the size of event log files on computers or servers in an Active Directory domain.

  1. Run the Group Policy Management snap-in (gpmc.msc), create a new GPO, and link it to the Organizational Units with the computers or servers you want to change the Event Viewer settings for (you may also link the GPO to the domain root);
  2. Navigate to the following GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service. This directory contains nodes for managing the basic Windows logs:
    Application
    Security
    Setup
    System
  3. To increase the maximum size of the log, select the Specify the maximum log file size (KB) option, enable it, and set the required size;
  4. Update the Group Policy settings on the clients and check that the new maximum log file size is now specified in the log properties and that you cannot change it. If you try to set a different size, an error will appear:

    Event Viewer
    The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 61440 KB

Increasing the maximum Security log size on Active Directory domain controllers allows you to:

  • Store a user’s domain login history and view successful/failed logon attempts to a specific Windows host;
  • Find the source of user account lockout in AD;
  • Identify who created a user in AD, reset the user’s password, or change the membership of a specific security group.

The GPO section described above doesn’t contain options for other Event Logs from Applications and Services Logs -> Microsoft. If you need to increase the size of another event log (other than the standard one), you can do it through the registry. Windows event log settings are stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log_name> registry key. The maximum log file size is determined by the MaxSize parameter (REG_DWORD type). You can configure the registry value of the MaxSize parameter for a custom event log on domain computers by using Group Policy Preferences.

Learn how to use GPO to configure registry keys and settings.

In this example, we are going to increase the size of the Directory Service log on the domain controllers. This log’s settings are stored in the following registry key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service.


  1. Open GPO and go to Computer Configuration -> Preferences -> Windows Settings -> Registry;
  2. Select New -> Registry Item;
  3. Create a new registry parameter with the following settings:
    Hive: HKEY_LOCAL_MACHINE
    Key path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
    Value name: MaxSize
    Value type: REG_DWORD
    Value data: 52428800 (the maximum file size is given in bytes. In our example it is 50 MB.)

  4. Check that the new maximum log size is applied after updating the GPO on the DCs.

For example, if you want to store logs with a history of Remote Desktop connections to an RDS host for a long period, you need to increase the size of the Terminal-Services-RemoteConnectionManager log.
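
To confirm that the sizes you expect are actually in effect on a host, for the standard logs and for logs under Applications and Services Logs alike, you can compare them against a baseline. The following is an added example, not code from the original article: the Test-EventLogSizeBaseline function name and the Security and RemoteConnectionManager sizes are assumptions, while the Application and Directory Service sizes are the ones used above.

```powershell
# Added example, not from the article. Desired minimum sizes in bytes.
$Baseline = [ordered]@{
    'Application'       = 200MB      # value used in the article
    'Security'          = 1GB        # assumed value
    'Directory Service' = 52428800   # value used in the article; domain controllers only
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' = 100MB  # assumed
}

function Test-EventLogSizeBaseline {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Baseline,
        [switch]$Fix    # raise undersized logs; requires an elevated session
    )
    foreach ($name in $Baseline.Keys) {
        $want = [long]$Baseline[$name]
        $log  = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            # For example, Directory Service on a member server
            [pscustomobject]@{ LogName = $name; CurrentMB = $null
                               WantedMB = $want / 1MB; Status = 'NotPresent' }
            continue
        }
        $status = if ($log.MaximumSizeInBytes -ge $want) { 'OK' } else { 'TooSmall' }
        if ($status -eq 'TooSmall' -and $Fix) {
            # The object returned by -ListLog is writable for classic and channel logs
            $log.MaximumSizeInBytes = $want
            $log.SaveChanges()
            $log    = Get-WinEvent -ListLog $name
            $status = if ($log.MaximumSizeInBytes -ge $want) { 'Raised' } else { 'FixFailed' }
        }
        [pscustomobject]@{
            LogName   = $name
            CurrentMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            WantedMB  = $want / 1MB
            Status    = $status
        }
    }
}

# Report only; add -Fix to raise logs that are below the baseline
Test-EventLogSizeBaseline -Baseline $Baseline | Format-Table -AutoSize
```

The function only ever raises a limit, so a log that is already larger than the baseline is left alone.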

By increasing the size of Windows event logs, you can get more information over a longer time. For example, you can use event logs to get the Windows reboot history, find out who deleted a file from a shared network folder, or changed NTFS permissions.

4 comments

David March 26, 2024 - 6:51 pm

Hello,

The MaxSize registry key for a lot (maybe all) of the Microsoft logs under ‘Applications and Services Logs’ is stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
(not as is written in this article under HKLM\SYSTEM\CurrentControlSet\Services\EventLog)

Thanks https://joymalya.com/increase-maxsize-of-windows-event-log-file-with-intune/#:~:text=To%20change%20the%20max%20file%20size%20capping%20limit%20of%20other%20event%20logs%20like%20those%20under%20Applications%20and%20Services%20Logs%20%E2%86%92%20Microsoft%20within%20Event%20Viewer%2C%20there%20are%20no%20equivalent%20GPO%20settings%2C%20and%20as%20such%2C%20no%20equivalent%20MDM%20settings%20as%20well.

Gavin September 17, 2024 - 4:31 am

I stopped using the Windows Event Log because it records too much information, making it difficult to generate meaningful reports. I only want to track specific user activities, such as opening, saving, printing, and especially deleting and copying files. Currently, I’m using a freeware tool called Curtain LogTrace, but I believe there are many other free alternatives available.

Robot1me September 17, 2024 - 6:29 am

Hi, there is a small error in this post. The value for “wevtutil sl "Application" /ms:200000” is in bytes, not kilobytes. You can verify this with the aforementioned “Get-Eventlog -List” command.

admin September 21, 2024 - 8:12 am

Fixed, thanks!

