Windows Event Viewer Logs store useful information that is needed when analyzing the status of services and applications in Windows, troubleshooting errors, and auditing security events. By default, the sizes of the Event Viewer logs in Windows are limited and when the file sizes are exceeded, new events begin to overwrite older ones. If too many events are sent to the Event Viewer, only the last few hours of events may be logged, which may not be sufficient for efficient monitoring and log analysis.
To prevent old events from being overwritten, and to ensure that you always have events for a long enough period, you can increase the maximum size of Event Viewer logs.
How to Set Windows Event Log Size with PowerShell?
Windows event log files are stored in the %SystemRoot%\System32\Winevt\Logs\
directory as .EVTX files. Note that there is a separate file for each log. So you can manage the maximum size of only the Windows log you need and leave the default settings for others.
You can use PowerShell to view the current limits for all enabled Event Viewer Logs on Windows:
Get-Eventlog -List
You can use the Get-WinEvent cmdlet to get the size of a specific event log file. For example, here’s how you can get the current and maximum size of the Security log file:
Get-WinEvent -ListLog Security| Select MaximumSizeInBytes, FileSize, IsLogFull, OldestRecordNumber, IsEnabled, LogMode
"{0:N2} MB" -f ((gci c:\windows\System32\Winevt\Logs\| measure Length -s).sum / 1Mb)
To increase the maximum size of the log, you can use the wevtutul
command line tool (the new size is set in bytes):
wevtutil sl "Application" /ms:200000000
Or you can use PowerShell to set a new maximum Application log file size:
Limit-Eventlog -Logname Application -MaximumSize 200MB -OverflowAction OverwriteOlder
Adjusting the Event Log File Size from the Event Viewer Console
The easiest way to increase the maximum log size is directly from the Event Viewer console.
- Open the Event Viewer MMC snap-in (
eventvwr.msc
); - Select the required log (for example, Security) and open its properties;
- Set a new limit under Maximum log size (KB) and save the changes;
- You can also select the action to be taken when the maximum log file size is reached: Overwrite events as needed (oldest events first). This mode is used by default and implies that new events simply overwrite older events.
Archive the log when full, do not overwrite events – the current event log is archived in the\System32\Winevt\Logs\
folder when full, and new events are written to a new EVTX file. You can access the archived event files through the Open Saved Log menu in the Event Viewer.
Do not overwrite events (Clear log manually) – enable this option to protect your old events from being overwritten. Note that the log must be cleared manually to write new events.
Increase the Size of Windows Event Log Files Using GPO
You can use Group Policies to centrally manage the size of event log files on computers or servers in an Active Directory domain.
- Run the Group Policy Management snap-in (
gpmc.msc
), create a new GPO, and link it to the Organizational Units with the computers or servers you want to change the Event Viewer settings for (you may also link the GPO to the domain root); - Navigate to the following GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service. This directory contains nodes for managing the basic Windows logs:
Application Security Setup System
- To increase the maximum size of the log, select the Specify the maximum log file size (KB) option, enable it, and set the required size;
- Update the Group Policy settings on the clients and check that the new maximum log file is now specified in the log properties and that you cannot change it. If you try to set a different size, an error will appear:
Event Viewer The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 61440 KB
- Store a user’s domain login history and view successful/failed logon attempts to a specific Windows host;
- Find the source of user account lockout in AD;
- Identify who created a user in AD, reset the user’s password, or change the membership of a specific security group.
The GPO section described above doesn’t contain options for other Event Logs from Applications and Services Logs -> Microsoft. If you need to increase the size of another event log (other than the standard one), you can do it through the registry. Windows event log settings are stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log_name> registry key. The maximum log file size is determined by the MaxSize parameter (REG_DWORD type). You can configure the registry value of the MaxSize parameter for a custom event log on domain computers by using Group Policy Preferences.
In this example, we are going to increase the size of the Directory Service log on the domain controllers. This log’s settings are stored in the following registry key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service.
- Open GPO and go to Computer Configuration -> Preferences -> Windows Settings -> Registry;
- Select New -> Registry Item;
- Create a new registry parameter with the following settings:
Hive: HKEY_LOCAL_MACHINE Key path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service Value name: MaxSize Value type: REG_DWORD Value data: 52428800 (the maximum file size is given in bytes. In our example it is 50 MB.)
- Check that the maximum log size is after updating the GPO on the DCs.
By increasing the size of Windows event logs, you can get more information over a longer time. For example, you can use event logs to get the Windows reboot history, find out who deleted a file from a shared network folder, or changed NTFS permissions.
4 comments
Hello,
The MaxSize registry key for a lot (maybe all) of the Microsoft logs under ‘Applications and Services Logs’ are stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
(not as is written in this article under HKLM\SYSTEM\CurrentControlSet\Services\EventLog)
Thanks https://joymalya.com/increase-maxsize-of-windows-event-log-file-with-intune/#:~:text=To%20change%20the%20max%20file%20size%20capping%20limit%20of%20other%20event%20logs%20like%20those%20under%20Applications%20and%20Services%20Logs%20%E2%86%92%20Microsoft%20within%20Event%20Viewer%2C%20there%20are%20no%20equivalent%20GPO%20settings%2C%20and%20as%20such%2C%20no%20equivalent%20MDM%20settings%20as%20well.
I stopped using the Windows Event Log because it records too much information, making it difficult to generate meaningful reports. I only want to track specific user activities, such as opening, saving, printing, and especially deleting and copying files. Currently, I’m using a freeware tool called Curtain LogTrace, but I believe there are many other free alternatives available.
Hi, there is a small error in this post. The value for “wevtutil sl “Application” /ms:200000″ is in bytes, not kilobytes. You can verify this with the aforementioned “Get-Eventlog -List” command.
Fixed, thanks!