I am using Group Policy to control our event logs. I have enabled "backup log automatically when full" and "retain old events". When the Security log gets full, it renames it as "Archive-Security-YYYY-MM-DD-XX-XX-XXX.evtx. So far so good. The problem is that the Archive log doesn't seem to have all of the events like the "current" log. See below.
Archive Security Log
Notice that the current log has many different type of events and the achive log only has 4656 events (except for the entry where the event log is created and where the event log is full). Having a security log with missing information is not useful. Any suggestions to make sure the current log is converted to an archive log with no lost data? Am I looking at the wrong log?
Thanks for posting in Microsoft TechNet forums.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
The policy "backup log automatically when full" only backup event log which it is full, it will not backup the current log.
For more information , see below:
Hope this helpful.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
- Proposed as answer by _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-Microsoft contingent staff Thursday, August 01, 2013 2:01 PM
That is not the problem. When the current log is full, it correctly creates the backup log. Lets call the current log, security.evtx. When log security.evt gets full it correctly renames the file Archive-Security-YYYY-MM-DD-XX-XX-XXX.evtx. The problem is that the file named Archive-Security-YYYY-MM-DD-XX-XX-XXX.evtx does not have all of the same information that it had when it was called security.evtx. See the examples above for details. What is the problem?