Hi Michael,
>>The best solution would be to make the settings for the forwarded events in
the Console.
There is no default group policy setting to do this.
Here, although I am not sure if the following workaround can work, I just want to share the information with you.
The registry key for Forwarded Events should be:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents
under the registry key, there is a value called Retention with REG_DWORD type, which should control the retention setting of ForwardedEvents. Here, if we want to set to value to 30 days, the value data should be ox0076a700. We can test this on a test machine.
If this workaround works, we can deploy the registry key via Group Policy Preferences Registry extension.
Important and Caution: Back it up before we modify the registry, because serious problems might occur if we modify the registry incorrectly.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.