Where does Windows Server 2008 store archived event logs?

  • Question

  • I'm attempting to use the "Archive the log when full; do not overwrite events" option for an Event Log that fills up quickly. Before I tried that option, I had saved the log manually, and discovered where Windows put the saved log. However, after implementing the automatic option, I can't find the automatically archived logs. They're not with the manually saved logs, and they're not in the LocaleMetaData folder either.

    Any idea where the system might have put them?
    Wednesday, August 5, 2009 10:50 PM

Answers

  • Hello OldTechGuy,

    Windows Server 2008 logs are configured to overwrite old events as needed by default. So, when the log reaches its maximum size, the operating system overwrites old events with new events. If desired, we can have Windows automatically archive logs. In this configuration, when the maximum file size is reached, Windows archives the events by saving a copy of the current log in the default directory. Windows then creates a new log for storing current events.

    For your reference, I have listed some of the event log service names, their default directories for saving the event logs, and the maximum event log file sizes.

    Windows Logs

    Application         %SystemRoot%\System32\Winevt\Logs\Application.evtx       20480 MB
    Forwarded Events    %SystemRoot%\System32\Config\ForwardedEvents.evtx        20480 MB
    Security            %SystemRoot%\System32\Winevt\Logs\Security.evtx          131072 MB/20480 MB
    Setup               %SystemRoot%\System32\Winevt\Logs\Setup.evtx             1028 MB

    Note: The default maximum log size is 131072 MB on domain controllers and 20480 MB on member servers.

    Application and Services logs

    DFS Replication     %SystemRoot%\System32\Winevt\Logs\DfsReplication.evtx    15168 MB
    DNS Server          %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx        16384 MB
    Hardware Events     %SystemRoot%\System32\Config\HardwareEvents.evtx         20480 MB

    Hope this can be helpful.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by David Shen Thursday, August 6, 2009 3:58 AM
    • Marked as answer by OldTechGuy Thursday, August 6, 2009 8:20 PM
    Thursday, August 6, 2009 3:58 AM
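
    An added example, not part of the original answer: a PowerShell check that reads each log's configured path and retention mode from the system and lists any automatic archives stored beside the live file. It assumes archives follow the Archive-<log file name>-<timestamp>.evtx naming convention and that the session is elevated (needed for the Security log); the default log list is only a sample.

```powershell
# Added example (not from the thread). Run in an elevated session.
# Assumption: automatic archives are named Archive-<live file base name>-<timestamp>.evtx
# and are written to the same directory as the live .evtx file.
param(
    [string[]]$LogName = @('Application', 'Security', 'System', 'Setup')
)

foreach ($name in $LogName) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Log '$name' not found or not readable"
        continue
    }

    # LogFilePath is stored with %SystemRoot% unexpanded
    $livePath = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
    $dir      = Split-Path -Path $livePath -Parent
    $stem     = [IO.Path]::GetFileNameWithoutExtension($livePath)

    # Collect archives for this log only; @() keeps the result an array when empty
    $archives = @(Get-ChildItem -Path $dir -Filter "Archive-$stem-*.evtx" `
                      -ErrorAction SilentlyContinue | Sort-Object LastWriteTime)
    $archiveBytes = [long]($archives | Measure-Object -Property Length -Sum).Sum

    [pscustomobject]@{
        Log           = $log.LogName
        # Circular = overwrite as needed, AutoBackup = archive when full,
        # Retain = do not overwrite (log must be cleared manually)
        Mode          = $log.LogMode
        LivePath      = $livePath
        MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        ArchiveCount  = $archives.Count
        ArchiveSizeMB = [math]::Round($archiveBytes / 1MB, 1)
        OldestArchive = if ($archives.Count) { $archives[0].LastWriteTime } else { $null }
        NewestArchive = if ($archives.Count) { $archives[-1].LastWriteTime } else { $null }
    }
}
```

    Archives are never pruned automatically, so ArchiveSizeMB is worth tracking on any log left in AutoBackup mode.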

All replies

  • Thanks! Exactly what I needed to know.

    Suggestion: This information would be extremely helpful if placed in the Help files.
    Thursday, August 6, 2009 8:21 PM
  • Is it possible to change these paths to UNC paths?
    Thursday, April 28, 2011 9:00 PM
  • Is it possible to change these paths to UNC paths? Never got an answer... good question...

    Friday, June 22, 2012 12:33 PM
  • I am waiting for this response too... who suggests...?

    Tuesday, January 22, 2013 6:56 PM
  • I tried to change this path to UNC, it worked for me.
    Thursday, June 20, 2013 6:08 AM
  • This is very helpful - Thanks
    Friday, December 20, 2013 5:21 AM
  • How do you change these paths?

    And is it possible to make a GPO with these parameters so they are enforced everywhere?


    CarolChi

    Thursday, April 24, 2014 2:22 PM