Retaining Event Viewer logs for 90 days

  • Question

  • I would like to find out if there is a way to retain Event Viewer logs for a period of 90 days? Is there a way to do this via a GPO setting? Or even a registry tweak?

    This is for troubleshooting and analysis purposes. I'm running on Vista Enterprise (SP1).

    Please ask if more information is needed.
    Thursday, February 19, 2009 3:27 AM

All replies

  • Hi Giggster,

    see if these articles of my colleague Daniel Petri help:
    http://www.petri.co.il/event_logs_archiving_with_gpo.htm
    http://www.petri.co.il/vista-event-viewer.htm


    [If this post helps to resolve your issue, click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster.]

    Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~ My Blog: http://blogs.dotnethell.it/vincent/
    Thursday, February 19, 2009 6:53 AM
  • Thanks for the solution but I have decided to extend the log size limit instead. I want to do this via an ADM file which will be uploaded to the GPO.

    Something is wrong with my code, because the value is not changing in the registry. Could someone please change or advise me on what to change in the code to make this work for all the event viewer log sizes?


    ADM code:

    CLASS MACHINE

    CATEGORY !!CategoryName

     POLICY !!L_ApplicationLog
      
      KEYNAME "SYSTEM\CurrentControlSet\Services\Eventlog\Application"
       
       PART !!L_App
        VALUENAME MaxSize
        VALUEON NUMERIC 6000000
        VALUEOFF NUMERIC 2097152
       END PART   
     
      EXPLAIN !!L_ApplicationExplain
     
     END POLICY

     
     POLICY !!L_SecurityLog
      
      KEYNAME "SYSTEM\CurrentControlSet\Services\Eventlog\Security"
       
       PART !!L_Sec
        VALUENAME MaxSize
        VALUEON NUMERIC 12000000
        VALUEOFF NUMERIC 5242880
       END PART

      EXPLAIN !!L_SecurityExplain
     
     END POLICY
     

     POLICY !!L_SystemLog
      
      KEYNAME "SYSTEM\CurrentControlSet\Services\Eventlog\System"
       
       PART !!L_sys
        VALUENAME MaxSize
        VALUEON NUMERIC 6000000
        VALUEOFF NUMERIC 2097152
       END PART   
     
      EXPLAIN !!L_SystemExplain
     
     END POLICY

    END CATEGORY

    ;+++++++++++++++++++++++++++++++End User Class+++++++++++++++++++++++++++++++++++++++++++++
    ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    [Strings]
    CategoryName="Event Viewer Log Size"
    L_ApplicationLog = "Event Viewer Application log size"
    L_ApplicationExplain ="Sets the default application log size for GIDv1 machine to 6 megabytes"
    L_SecurityLog = "Event Viewer Security log size"
    L_SecurityExplain ="Sets the default security log size for GIDv1 machine to 12 megabytes"
    L_SystemLog = "Event Viewer System log size"
    L_SystemExplain ="Sets the default system log size for GIDv1 machine to 6 megabytes"
    L_App = "Maximum Size of Log: "
    L_Sec = "Maximum Size of Log: "
    L_Sys = "Maximum Size of Log: "

    Saturday, March 14, 2009 5:01 AM