none
Security Event logs wont allow me to change size in event viewer - GPO's show other max size then Event viewer does

    Question

  • I have several different servers (2008 R2 Standard) that in event viewer.. the Security log shows to have a max size of 61440000 kb. It will not allow me to change that to a smaller size. I get the following error message when I try to change it:

    The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 61440000 KB

    I have checked all applicable GPO's on my domain, and all are set to max log sizes of either 1, 2 or 4 gb. I have checked registry settings on the affected servers (HKLM/System/CurrentControlSet/services/eventlog/Security)

    I have tried to find a solution in Technet, and just searching the 'net... but without success.

    How would I reset the logs sizes to the default values? Is there a setting somethere that overrides all other settings for log sizes, and if so.. where is it?

    Thanks in advance for any assistance you can provide.....

    Wednesday, January 30, 2013 2:03 PM

All replies

  • Im running into this as well on Win7 64 bit.  The values are not as high, but they are still locked and wont allow me to change them.   I was able to modify the registry, not sure if it did anything, i also dont know if thats bytes or KB.     

    I tried doing it in the command line with "wevtutil sl Security /ms:1048576" and still nothing.

    In addition to all of this, event viewer always crashes when i right click an item.  The only time it doesn't crash on a right click is when i'm selecting it from the side menu. Very annoying.

    Friday, February 01, 2013 12:36 AM
  • Hi,

    >>I have checked all applicable GPO's on my domain, and all are set to max log sizes of either 1, 2 or 4 gb. 


    Why did you need to set maximum log size value in multiple GPOs? Just configure it in one GPO which applied to the server.

    If you specify this value through group policy, you'd better edit GPO settings to reset the value.

    Log file sizes must be a multiple of 64 KB and 4GB is a maximum size.

    Reference: http://technet.microsoft.com/en-us/library/cc776342(v=WS.10).aspx

    Regards,
    Cicely

    Friday, February 01, 2013 9:04 AM
    Moderator
  • I would be happy to send you a screen shot of what the Event viewer properties shows for max log size, if you would like. As far as why various GPO's are set that way.. ask the person I inherited this problem from, he is no longer here. 

    The link you supplied... is readily available to anyone that knows how to use google or search Microsoft / Technet. It does not help!

    The issue of a 60 GB max log size is on every server in the network... so it appears to be coming from GPO! But if so, I can't locate where in the Server GPO to correct this.... as it is not the standard log size settings. Any Help would be appreciated.

    Wednesday, February 06, 2013 8:11 PM
  • I tried the WevUtil also.. no luck! I will keep searching.. and will update here if I find anyting. May have to put in a support call to MS...
    Wednesday, February 06, 2013 8:13 PM
  • Have you had any luck resolving this?
    Friday, May 10, 2013 4:46 PM
  • It sucks that there is no answer to this after all this time. It is also a bit annoying that the moderator marked their answer as "the answer".

    The problem has to be related to the registry somehow and/or permissions, but without setting up file system and registry monitoring, there is no real way to determine why the setting cannot be changed. In my case, I originally set up domain controllers based on a baseline non-member server image where I used the LocalGPO tool to apply some default policy settings, and some of those seem to permanently tatooed. For example, I have a firewall rule setting that was ONLY over-ridden by creating a GPO and setting it to be enforced. However, for the Windows Security Event Log size, which *used* to be larger on a couple of special domain controllers, it's now locked at 1GB everywhere (on every DC in the domain). The GPO doesn't matter, though I set it to 4GB. On our DC's, that means that security events only span about 12 hours.

    I'm still searching for an answer, or even a direction to go, so I hope that someone who has anything helpful runs across this thread and can provide an update.

    -- Rob "I" --

    • Proposed as answer by TxMethodMan Monday, July 20, 2015 4:33 PM
    • Unproposed as answer by TxMethodMan Monday, July 20, 2015 4:33 PM
    Thursday, February 26, 2015 6:00 AM
  • I had the same issue... apparently there are 2 places in the GPO to define max size.... Security Settings/Event Viewer...  and Administrative Templates/Windows Components/Event Log Service.  That later seems to be the dominant setting.
    Monday, July 20, 2015 4:37 PM