Server 2008 GPO for Event Log Retention
Server 2008 domain controller. I'm attempting to set a GPO so that the DC's event logs grow to a set size then overwrite the oldest. I did successfully set the maximum size, but can't seem to change the retention method from Archive to overwrite oldest events. Can this be done via GPO? It seems that something is controlling this because if I manually set it, it doesn't stick. Thanks to all who reply.
August 29th, 2012 11:42am
You could always run a Resultant Set of Policy on the local server to see exactly what policies transpire on the server. As to your question whether or not... The answer is yes.

Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Application/Security/Setup/System

    Log File Path
    Maximum Log Size
    Backup Log Automatically Created When Full
    Log Access
    Retain Old Events

Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
Microsoft® Community Contributor Award 2011
All opinions expressed on my own behalf and not that of my company. This posting is "as is" without warranties and confers no rights.
August 29th, 2012 1:01pm
I did go to Computer Configuration, Administrative Templates, Windows Components, Event Log Service, Security, Retain old events, and set to disabled which should make it overwrite, but when I look at log properties, it seems stuck on Archive. I ran a GPresult /SCOPE "COMPUTER" and see the following:

    Event Log Settings
    ------------------
        GPO: Default Domain Controllers Policy
            Policy:            MaximumLogSize
            Computer Setting:  500032
            Log Name:          Security

        GPO: Default Domain Policy
            Policy:            RetentionDays
            Computer Setting:  0
            Log Name:          Application

        GPO: Default Domain Policy
            Policy:            MaximumLogSize
            Computer Setting:  51200
            Log Name:          Application

        GPO: Default Domain Controllers Policy
            Policy:            RetentionDays
            Computer Setting:  7
            Log Name:          Security

Does the last setting of 7 days ensure that it overwrites old log entries? It did not seem to report on the specific retention method. Thanks for your post.
August 29th, 2012 1:05pm
Hi,

Retain old events is a new policy introduced in Windows Server 2008. In the previous OS (Windows Server 2003), we use a different reporting infrastructure policy:

Retain event log: This policy setting determines the number of days of event log data to retain for the Application, Security, and System logs if the retention method that is specified for the log is By Days. You should only configure this setting if you archive the log at scheduled intervals and you ensure that the maximum log size is large enough to accommodate the interval.

It seems that in Windows Server 2008 or later OS, the new policy Retain old events is set to 7 retain days in the background for logs.

In Windows Server 2008, Retain old events and Back up log automatically when full are related. With the Retain old events policy setting enabled, the Event Logging service will stop writing new events to the event log when the log file reaches or exceeds the maximum value and you will lose all new events. With this policy setting disabled, new events will overwrite old events. When you enable the Back up log automatically when full and the Retain old events policy settings, the Event Log service will close the current event log, rename it, and then create a new log. The Back up log automatically when full policy setting works only when you enable the Retain old events policy setting.

For more information please refer to the following MS articles:

Event Log
http://technet.microsoft.com/en-us/library/cc722385(v=WS.10).aspx

Event Logging policy settings in Windows Server 2008 and Vista
http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx

Lawrence
TechNet Community Support
August 30th, 2012 9:09am
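The gpresult output in this thread does not show which full-log behaviour is actually in force, so here is an added example (not posted by anyone in the thread) that reads each log's live configuration with wevtutil and maps it to the three cases described in the last reply. It assumes PowerShell 2.0 or later in an elevated prompt, and assumes the Administrative Templates values are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\<log>; the function names are made up for this example.

```powershell
# Added example: map retention/autoBackup to the three cases from the reply above.
function Get-FullLogMode {
    param([bool]$Retention, [bool]$AutoBackup)
    if (-not $Retention) { return 'Overwrite oldest events' }
    if ($AutoBackup)     { return 'Archive the full log, then start a new one' }
    return 'Stop writing new events when full'
}

function Get-EventLogRetention {
    param([string[]]$LogName = @('Application', 'Security', 'System'))
    foreach ($log in $LogName) {
        # Live channel configuration as the Event Log service currently sees it.
        $cfg = @{}
        foreach ($line in (wevtutil.exe gl $log)) {
            if ($line -match '^\s*(\w+):\s*(.*)$') {
                $cfg[$Matches[1]] = $Matches[2].Trim()
            }
        }
        $retention  = ($cfg['retention']  -eq 'true')
        $autoBackup = ($cfg['autoBackup'] -eq 'true')

        # Values delivered by policy, if any (registry location is an assumption).
        # An empty column means no policy value was found for that setting.
        $polPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
        $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue

        New-Object PSObject -Property @{
            Log              = $log
            MaxSizeBytes     = $cfg['maxSize']
            Retention        = $retention
            AutoBackup       = $autoBackup
            EffectiveMode    = Get-FullLogMode -Retention $retention -AutoBackup $autoBackup
            PolicyRetention  = $pol.Retention
            PolicyAutoBackup = $pol.AutoBackupLogFiles
        } | Select-Object Log, MaxSizeBytes, Retention, AutoBackup,
                          EffectiveMode, PolicyRetention, PolicyAutoBackup
    }
}

Get-EventLogRetention | Format-Table -AutoSize
```

A log whose EffectiveMode differs from what the GPO is meant to deliver points to another policy or setting winning, which is the "doesn't stick" symptom from the original question.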