
How do Event Logs handle size and record retention

Status
Not open for further replies.

gmail2

Programmer
Jun 15, 2005
987
IE
I'm curious as to how exactly the event logs handle maximum size and how long to retain records for. Just looking at the application log on one of our servers, the size at the moment is 26MB. The log settings say maximum size is 515KB, and overwrite events older than 7 days. I can understand why it might go over 512KB if more than that is generated in seven days. But the logs go back to October 11th. So what gives? Why do they go back that far, and why did it suddenly decide to cut them off at October 11th? Also, shouldn't it say that the application log is full when I log in? This is currently happening on one of our servers (security log) - this is obeying the "stick to 512KB" rule, even though it generates more than that per day!! Can somebody explain to me what's going on here?

 
Well, there are many possibilities if this is a domain member. It could be a domain GPO or a local GPO. I would probably start with an rsop.msc to see what the event log settings are in the GPO.

As for size, I would 100% recommend that you NEVER allow the evts to get larger than about 1.7GB. Once you get near 2GB, the evts are unreadable. As for retention, that is a decision to be made based on your auditing requirements. Your environment/SLAs should dictate that.
 
Sorry, I probably should have been a bit clearer. The maximum log size is forced by GPO to 512KB (confirmed by RSOP) but like I said, they're growing larger - if they need to grow larger than 512KB shouldn't they stop logging and give a warning that the log is full?

What I meant by retention is how it decides how long to retain the records in the event log itself - like I said, our setting is to overwrite events older than seven days but currently there are records there older than a month. So at the moment, it seems that the logs are not obeying the limits that are set. I also have one DC on another domain, and when I checked just now the security log size is 4MB even though the setting is maximum size 512KB and overwrite events as needed. Any ideas what's going on?

 
I do not know what the issue could be if it is the way you say it is. I have my GPOs set up for event logs and they work fine.

I do recall that there was a setting that would lead you to believe that it was a size limit, but it actually turned out to be a limit at which the logs dumped the existing logs to an alternate location and kept running. I cannot exactly remember it this second, but I know it exists. It was either like a GPO or registry value.

In any event, this setting would set it up so that once a limit was reached, the system would dump the existing logs to a location and keep logging.
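Added example, not part of any post in this thread: one way to compare each log's configured limit with what is actually on disk, including whether an archive-when-full mode is in effect. It assumes Windows Vista/Server 2008 or later with PowerShell and an elevated session; the function name is hypothetical, and the registry value names are the standard Windows ones, not quoted from the thread.

```powershell
# Added example: report configured limits versus actual state for the classic logs.
# Run elevated; reading the Security log requires it.
function Get-EventLogLimitReport {
    param([string[]]$LogName = @('Application', 'Security', 'System'))

    foreach ($name in $LogName) {
        # Effective configuration and current state as the Event Log service sees it
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop

        # Raw registry settings for the log; values that are not set come back as $null
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$name"
        $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # Oldest record still present, to compare against the retention setting
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Log           = $name
            MaxSizeKB     = [math]::Round($cfg.MaximumSizeInBytes / 1KB)
            FileSizeKB    = [math]::Round($cfg.FileSize / 1KB)
            OverLimit     = $cfg.FileSize -gt $cfg.MaximumSizeInBytes
            LogMode       = $cfg.LogMode            # Circular, AutoBackup or Retain
            IsLogFull     = $cfg.IsLogFull
            Records       = $cfg.RecordCount
            OldestEvent   = $oldest.TimeCreated
            RegRetention  = $reg.Retention          # retention value as stored in the registry
            RegAutoBackup = $reg.AutoBackupLogFiles # 1 = archive the log file when it fills
        }
    }
}

Get-EventLogLimitReport | Format-Table -AutoSize
```

A row with `OverLimit` true, or an `OldestEvent` older than the retention period, is the mismatch described in the question; `LogMode` and `RegAutoBackup` show whether the log is being archived rather than overwritten.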
 
I do recall that there was a setting that would lead you to believe that it was a size limit, but it actually turned out to be a limit at which the logs dumped the existing logs to an alternate location and kept running
Really, you can do that? That could be quite useful, thanks for the link - I'll have a look and let you know what I find out.

 