Event Log Configuration

Production servers need a lot of attention and configuration before they are ready to be put into service. This article covers an often overlooked configuration item for new servers: Event Logs. Why Event Logs? They are one of the first places a server admin looks to troubleshoot a server issue or confirm that a particular action occurred, and the first place an incident responder looks to establish what happened on a box.
The core Event Logs on a Windows server are Application, Security and System. These three are typically also the first place to begin troubleshooting a particular issue with a server.

How can we manipulate and query these log files with PowerShell?

PowerShell

What PowerShell cmdlets exist for manipulating Event Logs? They can be found with Get-Command:
[sourcecode language=”powershell”]
Get-Command *eventLog*
[/sourcecode]
On this server (which also has Exchange installed, as mentioned below) the search returns nine cmdlets. Get-EventLogLevel and Set-EventLogLevel come from the Exchange management tools, not from Windows; the other seven are the built-in Windows PowerShell cmdlets you will find on any server:
[sourcecode language=”powershell”]
Get-EventLogLevel
Set-EventLogLevel
Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog
[/sourcecode]
When I first saw these cmdlets, the one that stuck out was Limit-EventLog. Limit is an unusual verb in PowerShell, although it is on the approved list (run Get-Verb to check). If I were designing a standardized naming convention I would expect Get, New, Remove and Set; the others listed make sense for their particular functions, such as Clear-EventLog and Write-EventLog. However, I need to resize the logs, and there is no Set-EventLog, so which cmdlet do I choose? Limit-EventLog is the cmdlet we need to make these changes. Two caveats before using any of them: the *-EventLog cmdlets exist only in Windows PowerShell (they were removed in PowerShell 6 and later, where Get-WinEvent is the replacement for reading logs), and Clear-EventLog deserves particular care, because clearing the Security log is itself recorded (event ID 1102) and is a classic indicator of tampering.
First we can review the PowerShell help for the cmdlet, like so:
[sourcecode language=”powershell”]
Get-Help Limit-EventLog -Full
[/sourcecode]
Parameters for Limit-EventLog:
[sourcecode language=”powershell”]
LogName
ComputerName
RetentionDays
OverflowAction – OverwriteOlder | OverwriteAsNeeded | DoNotOverwrite
MaximumSize
[/sourcecode]
For an example environment I want to configure the main Windows Event Logs to 100MB and have each log overwrite its oldest events as needed so it stays at 100MB. Three of the above parameters are enough to do this:

LogName – specifies which log to change. It is required.
OverflowAction – specifies what happens when the log reaches MaximumSize. OverwriteAsNeeded discards the oldest events to make room; OverwriteOlder only discards events older than RetentionDays and otherwise stops writing; DoNotOverwrite stops recording new events once the log is full. For troubleshooting and investigations the last two are the worst outcome, because the events you lose are the newest ones.
MaximumSize – the maximum size of the log named with LogName, in bytes. Caveat: the value must be a multiple of 64 KB, because the underlying EventLog class rejects anything else. 100 MB is 102400 KB, which qualifies; the 100032 KB used below is also a multiple of 64 KB and lands just under 100 MB.

For a sample setup, the IT manager would like each server's three core Event Logs set to 100MB and configured as rolling logs, where newer events overwrite older ones. On a single server we can plug the log name, maximum size and overflow action into three calls of the same cmdlet:
[sourcecode language=”powershell”]
Limit-EventLog -LogName Application -MaximumSize 100032Kb -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName System -MaximumSize 100032Kb -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Security -MaximumSize 100032Kb -OverflowAction OverwriteAsNeeded
[/sourcecode]
Now if we want to apply this to a group of servers, we can use a CSV file and a Foreach loop to apply these settings en masse. The CSV needs a header row with a column named Server and one server name per line:
[sourcecode language=”powershell”]
# Servers.csv: header row "Server", one server name per line
$CSV = Import-Csv 'Servers.csv'
Foreach ($Line in $CSV) {
    $Server = $Line.Server
    # Same three settings as the single-server example, applied remotely
    Limit-EventLog -ComputerName $Server -LogName Application -MaximumSize 100032Kb -OverflowAction OverwriteAsNeeded
    Limit-EventLog -ComputerName $Server -LogName System -MaximumSize 100032Kb -OverflowAction OverwriteAsNeeded
    Limit-EventLog -ComputerName $Server -LogName Security -MaximumSize 100032Kb -OverflowAction OverwriteAsNeeded
}
[/sourcecode]
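As an added example (this is not code from the original article), the following function wraps the same Limit-EventLog calls in a small, repeatable policy: it takes one or many computer names, rounds each requested size up to the 64 KB granularity the cmdlet requires, changes only logs that differ from the policy, supports -WhatIf, and reads the settings back with Get-EventLog -List so the result is verified rather than assumed. The function name, the per-log defaults (including a larger Security log) and the Servers.csv layout are my assumptions; it needs Windows PowerShell 5.1, because the *-EventLog cmdlets are absent from PowerShell 7.

```powershell
# Added example, not from the original article.
# Assumes Windows PowerShell 5.1 (the *-EventLog cmdlets are not in PowerShell 7),
# local administrator rights on each target, and RPC reachability for remote targets.
function Set-CoreEventLogPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,

        # Desired maximum size per log, in bytes. Security is larger by default (my choice):
        # it is the log an investigator needs most, and a noisy audit policy fills it fastest.
        [hashtable]$MaximumSize = @{ Application = 100MB; System = 100MB; Security = 512MB },

        [ValidateSet('OverwriteAsNeeded', 'OverwriteOlder', 'DoNotOverwrite')]
        [string]$OverflowAction = 'OverwriteAsNeeded'
    )

    # Limit-EventLog only accepts sizes that are a multiple of 64 KB, so round each
    # request up once here instead of failing on the underlying EventLog class.
    $target = @{}
    foreach ($logName in $MaximumSize.Keys) {
        $target[$logName] = [int64][math]::Ceiling([int64]$MaximumSize[$logName] / 64KB) * 64KB
    }

    foreach ($server in $ComputerName) {
        # Read current settings first, so we only touch logs that actually differ from policy.
        $current = @{}
        Get-EventLog -List -ComputerName $server |
            Where-Object { $target.ContainsKey($_.Log) } |
            ForEach-Object { $current[$_.Log] = $_ }

        foreach ($logName in $target.Keys) {
            $log = $current[$logName]
            $compliant = ($log -and
                          ([int64]$log.MaximumKilobytes * 1KB -eq $target[$logName]) -and
                          ("$($log.OverflowAction)" -eq $OverflowAction))
            if ($compliant) { continue }

            $sizeMB = $target[$logName] / 1MB
            if ($PSCmdlet.ShouldProcess("$server\$logName", "Set maximum size $sizeMB MB, $OverflowAction")) {
                Limit-EventLog -ComputerName $server -LogName $logName `
                               -MaximumSize $target[$logName] -OverflowAction $OverflowAction
            }
        }

        # Read the configuration back instead of trusting that the cmdlet returned without error.
        Get-EventLog -List -ComputerName $server |
            Where-Object { $target.ContainsKey($_.Log) } |
            ForEach-Object {
                $ok = ([int64]$_.MaximumKilobytes * 1KB -eq $target[$_.Log]) -and ("$($_.OverflowAction)" -eq $OverflowAction)
                [pscustomobject]@{
                    ComputerName   = $server
                    Log            = $_.Log
                    MaximumMB      = [math]::Round($_.MaximumKilobytes / 1KB, 2)
                    OverflowAction = "$($_.OverflowAction)"
                    Compliant      = $ok
                }
            }
    }
}

# Preview the changes on one server without applying them:
#   Set-CoreEventLogPolicy -ComputerName SRV01 -WhatIf
# Apply to every server in Servers.csv (header row: Server), as in the loop above:
#   Set-CoreEventLogPolicy -ComputerName (Import-Csv .\Servers.csv).Server | Format-Table
```

The readback at the end is the part worth keeping even if you discard the rest: Limit-EventLog returns nothing on success, so the only way to know a fleet is actually configured the way the IT manager asked is to query the logs afterwards and report the ones that are not compliant.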
100 MB is a reasonable starting point rather than a universal answer. The classic cmdlets accept sizes up to 4 GB per log (the range of the underlying MaximumKilobytes property), and a modern Windows OS (as of 2018) supports up to 16 GB. For your own environment there could be other factors at play in how a server's Event Logs should be sized:

  • Do you use centralized logging (Windows Event Forwarding or a SIEM)? If a forwarded copy exists, the local log only needs to cover the window until the collector has the events, plus whatever an on-box triage needs.
  • Is 100 MB sufficient for troubleshooting, or are events being overwritten within a day or 12 hours, leaving too little history to diagnose server issues?
  • For the Security log specifically, how many days must an investigator be able to reconstruct locally? A small rolling Security log lets an attacker push evidence out of it simply by generating noise, so size it larger than the other two and forward it.
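To answer the sizing questions above with measurements instead of a guess, here is an added example (not from the original article) that uses Get-WinEvent to work out how many days a log currently covers, the observed growth rate, and the maximum size that a target retention period would need at that rate, rounded up to the 64 KB granularity Limit-EventLog accepts. The function name and the 30-day default are my assumptions; reading the Security log requires administrator rights.

```powershell
# Added example, not from the original article.
# Assumes it runs as a local administrator (needed to read the Security log);
# Get-WinEvent is available in Windows PowerShell 5.1 and PowerShell 7 alike.
function Get-EventLogRetentionEstimate {
    param(
        [string]$LogName = 'Security',
        # Days of history an investigator should be able to pull from the local log
        # before having to fall back to the SIEM copy. 30 is my assumption.
        [int]$TargetDays = 30
    )

    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    if ($log.RecordCount -lt 2) {
        throw "Log '$LogName' has too few records to estimate a growth rate."
    }

    # The oldest and newest records still on disk bound the window the log covers right now.
    $oldest  = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop
    $newest  = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop
    $covered = $newest.TimeCreated - $oldest.TimeCreated
    if ($covered.TotalSeconds -le 0) {
        throw "Timestamps in '$LogName' do not span a usable interval."
    }

    # Average growth over the covered window. If the log has not wrapped yet the rate is
    # only a lower bound for a busy server, so report that alongside the estimate.
    $bytesPerDay = $log.FileSize / $covered.TotalDays
    $wrapped     = $log.FileSize -ge ($log.MaximumSizeInBytes * 0.95)

    # Size needed for TargetDays at the observed rate, rounded up to a multiple of 64 KB
    # so the value can be passed straight to Limit-EventLog -MaximumSize.
    $needed = [int64][math]::Ceiling(($bytesPerDay * $TargetDays) / 64KB) * 64KB

    [pscustomobject]@{
        LogName           = $LogName
        LogMode           = $log.LogMode
        MaximumMB         = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentMB         = [math]::Round($log.FileSize / 1MB, 1)
        Records           = $log.RecordCount
        OldestEvent       = $oldest.TimeCreated
        NewestEvent       = $newest.TimeCreated
        DaysCovered       = [math]::Round($covered.TotalDays, 2)
        HasWrapped        = $wrapped
        MBPerDay          = [math]::Round($bytesPerDay / 1MB, 2)
        NeededMBForTarget = [math]::Round($needed / 1MB, 1)
        Sufficient        = ($log.MaximumSizeInBytes -ge $needed)
    }
}

# Usage:
#   Get-EventLogRetentionEstimate -LogName Security -TargetDays 30
#   'Application', 'System', 'Security' | ForEach-Object { Get-EventLogRetentionEstimate -LogName $_ } | Format-Table
```

Run it on a representative busy server, not a quiet one: the DaysCovered figure on a domain controller or an RDS host is usually the number that decides whether 100 MB is acceptable for the Security log, and a HasWrapped value of False means the server has not been up long enough for the estimate to be trusted yet.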

Additional Event Logs, such as the Exchange-specific ones on a Windows Server 2019 machine with Exchange installed, can be listed with 'Get-EventLog -List'. The output also shows each log's current maximum size (Max(K)), retention days and overflow action, which makes it the quickest way to verify the settings applied above.

In summary, event log sizes can be changed with PowerShell and should be sized and customized for your environment. Instead of running Limit-EventLog by hand, you can also enforce the setting with Desired State Configuration (DSC), as outlined by the Scripting Guys blog.
