Re: Event Log Settings



"Retain X days" is a crazy setting and you should avoid it.

If your policy is "retain X days", then when the log fills and a new event
occurs, it will overwrite events older than X days. If there are no events
older than X days in the log, the NEW event will be thrown away. You will
likely see gaps all over your log.

"Overwrite as needed" or "Clear manually" are the best options. "Clear
manually" is best with CrashOnAuditFail (if you are serious about not losing
events) or AutoBackupLogFiles.

Best regards,
Eric


--
This information is provided "AS-IS" with no warranty, and confers no
rights.


"Seeker" <newsgroups@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FCSug.118$uH6.36@xxxxxxxxxxxxxxxxxxxxxxx
In Group Policy, I have these defined:

Maximum security log size: 81920
Retain security log: 7 days (<-- overwrite events older than)
Retention method for security log: As needed (<-- overwrite events as needed. The other two options are 'Overwrite events by days' and 'Do not overwrite events')

So what happens if the security log grows to be 8200kb but is more than
7 days old? Does 'as needed' apply to wrapping the events based on
maximum log size, while 'Overwrite events older than 7 days' only
applies if 'Retention method for security logs' is set to 'Overwrite
events by days'?


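The gap behaviour described in the reply above, as an added simulation that is not part of the original thread and is not Windows code. It assumes the log limit is counted in records rather than KB and that events arrive at a constant rate; `EventLog`, `simulate` and the policy names are hypothetical.

```python
"""Toy model of the three retention methods (added example, not Windows code)."""
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class EventLog:
    capacity: int          # assumption: size limit counted in records, not KB
    policy: str            # "as_needed", "by_days" or "manual"
    retain_days: int = 7
    records: list = field(default_factory=list)   # timestamps, oldest first
    dropped: list = field(default_factory=list)   # timestamps never written

    def write(self, ts: int) -> bool:
        """Try to record an event at time ts; return False if it is lost."""
        if len(self.records) >= self.capacity:
            oldest = self.records[0]
            expired = ts - oldest > self.retain_days * DAY
            if self.policy == "as_needed" or (self.policy == "by_days" and expired):
                self.records.pop(0)        # overwrite the oldest record
            else:
                self.dropped.append(ts)    # full and nothing may be overwritten
                return False
        self.records.append(ts)
        return True


def simulate(policy, capacity=100, retain_days=7, events_per_day=50, days=10):
    """Feed a constant event rate (constructed input) into a log."""
    log = EventLog(capacity, policy, retain_days)
    step = DAY // events_per_day
    for i in range(events_per_day * days):
        log.write(i * step)
    return log


if __name__ == "__main__":
    for policy in ("as_needed", "by_days", "manual"):
        log = simulate(policy)
        print(f"{policy:10} kept={len(log.records):3} lost={len(log.dropped):3} "
              f"newest kept event: day {log.records[-1] / DAY:.1f}")
```

With these constructed numbers the "by_days" log loses 300 of the 500 events in two separate gaps, while "as_needed" loses none and always holds the most recent 100.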