Re: Event Log Settings



"Retain X days" is a crazy setting and you should avoid it.

If your policy is "retain X days", then when the log fills and a new event
occurs, it will overwrite events older than X days. If there are no events
older than X days in the log, the NEW event will be thrown away. You will
likely see gaps all over your log.

"Overwrite as needed" or "Clear manually" are the best options. "Clear
manually" is best with CrashOnAuditFail (if you are serious about not losing
events) or AutoBackupLogFiles.

Best regards,
Eric


--
This information is provided "AS-IS" with no warranty, and confers no
rights.


"Seeker" <newsgroups@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FCSug.118$uH6.36@xxxxxxxxxxxxxxxxxxxxxxx
In Group Policy, I have these defined:

Maximum security log size            81920
Retain security log                  7 days (<-- overwrite events older than)
Retention method for security log    As needed (<-- overwrite events as needed. The other two options are 'Overwrite events by days' and 'Do not overwrite events')

So what happens if the security log grows to be 8200kb but is more than
7 days old? Does 'as needed' apply to wrapping the events based on
maximum log size, while 'Overwrite events older than 7 days' only
applied if 'Retention method for security logs' is set to 'Overwrite
events by days'?
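
Added example (not part of the original thread, and not Windows code): a small Python model of the behaviour described in the reply above, replaying a constructed workload into a fixed-size log under each retention method. The function names, policy labels and event counts are assumptions made for the illustration; "manual" models "Clear manually" without CrashOnAuditFail or AutoBackupLogFiles.

```python
from collections import deque

def simulate(events, capacity, policy, retain_days=7):
    """Replay (event_id, day) pairs into a fixed-size log.

    Returns (retained, lost): the ids left in the log, and the ids of new
    events that were thrown away because nothing could be overwritten.
    """
    log, lost = deque(), []
    for event_id, day in events:
        if len(log) >= capacity:                      # log is full
            oldest_day = log[0][1]
            if policy == "as_needed":
                log.popleft()                         # always evict the oldest
            elif policy == "by_days" and day - oldest_day > retain_days:
                log.popleft()                         # oldest is past retention
            elif policy in ("by_days", "manual"):
                lost.append(event_id)                 # no room: NEW event is dropped
                continue
            else:
                raise ValueError(f"unknown policy: {policy}")
        log.append((event_id, day))
    return [e for e, _ in log], lost

def gaps(ids):
    """Return (last_seen, next_seen) pairs where consecutive ids are missing."""
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]

# Constructed workload: 10 events per day for 10 days, ids 0..99.
EVENTS = [(d * 10 + i, d) for d in range(10) for i in range(10)]

if __name__ == "__main__":
    for policy in ("by_days", "as_needed", "manual"):
        kept, lost = simulate(EVENTS, capacity=30, policy=policy)
        print(f"{policy:10} kept {kept[0]}..{kept[-1]} "
              f"lost {len(lost)} gaps {gaps(kept)}")
```

With a log that holds three days of events and a 7-day retention, the "by_days" run keeps the oldest events, silently drops five days of new ones, and leaves a hole in the middle of the retained log; "as_needed" keeps a contiguous window of the most recent events.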

