Windows logs and Applications logs

Every Windows version ships with built-in event logs. They are very useful to debug a problem or to audit an application, and you can view them with Event Viewer (eventvwr.msc). There are two families:

  • the Windows logs (Application, Security, Setup, System, Forwarded Events)
  • the Applications logs, which depend on the applications/roles installed (for example Directory Service or DNS Server on a domain controller)

Every log has a maximum size (the default for Security is 20 MB, for example). Once that size is reached, the oldest events are overwritten, which is very bad when you need them later for debugging or an investigation!

You can configure these settings per log with right-click > Properties in Event Viewer, or through GPO (more on that later in this article):

  • Maximum log size (KB): a value between 1024 (1 MB) and 4194240 (4 GB) that must also be a multiple of 64 KB. Note that on recent Windows versions the upper limit appears to have been raised to 2 TB.
  • Retention:
    • Overwrite events as needed: the default; the oldest events are overwritten by the newest ones.
    • Archive the log when full, do not overwrite events: when the log is full it is saved as an archive file in the same folder as the live log (by default %SystemRoot%\System32\Winevt\Logs) and a fresh, empty log is started. Nothing is lost, but the archive files keep growing until you delete them.
    • Do not overwrite events (Clear logs manually): as the name says, events are NEVER overwritten. Once the maximum size is reached, no new event is written until someone clears the log, so everything that happens in the meantime is silently lost. Be careful with this setting.

Logs settings path in the registry

The settings of the classic logs (Application, Security, System and the role logs such as Directory Service or DNS Server) are located in HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>. The newer "Applications and Services Logs" channels (Microsoft-Windows-*/Operational and friends) keep the equivalent settings under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<ChannelName> instead; everything below applies to the classic keys.

You can set many values (the full list is on the Microsoft site). The most useful ones are in the table below. Note that the registry MaxSize is in bytes, whereas the Event Viewer GUI shows KB.

Name                Type    Value
MaxSize             DWORD   Log size in bytes. Must be between 1048576 (1 MB) and 4294901760 (4194240 KB, just under 4 GB) and a multiple of 65536 (64 KB). A non-compliant value is ignored and the log falls back to its default size.
AutoBackupLogFiles  DWORD   0: no archive; 1: archive the log when full (only honoured when Retention is also 0xFFFFFFFF).
Retention           DWORD   0: overwrite events as needed; 0xFFFFFFFF: never overwrite. The GUI sets 0xFFFFFFFF for both "archive the log when full" and "do not overwrite events".
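As an added example (not code from the original article), here is how to write these three values with PowerShell instead of Group Policy Preferences, with the range and 64 KB checks built in. It assumes an elevated Windows PowerShell 5.1 session on the target host; the function and parameter names are mine.

```powershell
# Added example: configure a classic event log (Application, System, Security,
# Directory Service, DNS Server, ...) by writing the same registry values that
# the Group Policy Preferences items in this article write.
# Assumption: run elevated, in Windows PowerShell 5.1, on the target host.

function Set-ClassicEventLogConfig {
    param(
        [Parameter(Mandatory)] [string] $LogName,        # e.g. 'Directory Service', 'Security'
        [Parameter(Mandatory)] [long]   $MaximumSizeKB,  # same unit as the Event Viewer GUI field
        [ValidateSet('OverwriteAsNeeded', 'ArchiveWhenFull', 'DoNotOverwrite')]
        [string] $Retention = 'OverwriteAsNeeded'
    )

    # Same constraints as the GUI: 1024 KB .. 4194240 KB, in 64 KB steps.
    # A value outside these bounds is ignored and the default size comes back.
    if ($MaximumSizeKB -lt 1024 -or $MaximumSizeKB -gt 4194240) {
        throw "MaximumSizeKB must be between 1024 and 4194240, got $MaximumSizeKB"
    }
    if ($MaximumSizeKB % 64 -ne 0) {
        throw "MaximumSizeKB must be a multiple of 64, got $MaximumSizeKB"
    }

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    if (-not (Test-Path -LiteralPath $key)) {
        throw "'$LogName' is not a classic log on this host (no key $key); newer channels live under ...\WINEVT\Channels"
    }

    # The registry MaxSize is in BYTES while the GUI shows KB. Sizes above 2 GB do not
    # fit a signed Int32, so reinterpret the UInt32 bit pattern (4194240 KB -> 0xFFFF0000)
    # before handing it to the DWord writer, which only accepts Int32.
    [uint32] $maxSizeBytes = $MaximumSizeKB * 1024
    $maxSizeDword = [BitConverter]::ToInt32([BitConverter]::GetBytes($maxSizeBytes), 0)

    # What the three Event Viewer radio buttons write:
    #   Overwrite events as needed : Retention = 0           AutoBackupLogFiles = 0
    #   Archive the log when full  : Retention = 0xFFFFFFFF  AutoBackupLogFiles = 1
    #   Do not overwrite events    : Retention = 0xFFFFFFFF  AutoBackupLogFiles = 0
    $autoBackup = if ($Retention -eq 'ArchiveWhenFull')   { 1 } else { 0 }
    $keep       = if ($Retention -eq 'OverwriteAsNeeded') { 0 } else { -1 }   # -1 is 0xFFFFFFFF as a DWord

    Set-ItemProperty -LiteralPath $key -Name MaxSize            -Value $maxSizeDword -Type DWord
    Set-ItemProperty -LiteralPath $key -Name AutoBackupLogFiles -Value $autoBackup   -Type DWord
    Set-ItemProperty -LiteralPath $key -Name Retention          -Value $keep         -Type DWord

    # Read the raw values back (Windows PowerShell shows DWords above 2 GB as negative Int32).
    Get-ItemProperty -LiteralPath $key -Name MaxSize, AutoBackupLogFiles, Retention |
        Select-Object MaxSize, AutoBackupLogFiles, Retention
}

# Directory Service log (domain controllers only) at 1 GB = 1048576 KB, archived when full.
Set-ClassicEventLogConfig -LogName 'Directory Service' -MaximumSizeKB 1048576 -Retention ArchiveWhenFull

# Rejected: 4194240000 KB is out of range, and 1000000 KB is not a multiple of 64.
# Set-ClassicEventLogConfig -LogName 'Security' -MaximumSizeKB 1000000
```

`Get-WinEvent -ListLog 'Directory Service'` shows the result the way the Event Log service sees it (MaximumSizeInBytes, and LogMode = Circular, AutoBackup or Retain), which is the quickest way to confirm that the three values are consistent with each other.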

Configure Windows logs with GPO

Group Policy manages the Windows logs under Computer Configuration/Administrative Templates/Windows Components/Event Log Service, with one subfolder per log (Application, Security, Setup, System) holding the settings "Specify the maximum log file size (KB)", "Back up log automatically when full" and "Control Event Log behavior when the log file reaches its maximum size".

... But wait, where are the Applications logs? Keep reading :).

Configure Applications logs with Group Policy Preferences

The Applications logs have no Administrative Template, so you configure them by pushing the registry values described above with Group Policy Preferences.

In the GPO, go to Computer Configuration/Preferences/Windows Settings/Registry and add one Registry item per value.

In the example below, I want to increase the size of the Directory Service log and archive the old logs in case I need them (well, you know, these logs are useful to find applications that still do unsigned LDAP binds: once LDAP interface event diagnostics are enabled, the domain controller records each one as event ID 2889 in this log).

⚠️
Note: the registry items below do not delete anything; they turn on automatic archiving (the AutoBackupLogFiles setting). The archive files therefore keep accumulating and can fill up the disk within a few days, depending on the event volume. Once you have analyzed the logs, restore the initial configuration or disable/delete the corresponding GPO, and remove the archives you no longer need.

Registry item to raise the Directory Service log size to about 1 GB:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
  • Value name: MaxSize
  • Value type: REG_DWORD
  • Value Data: 3E800000 hexadecimal (= 1048576000 bytes, shown as 1024000 KB in Event Viewer; a multiple of 64 KB, as required)

Registry item to archive the log when full (when the log reaches its maximum size, the system saves it as an archive file and starts a new one instead of overwriting old events):

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
  • Value name: AutoBackupLogFiles
  • Value type: REG_DWORD
  • Value Data: 1

The Event Viewer radio button "Archive the log when full" sets Retention at the same time, and the Event Log API only accepts AutoBackup together with Retention, so add a third item for it:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
  • Value name: Retention
  • Value type: REG_DWORD
  • Value Data: FFFFFFFF hexadecimal

Wait for the Group Policy refresh (every 5 minutes on domain controllers, every 90 minutes plus a random offset of up to 30 minutes on other computers) or run gpupdate /force.
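The same change made through the Event Log API on a single domain controller, plus the verification and rollback the warning above calls for, as an added example that is not part of the original article. It assumes an elevated Windows PowerShell session on a domain controller (the Directory Service log only exists there) and uses the System.Diagnostics.Eventing.Reader.EventLogConfiguration object returned by Get-WinEvent -ListLog; the function names are mine.

```powershell
# Added example: size/retention change via the Event Log API (immediate, no GPO
# refresh), archive growth check, and exact rollback. Assumes an elevated session
# on a domain controller; function names are my own.

function Set-EventLogMode {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [long]   $MaximumSizeBytes,   # must be a multiple of 64 KB
        # Circular = overwrite as needed, AutoBackup = archive when full, Retain = do not overwrite
        [Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogMode] $LogMode
    )
    # EventLogConfiguration is the object Event Viewer's Properties dialog edits.
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $cfg.MaximumSizeInBytes = $MaximumSizeBytes
    $cfg.LogMode = $LogMode
    $cfg.SaveChanges()   # persists to the registry and applies right away
    Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes, LogMode
}

function Get-ArchivedLogUsage {
    param([Parameter(Mandatory)] [string] $LogName)
    $logDir = Join-Path $env:SystemRoot 'System32\Winevt\Logs'
    # AutoBackup writes "Archive-<LogName>-<yyyy-MM-dd-HH-mm-ss-fff>.evtx" next to the live log.
    $archives = @(Get-ChildItem -LiteralPath $logDir -Filter "Archive-$LogName-*.evtx" -File -ErrorAction SilentlyContinue)
    $sum   = ($archives | Measure-Object -Property Length -Sum).Sum
    $drive = Get-PSDrive -Name ($env:SystemDrive).Substring(0, 1)
    [pscustomobject]@{
        LogName      = $LogName
        ArchiveCount = $archives.Count
        ArchiveGB    = [math]::Round([double]$sum / 1GB, 2)
        OldestFile   = if ($archives) { ($archives | Sort-Object LastWriteTime)[0].Name } else { $null }
        FreeDiskGB   = [math]::Round($drive.Free / 1GB, 2)   # archives live on the system drive
    }
}

# 1. Record the current state so it can be restored exactly, rather than from memory.
$before = Get-WinEvent -ListLog 'Directory Service' | Select-Object LogName, MaximumSizeInBytes, LogMode

# 2. During the investigation: 1 GB (1048576 KB in the GUI), archived when full.
Set-EventLogMode -LogName 'Directory Service' -MaximumSizeBytes 1GB -LogMode AutoBackup

# 3. Re-run this from time to time: the archives grow until the disk is full.
Get-ArchivedLogUsage -LogName 'Directory Service'

# 4. When done: put the original size and mode back, then delete the archives you
#    have already copied elsewhere (drop -WhatIf once you are sure).
Set-EventLogMode -LogName 'Directory Service' -MaximumSizeBytes $before.MaximumSizeInBytes -LogMode $before.LogMode
Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32\Winevt\Logs') -Filter 'Archive-Directory Service-*.evtx' |
    Remove-Item -WhatIf
```

Because SaveChanges() writes the same registry values the GPP items do, a GPO that still pushes MaxSize/AutoBackupLogFiles/Retention will overwrite this rollback at the next refresh; that is why the note above says to disable or delete the GPO as well.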

Some size examples (the GUI field is in KB, the registry MaxSize in bytes, i.e. KB x 1024):

  • 1 GB: 1048576 KB in the Event Viewer GUI = 1073741824 bytes (40000000 hexadecimal) in MaxSize
  • 2 GB: 2097152 KB in the GUI = 2147483648 bytes (80000000 hexadecimal) in MaxSize
  • 4 GB: 4194240 KB in the GUI (the maximum) = 4294901760 bytes (FFFF0000 hexadecimal) in MaxSize

All of these are multiples of 64 KB; the 3E800000 value used above is the slightly smaller 1024000 KB. A byte count that is not a multiple of 64 KB (4194240000, for instance) is ignored and the log goes back to its default size.

Bastien Perez, Freelance Microsoft 365 - Active Directory - Modern Workplace, France