Windows logs and Applications and Services logs
Every Windows version ships with built-in event logs. They are very useful to debug a problem or to audit some applications. You can view them with Event Viewer (eventvwr.msc).
The Windows logs (Application, Security, Setup, System and Forwarded Events):
The Applications and Services logs. Which of these exist depends on the applications and roles installed (a domain controller has a Directory Service log, for example):
Every log is configured with a maximum size (the default for Security, for example, is 20 MB). Once this size is reached, the oldest events are removed, which is very bad for debugging!
You can configure these settings with right-click > Properties on a log, or through GPO (more on that later in this article):
- Maximum log size (KB): a value between 1024 (1 MB) and 4194240 (4 GB minus 64 KB). It must also be a multiple of 64 KB.
- Overwrite events as needed: the default setting; the oldest events are overwritten by the newest.
- Archive the log when full: when the log is full it is saved as an archive file (Archive-<LogName>-<timestamp>.evtx) in the same folder as the live log, by default %SystemRoot%\System32\Winevt\Logs, and a new empty log is started. Archive files are never deleted automatically.
- Do not overwrite events: as the name says, events are NEVER overwritten. Once the maximum log size is reached, no new events are written until the log is cleared manually, so be careful with this setting.
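To see how close each log on a machine is to its ceiling, and which of the three behaviours above it is set to, the following PowerShell snippet is added here as an example (it is not part of the original article). It uses only `Get-WinEvent -ListLog`; the 80 % threshold is an arbitrary choice.

```powershell
# Added example (not from the original article): audit every event log on the
# local machine for size, limit and full-log behaviour. Run from an elevated
# prompt, otherwise the Security log (and some others) cannot be opened.

# LogMode maps to the three options in the Properties dialog:
#   Circular   = "Overwrite events as needed"
#   AutoBackup = "Archive the log when full"
#   Retain     = "Do not overwrite events"
$threshold = 80   # flag logs at or above 80 % of their maximum (arbitrary choice)

$report = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.MaximumSizeInBytes -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            LogName     = $_.LogName
            SizeMB      = [math]::Round($_.FileSize / 1MB, 1)
            MaxMB       = [math]::Round($_.MaximumSizeInBytes / 1MB, 1)
            PercentFull = [math]::Round(100 * $_.FileSize / $_.MaximumSizeInBytes)
            LogMode     = $_.LogMode
            Records     = $_.RecordCount
            Path        = $_.LogFilePath
        }
    }

# Logs about to lose data: nearly full and either circular (oldest events
# overwritten) or Retain (new events refused once the log is full).
$report |
    Where-Object { $_.PercentFull -ge $threshold -and $_.LogMode -ne 'AutoBackup' } |
    Sort-Object PercentFull -Descending |
    Format-Table LogName, SizeMB, MaxMB, PercentFull, LogMode, Records -AutoSize

# Logs set to "Do not overwrite events" deserve a look regardless of fill level:
# once full they silently stop recording.
$report |
    Where-Object { $_.LogMode -eq 'Retain' } |
    Format-Table LogName, MaxMB, PercentFull -AutoSize
```

`RecordCount` next to `PercentFull` tells you how many events actually fit in the current limit; a busy log that wraps in a few hours is the first candidate for a bigger `MaxSize` or for archiving.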
Log settings path in the registry
The settings of the classic logs are located in the registry under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>, for example HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security or HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service. Note that the newer Applications and Services logs of the Microsoft-Windows-* kind keep their settings under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<ChannelName> instead.
Many values can be set there (the full list is on the Microsoft site); the most useful ones are in the table below.
| Value name | Type | Meaning |
|---|---|---|
| MaxSize | DWORD | Maximum log size in bytes (the Properties dialog shows KB). Must be a multiple of 64 KB (65536); the dialog accepts 1024 KB (1 MB) to 4194240 KB (4 GB minus 64 KB). Any non-compliant value in the registry resets the setting to the log's default. |
| AutoBackupLogFiles | DWORD | 0: do not archive. 1: *Archive the log when full* (the full log is saved as an archive file and a new log is started). |
Configure Windows logs with GPO
The GPO provides a way to manage these settings in Computer Configuration/Administrative Templates/Windows Components/Event Log Service. It has one subfolder per Windows log (Application, Security, Setup, System) with policies such as "Specify the maximum log file size (KB)" and "Back up log automatically when full".
"But wait, where are the Applications and Services logs?" Keep reading :).
Configure Applications and Services logs with Group Policy Preferences
These logs can also be configured centrally, but there is no administrative template for them: you have to write the registry values with Group Policy Preferences.
To configure the Group Policy Preferences, go to Computer Configuration/Preferences/Windows Settings/Registry and create one registry item per value.
In the example below, I want to increase the size of the Directory Service log and archive the oldest events in case I need them later (these logs are useful, for example, to audit applications that use unsigned LDAP binds).
Writer note: bear in mind that the example presented here does NOT delete the archived logs, so your disk can fill up in days, depending on the volume of events. Once you are done with the logs, roll back the settings or disable/delete the GPO.
- Action: Update
- Hive: HKEY_LOCAL_MACHINE
- Key Path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
- Value name: MaxSize
- Value type: REG_DWORD
- Value Data: 3E800000 (hexadecimal) = 1048576000 bytes = 1000 MB, roughly 1 GB (note that MaxSize is in bytes, not KB)
A second registry item enables archiving:
- Action: Update
- Hive: HKEY_LOCAL_MACHINE
- Key Path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
- Value name: AutoBackupLogFiles
- Value type: REG_DWORD
- Value Data: 1
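The two registry values from the table above can also be written with PowerShell, which is handy for a one-off change or to check exactly what the two GPP items above write. The following function is added here as an example (it is not the article's own code); the name Set-ClassicEventLogLimit is made up for this example. It applies the constraints from the registry table (bytes, multiple of 64 KB, 1024 KB to 4194240 KB) and handles the one trap of writing a size above 2 GB as a REG_DWORD.

```powershell
# Added example (not from the original article): write MaxSize and
# AutoBackupLogFiles for a classic event log directly in the registry, with
# the same constraints as the Properties dialog. Run from an elevated prompt.
# Set-ClassicEventLogLimit is a name chosen for this example.

function Set-ClassicEventLogLimit {
    param(
        [Parameter(Mandatory)] [string] $LogName,     # e.g. 'Directory Service' (domain controllers only)
        [Parameter(Mandatory)] [int]    $MaxSizeMB,
        [switch] $ArchiveWhenFull                     # 1 = "Archive the log when full"
    )

    # The registry stores MaxSize in BYTES; the Properties dialog shows KB.
    [uint64] $bytes    = [uint64] $MaxSizeMB * [uint64] 1MB
    [uint64] $minBytes = [uint64] 1024KB      # 1 MB, lower bound of the dialog
    [uint64] $maxBytes = [uint64] 4194240KB   # 4 GB - 64 KB = 0xFFFF0000, upper bound of the dialog

    if ($bytes -lt $minBytes -or $bytes -gt $maxBytes) {
        throw "MaxSize must be between 1024 KB and 4194240 KB; got $MaxSizeMB MB"
    }
    if (($bytes % [uint64] 64KB) -ne 0) {
        throw "MaxSize must be a multiple of 64 KB; got $bytes bytes"
    }

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    if (-not (Test-Path $key)) { throw "No classic log named '$LogName' on this host" }

    # REG_DWORD is a 32-bit value, but PowerShell hands it to the registry as a
    # signed Int32, so sizes of 2 GB and above must be reinterpreted bit-for-bit
    # (0xFFFF0000 would otherwise fail the Int32 conversion).
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32] $bytes), 0)

    Set-ItemProperty -Path $key -Name MaxSize            -Value $dword -Type DWord
    Set-ItemProperty -Path $key -Name AutoBackupLogFiles -Value ([int][bool] $ArchiveWhenFull) -Type DWord

    # Read the result back through the Event Log API rather than the registry, so
    # we see what the service actually uses (LogMode AutoBackup = archive when full).
    # If the values have not changed, the service has not picked up the edit yet.
    Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes, LogMode
}

# The size used in the GPP example above, 1000 MB, expressed as hexadecimal bytes:
'{0:X8}' -f (1000 * 1MB)

# Example call, equivalent to the two GPP registry items above:
# Set-ClassicEventLogLimit -LogName 'Directory Service' -MaxSizeMB 1000 -ArchiveWhenFull
```

The last format string prints the same value the GPP item carries (3E800000), which is a quick way to produce the hexadecimal Value Data for any other size. Writing the registry directly bypasses Group Policy, so a GPO that manages the same value will overwrite it at the next refresh; use it for a quick change or a check, and the GPP item for anything permanent.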
Wait for the Group Policy refresh (5 minutes on domain controllers; 90 minutes plus a random offset of up to 30 minutes on other computers) or run gpupdate /force.
Here is the result in the log's Properties dialog after the GPO has been applied: