Bethanie


Retention of Windows server event logs - Precedence of Windows 2008 settings?

We need to know which GPO setting takes precedence for retention of Windows server event logs?

As per TechNet article http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx
The Windows settings in Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service take precedence over the Windows 2003 settings in Computer Configuration\Policies\Windows Settings\Security Settings\Event Log. Therefore, if we configure the settings as below, according to this precedence rule, the log size will overrule the time rule. What happens therefore if the log reaches its maximum retention time, e.g. 90 days, before it reaches the maximum size? Will the log be overwritten as per size settings, or will the Windows 2008 size setting take precedence and continue to grow the log until the maximum size?

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service (Windows 2008 settings)
Maximum log size - Enable and set according to MS recommendations http://support.microsoft.com/kb/957662
Backup log automatically when full – Enable (Event Log file is automatically closed and renamed when it is full. A new file is then started)
Retain Old Events (Enable - When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost)

Computer Configuration\Policies\Windows Settings\Security Settings\Event Log (Windows 2003 settings)
Maximum Application Log Size (not defined)
Maximum Security Log Size (not defined)
Maximum System Log Size (not defined)
Retain Application Log for 365 Days
Retain Security Log for 90 Days
Retain System Log for 90 Days
ASKER CERTIFIED SOLUTION
Krzysztof Pytko
This solution is only available to members.
Rhys Cleverly

Hi,

I understand the above; however, I am curious as to how you would work out days by retention on the new settings. Do you calculate by amount of events * size * days to work out the maximum size?

I effectively need to save these log files for 90 days, and the new way of doing this doesn't make it clear, I'm afraid.

Many thanks

Rhys
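
Added example, not part of the original thread or any answer in it: one way to approach the sizing question in the last comment is to measure how fast each log currently grows and project that rate onto the 90-day target. The function name `Get-LogRetentionEstimate` is hypothetical, and the projection assumes the recent event rate is representative; reading the Security log requires an elevated session.

```powershell
# Added example: estimate how many days of events fit under the size limit.
# Assumption: the event rate seen in the live log continues unchanged.
function Get-LogRetentionEstimate {
    param(
        [string[]]$LogName = @('Application', 'Security', 'System'),
        [int]$TargetDays = 90   # retention target taken from the thread
    )
    foreach ($name in $LogName) {
        # Effective configuration: LogMode is Circular (overwrite as needed),
        # AutoBackup (archive when full) or Retain (stop writing when full).
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop

        # Oldest record still present in the live log file.
        $oldest = Get-WinEvent -LogName $name -MaxEvents 1 -Oldest `
                      -ErrorAction SilentlyContinue
        if (-not $oldest -or -not $log.FileSize) {
            Write-Warning "${name}: no events available to measure."
            continue
        }

        $spanDays = ((Get-Date) - $oldest.TimeCreated).TotalDays
        if ($spanDays -lt 1) {
            Write-Warning "${name}: less than one day of data, estimate skipped."
            continue
        }

        # Average growth of the log file per day over the observed span.
        $bytesPerDay = $log.FileSize / $spanDays

        [pscustomobject]@{
            Log             = $name
            LogMode         = $log.LogMode
            MaxSizeMB       = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            DaysInLiveLog   = [math]::Round($spanDays, 1)
            MBPerDay        = [math]::Round($bytesPerDay / 1MB, 2)
            DaysAtMaxSize   = [math]::Round($log.MaximumSizeInBytes / $bytesPerDay, 1)
            MBForTargetDays = [math]::Round($bytesPerDay * $TargetDays / 1MB, 1)
        }
    }
}

Get-LogRetentionEstimate | Format-Table -AutoSize
```

If `DaysAtMaxSize` is below the target, the live log alone will not span 90 days at the current maximum size; `MBForTargetDays` is the total volume that has to be kept, whether in one larger log or across archived files.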