Bethanie
asked on
Retention of Windows server event logs - Precedence of Windows 2008 settings?
We need to know which GPO setting takes precedence for retention of Windows server event logs?
As per Technet article http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx
The Windows settings in Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service take precedence over the Windows 2003 settings in Computer Configuration\Policies\Windows Settings\Security Settings\Event Log. Therefore if we configure the settings as below, according to this precedence rule, the log size will overrule the time rule. What happens therefore if the log reaches its maximum retention time e.g. 90 Days before it reaches the maximum size? Will the log be overwritten as per size settings, or will the Windows 2008 size setting take precedence and continue to grow the log until the maximum size?
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service (Windows 2008 settings)
Maximum log size - Enable and set according to MS recommendations http://support.microsoft.com/kb/957662
Backup log automatically when full – Enable (Event Log file is automatically closed and renamed when it is full. A new file is then started)
Retain Old Events (Enable - When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost)
Computer Configuration\Policies\Windows Settings\Security Settings\Event Log (Windows 2003 settings)
Maximum Application Log Size (not defined)
Maximum Security Log Size (not defined)
Maximum System Log Size (not defined)
Retain Application Log for 365 Days
Retain Security Log for 90 Days
Retain System Log for 90 Days
I understand the above; however, I am curious as to how you would work out days by retention on the new settings. Do you calculate by amount of events * size * days to work out the maximum size?
I effectively need to save these log files for 90 days and the new way of doing this doesn't make it clear, I'm afraid.
Many thanks,
Rhys
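
The events * size * days calculation raised in the comment above, as an added example that is not part of the original thread: it measures the current event rate and average record size of each log and projects the maximum log size needed for the retention periods listed in the question. The function name `Get-LogSizeEstimate` and the 1.5 headroom factor are assumptions made for illustration.

```powershell
# Added example (not from the thread). Assumes recent volume is representative.
# Run elevated: reading the Security log requires administrative rights.
function Get-LogSizeEstimate {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int]$RetentionDays,
        [double]$Headroom = 1.5   # assumed safety margin for bursts of events
    )

    $log    = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop

    # Time span currently covered by the live log file.
    $spanDays = ((Get-Date) - $oldest.TimeCreated).TotalDays
    if ($spanDays -lt 1) {
        throw "Log '$LogName' covers less than one day; sample again later."
    }

    $bytesPerEvent = $log.FileSize / $log.RecordCount
    $eventsPerDay  = $log.RecordCount / $spanDays
    $neededBytes   = $eventsPerDay * $bytesPerEvent * $RetentionDays * $Headroom

    [pscustomobject]@{
        LogName          = $LogName
        DaysInLog        = [math]::Round($spanDays, 1)
        EventsPerDay     = [math]::Round($eventsPerDay)
        AvgBytesPerEvent = [math]::Round($bytesPerEvent)
        CurrentMaxKB     = [math]::Round($log.MaximumSizeInBytes / 1KB)
        SuggestedMaxKB   = [math]::Ceiling($neededBytes / 1KB)
        LogMode          = $log.LogMode   # Circular, Retain or AutoBackup
    }
}

# Retention periods taken from the question: Application 365 days, others 90.
'Application', 'Security', 'System' | ForEach-Object {
    $days = if ($_ -eq 'Application') { 365 } else { 90 }
    Get-LogSizeEstimate -LogName $_ -RetentionDays $days
} | Format-Table -AutoSize
```

If `DaysInLog` is already shorter than the retention target, the current maximum size is too small for the observed event rate.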