
  • Status: Solved

Retention of Windows server event logs - Precedence of Windows 2008 settings?

We need to know which GPO setting takes precedence for retention of Windows server event logs.

As per Technet article http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx 
The Windows settings in Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service take precedence over the Windows 2003 settings in  Computer Configuration\Policies\Windows Settings\Security Settings\Event Log. Therefore if we configure the settings as below, according to this precedence rule, the log size will overrule the time rule. What happens therefore if the log reaches its maximum retention time e.g. 90 Days before it reaches the maximum size? Will the log be overwritten as per size settings, or will the Windows 2008 size setting take precedence and continue to grow the log until the maximum size?

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service (Windows 2008 settings)
Maximum log size - Enable and set according to MS recommendations http://support.microsoft.com/kb/957662
Backup log automatically when full – Enable (Event Log file is automatically closed and renamed when it is full. A new file is then started)
Retain Old Events (Enable - When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost)

Computer Configuration\Policies\Windows Settings\Security Settings\Event Log (Windows 2003 settings)
Maximum Application Log Size (not defined)
Maximum Security Log Size (not defined)
Maximum System Log Size (not defined)
Retain Application Log for 365 Days
Retain Security Log for 90 Days
Retain System Log for 90 Days
2 Solutions
Krzysztof Pytko, Active Directory Engineer, Commented:
Unfortunately these policies do not imply together :/
When you set up "back up when log is full", it waits for the whole log to fill.
When using time, it is not aware of log size :/ You then need to ensure that the log size is big enough to store the whole event logs.

Microsoft suggests to not set up "Retain event logs" policy

So, you need to ensure which option is much more useful to you :)

Sushil Sonawane Commented:
The log will be overwritten as per the size settings because domain policy overrides local policy.

These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with the later policies being superior to the earlier applied policies. Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, local Group Policy is applied.

Please see the article below for more information.

Rhys Cleverly Commented:

I understand the above however am curious as to how you would work out days by retention on the new settings. Do you calculate by amount of events * size * days to work out the maximum size?

I effectively need to save these log files for 90 days and the new way of doing this doesn't make it clear, I'm afraid.

many thanks
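
An added example, not part of the thread: one way to turn a day-based target such as the 90 days asked about into a maximum log size, by measuring the write rate of the log currently on disk. The function name, the 25% headroom factor and the per-log targets table (taken from the retention values in the question) are assumptions of this example.

```powershell
# Added example (not from the thread). Run elevated: the Security log needs admin rights.
function Get-LogSizeEstimate {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$RetentionDays = 90,     # day-based target to convert into a size
        [double]$Headroom = 1.25      # assumption: 25% margin for busy periods
    )

    # Current configuration and on-disk size of the log
    $log    = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    # Oldest record still present tells us how many days the file covers today
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop

    $daysCovered = ((Get-Date) - $oldest.TimeCreated).TotalDays
    if ($daysCovered -lt 1 -or -not $log.FileSize) {
        throw "Log '$LogName' holds less than one day of events; too little data to estimate."
    }

    # Observed rate: bytes written per day, then scaled to the retention target
    $bytesPerDay = $log.FileSize / $daysCovered
    $neededBytes = $bytesPerDay * $RetentionDays * $Headroom

    [pscustomobject]@{
        LogName         = $LogName
        LogMode         = $log.LogMode    # Circular, AutoBackup or Retain
        DaysCoveredNow  = [math]::Round($daysCovered, 1)
        AvgEventsPerDay = [math]::Round($log.RecordCount / $daysCovered)
        AvgMBPerDay     = [math]::Round($bytesPerDay / 1MB, 2)
        CurrentMaxMB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        EstimatedMaxMB  = [math]::Ceiling($neededBytes / 1MB)
        MeetsTarget     = ($log.MaximumSizeInBytes -ge $neededBytes)
    }
}

# Retention targets as listed in the question (days per log)
$targets = @{ Application = 365; Security = 90; System = 90 }

foreach ($name in $targets.Keys) {
    Get-LogSizeEstimate -LogName $name -RetentionDays $targets[$name]
}
```

When the log mode is AutoBackup, the active file restarts after each archive, so `DaysCoveredNow` reflects only the time since the last rollover; the per-day rate is still usable for sizing.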

