We need to know which GPO setting takes precedence for retention of Windows Server event logs.
As per Technet article http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx
The Windows settings in Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service take precedence over the Windows 2003 settings in Computer Configuration\Policies\Windows Settings\Security Settings\Event Log.
Therefore if we configure the settings as below, according to this precedence rule, the log size will overrule the time rule. What happens therefore if the log reaches its maximum retention time e.g. 90 Days before it reaches the maximum size? Will the log be overwritten as per size settings, or will the Windows 2008 size setting take precedence and continue to grow the log until the maximum size?
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service (Windows 2008 settings)
Maximum log size - Enable and set according to MS recommendations http://support.microsoft.com/kb/957662
Backup log automatically when full – Enable (Event Log file is automatically closed and renamed when it is full. A new file is then started)
Retain Old Events (Enable - When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost)
Computer Configuration\Policies\Windows Settings\Security Settings\Event Log (Windows 2003 settings)
Maximum Application Log Size (not defined)
Maximum Security Log Size (not defined)
Maximum System Log Size (not defined)
Retain Application Log for 365 Days
Retain Security Log for 90 Days
Retain System Log for 90 Days
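
One way to see which of the two policy sources actually took effect on a server is to read both registry locations and compare them with the configuration the Event Log service reports. This is an added example, not part of the original post; the registry paths and the `Get-RegValue` helper do not come from the post, and the script should be run from an elevated PowerShell session after `gpupdate /force`.

```powershell
# Added example: compare both event log policy sources with the effective log settings.
$logs = 'Application', 'Security', 'System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "not defined").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = foreach ($log in $logs) {
    # Administrative Templates\...\Event Log Service (Windows 2008 settings)
    $admx   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
    # Security Settings\Event Log (Windows 2003 settings) write to the service key
    $legacy = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"

    # What the Event Log service is actually using right now
    $cfg = Get-WinEvent -ListLog $log -ErrorAction Stop

    # Legacy retention is stored in seconds; 0 and 0xFFFFFFFF are special values
    $legacySeconds = Get-RegValue $legacy 'Retention'
    $legacyDays = $null
    if ($null -ne $legacySeconds -and $legacySeconds -gt 0 -and $legacySeconds -ne 4294967295) {
        $legacyDays = [math]::Round($legacySeconds / 86400, 1)
    }

    [pscustomobject]@{
        Log                 = $log
        AdmxMaxSizeKB       = Get-RegValue $admx 'MaxSize'
        AdmxRetainOldEvents = Get-RegValue $admx 'Retention'
        AdmxAutoBackup      = Get-RegValue $admx 'AutoBackupLogFiles'
        LegacyRetentionDays = $legacyDays
        EffectiveMode       = $cfg.LogMode            # Circular, AutoBackup or Retain
        EffectiveMaxMB      = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        CurrentMB           = [math]::Round($cfg.FileSize / 1MB, 1)
    }
}

$report | Format-Table -AutoSize
```

`EffectiveMode` and `EffectiveMaxMB` show the behaviour the service will follow, so comparing them with the two policy columns shows which source won on that machine.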