GPO Log Retention does not work.

Posted on 2012-09-14
Last Modified: 2013-02-19
Team, I would like the following behavior on my Domain Controllers log collection:
-	Retain logs for 1 day.
-	Archive on full log.

I have made the following GPO Settings:
-	Computer Configurations/Policies/Windows Settings/Security Settings/Event Log/Retention method for security log: By days
-	Computer Configurations/Policies/Windows Settings/Security Settings/Event Log/Retain security log: 1 days
-	Windows Components/Event Log Service/Security/Backup log automatically when full: Enabled
-	Windows Components/Event Log Service/Security/Retain old events: Enabled
I set the maximum log size to a large number to ensure that there’s no way the log fills up in a day.

What happens is: archives are created when reaching the maximum size; however, events that are older than 1 day are not erased.

Any idea why? Is there a policy conflict?
Question by:mezen

    Accepted Solution

    Can you use the gpresult tool to verify that the GPO is being applied and is not losing precedence to another GPO?

    Author Comment

    I did, everything is how I planned. I'm not green with Group Policies, however my question is:

    Can two of the following settings co-exist?

    - Computer Configurations/Policies/Windows Settings/Security Settings/Event Log/Retention method for security log: By days - then I specify 1 day.

    - Windows Components/Event Log Service/Security/Retain old events: Enabled

    Expert Comment

    They are not compatible, but the behavior depends on how many events your security log records per day. If you have "retain old events" enabled, MS recommends you also use "Back up log automatically when full"
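An added example, not part of the original thread: a PowerShell check that shows the effective Security log mode on a domain controller next to the values the two policy areas discussed above leave in the registry. The two registry paths and value names are assumptions based on where these policies are commonly documented to write; confirm them on your build.

```powershell
# Added example: run elevated on the domain controller.
# Assumed location for Security Settings/Event Log (legacy settings):
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
# Assumed location for Windows Components/Event Log Service/Security:
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. that policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function ConvertTo-RetentionText($Value) {
    # Legacy Retention DWORD: 0 = overwrite as needed, 0xFFFFFFFF = never overwrite,
    # anything else = seconds to keep (1 day = 86400). It may surface signed or unsigned.
    if ($null -eq $Value) { return 'not set' }
    if ($Value -eq 0) { return 'overwrite as needed' }
    if ($Value -eq -1 -or $Value -eq 4294967295) { return 'never overwrite' }
    return ('overwrite events older than {0:N1} day(s)' -f ($Value / 86400))
}

$legacyRetention = Get-RegValue $legacyKey 'Retention'
$polRetain       = Get-RegValue $policyKey 'Retention'
$polAutoBackup   = Get-RegValue $policyKey 'AutoBackupLogFiles'

# What the Event Log service is actually doing, and how old the oldest event is.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1

[pscustomobject]@{
    EffectiveLogMode   = $log.LogMode      # Circular, AutoBackup or Retain
    MaxSizeMB          = [math]::Round($log.MaximumSizeInBytes / 1MB)
    OldestEventAgeDays = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 2)
    LegacyRetention    = ConvertTo-RetentionText $legacyRetention
    PolicyRetainOld    = "$polRetain" -eq '1'
    PolicyAutoBackup   = "$polAutoBackup" -eq '1'
} | Format-List

# Flag the combination asked about in this thread.
$byDays = $null -ne $legacyRetention -and $legacyRetention -ne 0 -and
          $legacyRetention -ne -1 -and $legacyRetention -ne 4294967295
if ($byDays -and "$polRetain" -eq '1') {
    Write-Warning '"By days" and "Retain old events" are both set; the thread describes these as not compatible.'
}
```

Comparing `EffectiveLogMode` and `OldestEventAgeDays` with the registry values shows which of the two settings the service is honoring.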
