Size of the Event Viewer logs

Mikhail Firsov 1,876 Reputation points
2021-01-22T14:31:13.503+00:00

Hello,
I've already asked that question but since it hasn't yet been answered and I've run out of ideas please let me ask it again.

There's the Windows server 2012 R2 DC with the GPO defining the size of the event logs:
59590-q.png

There's the Windows Server 2016 member server that has this gpo successfully applied:
59580-q1-1.png

But it does not help to change the size of Server's logs:
59642-q2.png

???

Thank you in advance,
Michael

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,470 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,377 questions
Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,532 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,170 questions
0 comments

7 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,681 Reputation points Microsoft Vendor
    2021-01-25T03:11:10.63+00:00

    Hi,

    Please check the registry key values on the target 2016 Server.

    If the GPO is applied successfully, below values should be updated correctly. You can check if the values are the number you have set in GPO. If not, it means the GPO is not correctly applied.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log name>\MaxSize
    <log name> should be Application, System and Security

    You can follow the steps in below link to try other GPO settings to see if the issue could be resolved.
    https://helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html

    Thanks,

    Eleven

    If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

    1 person found this answer helpful.
    0 comments
  2. Michael Taylor 48,576 Reputation points
    2021-01-22T15:25:57.017+00:00

    AFAIK setting the options via GPO doesn't change the per-log settings. They are 2 different settings. The eventing subsystem will use the GPO settings if they are set (size, retention, etc) or use the log settings otherwise. Looking at your screenshot it looks like you're allowing your logs to get as big as 1GB so they should grow until they get there. The security log is the only one getting close to its locally configured max of 204MB. It should go past that once the GPO takes effect. However I'm assuming the GPO settings have replicated to that server and nothing else is overwriting them.

    0 comments
  3. Mikhail Firsov 1,876 Reputation points
    2021-01-22T15:32:14.467+00:00

    "setting the options via GPO doesn't change the per-log settings." ??? It does - the values depicted above are the MAXIMUM size of the logs - those values should change right after applying a gpo. I've just made the same test in my second network (Windows Server 2008R2) - all worked perfect (the MAXIMUM size of the logs has been changed immediately!

  4. Mikhail Firsov 1,876 Reputation points
    2021-01-25T08:27:37.467+00:00

    "Please check the registry key values on the target 2016 Server." - I've already done it, that's why I'm saying "I've run out of ideas"... :(((

    60080-q3.png

    0 comments
  5. Mikhail Firsov 1,876 Reputation points
    2021-01-25T08:29:41.357+00:00

    "So if you set the GPO to retain the log and then switch over to the log settings the UI has updated to use that setting?" - not to retain, if I set the maximum log size in GPO, that GPO setting is immediately applied to the client and is reflected in UI:

    60060-q21.png