MikhailFirsov-1277 asked ·

Size of the Event Viewer logs

Hello,
I've already asked that question but since it hasn't yet been answered and I've run out of ideas please let me ask it again.

There's the Windows Server 2012 R2 DC with the GPO defining the size of the event logs:
59590-q.png

There's the Windows Server 2016 member server that has this GPO successfully applied:
59580-q1-1.png

But it does not help to change the size of Server's logs:
59642-q2.png

???

Thank you in advance,
Michael



cooldadtx answered ·

AFAIK setting the options via GPO doesn't change the per-log settings. They are 2 different settings. The eventing subsystem will use the GPO settings if they are set (size, retention, etc) or use the log settings otherwise. Looking at your screenshot it looks like you're allowing your logs to get as big as 1GB so they should grow until they get there. The security log is the only one getting close to its locally configured max of 204MB. It should go past that once the GPO takes effect. However I'm assuming the GPO settings have replicated to that server and nothing else is overwriting them.


MikhailFirsov-1277 answered ·

"setting the options via GPO doesn't change the per-log settings." ??? It does - the values depicted above are the MAXIMUM size of the logs - those values should change right after applying a GPO. I've just made the same test in my second network (Windows Server 2008 R2) - all worked perfectly (the MAXIMUM size of the logs has been changed immediately)!

· 2 ·

So if you set the GPO to retain the log and then switch over to the log settings the UI has updated to use that setting? That would seem odd to me. The UI shows you the log settings, not the runtime configured settings that are being applied by the GPO. That is why articles (e.g. https://helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html#:~:text=Using%20Group%20Policy&text=Open%20the%20Group%20Policy%20Management,usually%20set%20to%204194240%20KB.) on setting log options specifically say that you need to ensure the GPO settings aren't overwriting the log settings. The logs UI is showing you the "local" log settings, not the setting that will ultimately be used by the eventing system based upon policies.

So are your logs actually getting truncated at the lower value set by the log UI or are they growing up to the max set by the GPO policy?

1 Vote 1 ·

"So if you set the GPO to retain the log and then switch over to the log settings the UI has updated to use that setting?" - not to retain; if I set the maximum log size in GPO, that GPO setting is immediately applied to the client and is reflected in UI:

60157-q21.png


1 Vote 1 ·
ElevenYu-MSFT answered ·

Hi,

Please check the registry key values on the target 2016 Server.

If the GPO is applied successfully, the values below should be updated correctly. You can check if the values are the number you have set in GPO. If not, it means the GPO is not correctly applied.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log name>\MaxSize
<log name> should be Application, System and Security

You can follow the steps in the link below to try other GPO settings to see if the issue could be resolved.
https://helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html

Thanks,
Eleven


If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.
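
A read-only way to run the check described in the answer above, added here as an example (it is not code from the thread or from Microsoft): for each of the three logs it shows the per-log registry `MaxSize`, any policy value, and what the Event Log service itself reports, side by side. The `HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog` path is an assumption: it is where the Administrative Templates "Event Log Service" policy stores its value, and the thread does not say which GPO node was used.

```powershell
# Added example. Run from an elevated prompt (the Security log needs it).
# Nothing here changes any setting.
$logs = 'Application', 'System', 'Security'   # the logs named in the answer

$report = foreach ($log in $logs) {
    # Per-log value the answer points at (DWORD, stored in bytes).
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    $svcMax = (Get-ItemProperty -Path $svcKey -Name MaxSize -ErrorAction SilentlyContinue).MaxSize

    # Assumption: Administrative Templates policy value, if one is set
    # (DWORD, stored in kilobytes). Absent when the GPO uses another node.
    $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
    $polMaxKB = (Get-ItemProperty -Path $polKey -Name MaxSize -ErrorAction SilentlyContinue).MaxSize

    # What the Event Log service reports for the channel right now.
    $cfg = Get-WinEvent -ListLog $log -ErrorAction Stop

    [pscustomobject]@{
        Log            = $log
        RegistryMaxMB  = if ($null -ne $svcMax)   { [math]::Round($svcMax / 1MB, 1) }
        PolicyMaxMB    = if ($null -ne $polMaxKB) { [math]::Round(($polMaxKB * 1KB) / 1MB, 1) }
        EffectiveMaxMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        CurrentFileMB  = [math]::Round($cfg.FileSize / 1MB, 1)
        LogMode        = $cfg.LogMode          # Circular, Retain or AutoBackup
    }
}

$report | Format-Table -AutoSize
```

If `EffectiveMaxMB` differs from both registry columns, the service has not picked up the configured value; if `CurrentFileMB` is far below every maximum, the log simply has not grown to the limit yet.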


MikhailFirsov-1277 answered ·

"Please check the registry key values on the target 2016 Server." - I've already done it, that's why I'm saying "I've run out of ideas"... :(((

60080-q3.png




MikhailFirsov-1277 answered ·

"So if you set the GPO to retain the log and then switch over to the log settings the UI has updated to use that setting?" - not to retain, if I set the maximum log size in GPO, that GPO setting is immediately applied to the client and is reflected in UI:

60060-q21.png




· 1 ·

You might need to capture some dumps or traces to further investigate the issue. I suggest contacting Microsoft Customer Support and Services, where a more in-depth investigation can be done so that you can get a more satisfying explanation and solution to this issue.

You can find the phone number for your region at the link below:
Global Customer Service phone numbers
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

1 Vote 1 ·
MikhailFirsov-1277 answered ·

Hello ElevenYu-MSFT,

Thank you for the reply!

A couple of days ago I added a new Windows Server 2019 box to the OU (the same policy is applied) and checked the log sizes: the policy is applied (the values in the registry have changed accordingly) but the size of the logs remains the same, so I think it's a bug.

Regards,
Michael

· 1 ·

Thanks for your update. We suggest that you could report this issue to Windows Server Uservoice where developing engineers will have a regular on users' feedback.
https://windowsserver.uservoice.com/forums/295047-general-feedback

We will also post it to our product team to see if there is any related known issue.

1 Vote 1 ·