Hello,
I've already asked that question but since it hasn't yet been answered and I've run out of ideas please let me ask it again.
There's the Windows server 2012 R2 DC with the GPO defining the size of the event logs:
There's the Windows Server 2016 member server that has this gpo successfully applied:
But it does not help to change the size of Server's logs:
???
Thank you in advance,
Michael
AFAIK setting the options via GPO doesn't change the per-log settings. They are 2 different settings. The eventing subsystem will use the GPO settings if they are set (size, retention, etc) or use the log settings otherwise. Looking at your screenshot it looks like you're allowing your logs to get as big as 1GB so they should grow until they get there. The security log is the only one getting close to its locally configured max of 204MB. It should go past that once the GPO takes effect. However I'm assuming the GPO settings have replicated to that server and nothing else is overwriting them.
"setting the options via GPO doesn't change the per-log settings." ??? It does - the values depicted above are the MAXIMUM size of the logs - those values should change right after applying a gpo. I've just made the same test in my second network (Windows Server 2008R2) - all worked perfect (the MAXIMUM size of the logs has been changed immediately!
So if you set the GPO to retain the log and then switch over to the log settings the UI has updated to use that setting? That would seem odd to me. The UI shows you the log settings, not the runtime configured settings that is being applied by the GPO. That is why articles (e.g. https://helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html#:~:text=Using%20Group%20Policy&text=Open%20the%20Group%20Policy%20Management,usually%20set%20to%204194240%20KB.) on setting log options specifically say that you need to ensure the GPO settings aren't overwriting the log settings. The logs UI is showing you the "local" log settings, not the setting that will ultimately be used by the eventing system based upon policies.
So are your logs actually getting truncated at the lower value set by the log UI or are they growing up to the max set by the GPO policy?
"So if you set the GPO to retain the log and then switch over to the log settings the UI has updated to use that setting?" - no to retain, if I set the maximum log size in GPO that GPO setting is immediately applied to the client is reflected in UI:
Hi,
Please check the registry key values on the target 2016 Server.
If the GPO is applied successfully, below values should be updated correctly. You can check if the values are the number you have set in GPO. If not, it means the GPO is not correctly applied.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log name>\MaxSize
<log name> should be Application, System and Security
You can follow the steps in below link to try other GPO settings to see if the issue could be resolved.
https://helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html
Thanks,
Eleven
If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.
"Please check the registry key values on the target 2016 Server." - I've already done it, that's why I'm saying "I've run out of ideas"... :(((
"So if you set the GPO to retain the log and then switch over to the log settings the UI has updated to use that setting?" - not to retain, if I set the maximum log size in GPO, that GPO setting is immediately applied to the client and is reflected in UI:
You might need to capture some dumps or traces to further investigate the issue, which I suggest to contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.
You may find phone number for your region accordingly from the link below:
Global Customer Service phone numbers
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers
Hello ElevenYu-MSFT,
Thank you for the reply!
A couple of days ago I added a new Windows Server 2019 box to the OU (the same policy is applied) and checked the logs size: the policy is applied (the values in the registry have changed accordingly) but the size of the logs remain the same so I think it's a bug.
Regards,
Michael
Thanks for your update. We suggest that you could report this issue to Windows Server Uservoice where developing engineers will have a regular on users' feedback.
https://windowsserver.uservoice.com/forums/295047-general-feedback
We will also post it to our product team to see if there is any related known issue.
10 people are following this question.
