3.2.5.5 Event Log Policies

If the Key value is any value other than those listed as valid in the table in section 2.2.3, the client SHOULD stop processing Event Log policy settings and log an error.

Settings in Event Log Policies (section 2.2.3) are mapped to the Abstract Data Model as specified in [MS-EVEN] section 3.1.1.2, using the log name, which is the same as the header value (section 2.2.3), to determine the registry key whose values are to be updated:

| Log Name | Registry Key |
|---|---|
| System Log | HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\System |
| Security Log | HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\Security |
| Application Log | HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\Application |

The registry values in the right column of the following table are set to the value of the key in the left column specified in the Event Log Policies (section 2.2.3) settings.

| Group Policy: Security Protocol Extension | EventLog Remoting Protocol |
|---|---|
| MaximumLogSize | MaxSize |
| AuditLogRetentionPeriod, RetentionDays | Retention: 0 when AuditLogRetentionPeriod is "0"; the RetentionDays value converted to seconds when AuditLogRetentionPeriod is "1"; 0xFFFFFFFF when AuditLogRetentionPeriod is "2" |
| RestrictGuestAccess | RestrictGuestAccess |
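The mapping described in this section, written out as an added example that is not part of the specification. It can be used to compute the registry values a policy should produce and compare them against a host. The function and exception names are hypothetical. The set of valid keys and the handling of an unknown log name, a missing RetentionDays, or an AuditLogRetentionPeriod other than "0", "1" or "2" are assumptions.

```python
# Added example: not part of the specification text.
BASE = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog"
LOG_KEYS = {  # header value -> registry key, as listed in this section
    "System Log": BASE + r"\System",
    "Security Log": BASE + r"\Security",
    "Application Log": BASE + r"\Application",
}
# Assumption: the valid Key names are the four that appear in the mapping table.
VALID_KEYS = {"MaximumLogSize", "AuditLogRetentionPeriod",
              "RetentionDays", "RestrictGuestAccess"}
SECONDS_PER_DAY = 86400


class EventLogPolicyError(ValueError):
    """Raised where the client SHOULD stop processing and log an error."""


def map_event_log_policy(header, settings):
    """Return (registry_key, {value_name: int}) for one Event Log policy section."""
    if header not in LOG_KEYS:  # assumption: an unknown log name is rejected
        raise EventLogPolicyError(f"unknown log name: {header!r}")
    for key in settings:
        if key not in VALID_KEYS:
            raise EventLogPolicyError(f"invalid key {key!r} in [{header}]")
    values = {}
    if "MaximumLogSize" in settings:
        values["MaxSize"] = int(settings["MaximumLogSize"])
    if "RestrictGuestAccess" in settings:
        values["RestrictGuestAccess"] = int(settings["RestrictGuestAccess"])
    period = settings.get("AuditLogRetentionPeriod")
    if period == "0":
        values["Retention"] = 0
    elif period == "1":
        # Assumption: a missing RetentionDays is treated as an error.
        if "RetentionDays" not in settings:
            raise EventLogPolicyError("RetentionDays required when period is 1")
        values["Retention"] = int(settings["RetentionDays"]) * SECONDS_PER_DAY
    elif period == "2":
        values["Retention"] = 0xFFFFFFFF
    elif period is not None:
        # Assumption: any other period value is rejected.
        raise EventLogPolicyError(f"unsupported period: {period!r}")
    return LOG_KEYS[header], values


# Constructed sample: settings as parsed from a [Security Log] policy section.
SAMPLE = {"MaximumLogSize": "20480", "AuditLogRetentionPeriod": "1",
          "RetentionDays": "7", "RestrictGuestAccess": "1"}
```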