Instead of using the Limit-EventLog try setting the registry directly.
set_log_to_archive_when_full
Limit-EventLog - How to get DoNotOverwrite with Archive
My goal is to enable the EventLog (Security) to "DoNotOverwrite" and use the built-in archiving capability.
In the GUI, the three radio buttons are:
For the first option, "Overwrite as needed", Get-EventLog returns:
Log : Security
EnableRaisingEvents : False
MaximumKilobytes : 131072
MinimumRetentionDays : 0
OverflowAction : OverwriteAsNeeded
The second and third options both return:
Log : Security
EnableRaisingEvents : False
MaximumKilobytes : 131072
MinimumRetentionDays : -1
OverflowAction : DoNotOverwrite
If I use Limit-EventLog with OverflowAction DoNotOverwrite, the GUI then shows the third option, (Clear logs manually) selected and Get-EventLog returns as shown above for options two and three.
What am I missing here? It looks like Limit-EventLog can/does not set the archiving option.
Would that option be available using WMI?
-
Rich Matheisen 45,906 Reputation points
2020-11-20T22:31:35.177+00:00
1 additional answer
-
TreyS 166 Reputation points
2020-11-21T17:43:21.913+00:00
Again, thanks to Rich for guidance...
I didn't find the registry value, set_log_to_archive_when_full
But I did find this good reference article:
https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
Formatting on that page is a little weird, but there is a link to download as PDF.
In the EventLog key is a key for each EventLog and each has a value, AutoBackupLogFiles. Zero is off. One is on. Setting it to one is reflected in the GUI with the second radio button, mentioned above, selected.
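The two steps from this thread combined into one script, with a readback that shows which of the three GUI states the log is in. This is an added example, not code from either poster; it assumes Windows PowerShell 5.1 in an elevated session, the standard `HKLM:\SYSTEM\CurrentControlSet\Services\EventLog` location of the EventLog key, and hypothetical function names.

```powershell
#Requires -RunAsAdministrator
# Added example. Limit-EventLog / Get-EventLog ship with Windows PowerShell 5.1, not PowerShell 7.

function Get-EventLogOverflowState {
    param([string]$LogName = 'Security')

    # Per-log subkey under the EventLog key (path is an assumption, see lead-in).
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    $log  = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
    if (-not $log) { throw "Event log '$LogName' not found" }

    # AutoBackupLogFiles may be absent; a missing value is treated as 0 (off).
    $auto = [int](Get-ItemProperty -LiteralPath $key -Name AutoBackupLogFiles `
                    -ErrorAction SilentlyContinue).AutoBackupLogFiles

    # Get-EventLog alone cannot tell options two and three apart, so combine
    # its OverflowAction with the registry value.
    $gui = switch ("$($log.OverflowAction)") {
        'OverwriteAsNeeded' { 'Option 1: overwrite as needed' }
        'DoNotOverwrite'    { if ($auto -eq 1) { 'Option 2: archive when full' }
                              else             { 'Option 3: clear logs manually' } }
        default             { "Other: $_" }
    }

    [pscustomobject]@{
        Log                  = $LogName
        MaximumKilobytes     = $log.MaximumKilobytes
        MinimumRetentionDays = $log.MinimumRetentionDays
        OverflowAction       = $log.OverflowAction
        AutoBackupLogFiles   = $auto
        GuiOption            = $gui
    }
}

function Set-EventLogArchiveWhenFull {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$LogName = 'Security')

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    if (-not (Test-Path -LiteralPath $key)) { throw "No EventLog subkey at $key" }

    if ($PSCmdlet.ShouldProcess($LogName, 'DoNotOverwrite + AutoBackupLogFiles=1')) {
        # Step 1: stop overwriting (this alone selects "Clear logs manually").
        Limit-EventLog -LogName $LogName -OverflowAction DoNotOverwrite
        # Step 2: turn on automatic archiving, which Limit-EventLog does not expose.
        Set-ItemProperty -LiteralPath $key -Name AutoBackupLogFiles -Value 1 -Type DWord
    }
    Get-EventLogOverflowState -LogName $LogName   # read back for verification
}
```

Run `Set-EventLogArchiveWhenFull -WhatIf` first to preview the change, and plan for disk usage and collection of the archive files, since archived logs accumulate until something removes them.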