Limit-EventLog - How to get DoNotOverwrite with Archive

TreyS 146 Reputation points

My goal is to enable the EventLog (Security) to "DoNotOverwrite" and use the built in archiving capability.

In the GUI, the three radio buttons are:

For the first option, "Overwrite as needed, Get-Eventlog returns:
Log : Security
EnableRaisingEvents : False
MaximumKilobytes : 131072
MinimumRetentionDays : 0
OverflowAction : OverwriteAsNeeded

The second and third options both return:
Log : Security
EnableRaisingEvents : False
MaximumKilobytes : 131072
MinimumRetentionDays : -1
OverflowAction : DoNotOverwrite

If I use Limit-EventLog with OverflowAction DoNotOverwrite, the GUI then shows the third option, (Clear logs manually) selected and Get-EventLog returns as shown above for options two and three.

What am I missing here. It looks like Limit-EventLog can/does not set the archiving option.

Would that option be available using WMI?

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,348 questions
0 comments No comments
{count} votes

Accepted answer
  1. Rich Matheisen 44,621 Reputation points

    Instead of using the Limit-EventLog try setting the registry directly.

1 additional answer

Sort by: Most helpful
  1. TreyS 146 Reputation points

    Again, thanks to Rich for guidance...

    I didn't find the registry value, set_log_to_archive_when_full

    But I did find this good reference article:

    Formatting on that page is a little weird, but there is a link to download as PDF.

    In the EventLog key is a key for each EventLog and each has a value, AutoBackupLogFiles. Zero is off. One is on. Setting it to one is reflected in the GUI with the second radio button, mentioned above, selected.

    0 comments No comments