Event-Log Retention days instead of size

MirandaVeracruz 116 Reputation points
2021-06-04T15:26:35.957+00:00

Hi there,

I'd like to know if there is a possibility to change Windows-Eventlog-retention from "max size xy KB" to "max xy days". I know there is a GPO named "Retention method for application/security/system log" and "Retain application/security/system log" in Security-Settings\Event Log but obviously it does not work :-(

I created a policy to change these settings to 90 days. The policy has been applied correctly but I still see events in Event Viewer that are much older than 90 days.

Regards
Miranda


8 answers

  1. Anonymous
    2021-06-07T06:50:37.61+00:00

    Hi,
    Based on my understanding, size and time are two different aspects of event logs, and you can make the modification through group policy. Please take a look at this article and see if it helps:
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/0b9673a7-ce0a-49b4-912b-591efdb37cdf

    Thanks for your time.
    Best regards,
    Danny



  2. MirandaVeracruz 116 Reputation points
    2021-06-08T12:52:06.35+00:00

    Hi,

    sorry answer was not helpful...

    I have already set up the policy with the settings "Retention method for application/security/system log" and "Retain application/security/system log" to 90 days in Security-Settings\Event Log, but on a machine that has the policy applied I still see much older entries in the event log.


    What's wrong?

    Regards
    Miranda


  3. Anonymous
    2021-06-09T02:32:21.507+00:00

    Hi,
    I’m not sure if this would be the cause, but would you check the marked part of the settings?
    As far as I’m concerned, if you choose to clear the logs manually, unless you do it, the old logs won’t be overwritten:
    For your reference:
    https://helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/File_Servers/Windows_Shares/WSh_EventLog.html
    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Thanks for your time.
    Best regards,
    Danny


  4. MirandaVeracruz 116 Reputation points
    2021-06-10T08:31:53.973+00:00

    we have "overwrite as needed" already set ... but still events from 2020


  5. MirandaVeracruz 116 Reputation points
    2021-06-10T08:43:51.787+00:00

    That's what I'm now trying. Have set the policy to retain application logs for 1 day. Will check on Monday...
    Cheers
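
One way to check on an affected machine what this thread keeps comparing, the configured retention mode and size against the age of the oldest event still in each log. This is an added example, not part of the original posts; the 90-day figure is the one from the question, and the helper names `Get-RegValue` and `Format-Hex32` are hypothetical.

```powershell
# Added example: read-only report of effective event-log retention settings
# versus the age of the oldest event. Run elevated to read the Security log.
$logs       = 'Application', 'Security', 'System'
$targetDays = 90   # retention period wanted in the question

function Get-RegValue {            # hypothetical helper
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Format-Hex32 {            # hypothetical helper
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    if ($Value -is [string]) { return $Value }   # some values are stored as REG_SZ
    '0x{0:X8}' -f $Value
}

$report = foreach ($name in $logs) {
    $cfg    = Get-WinEvent -ListLog $name
    $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

    # Service key holds the values the Event Log service uses; the Policies
    # key is only present when a policy has written settings there.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$name"
    $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$name"

    $ageDays = $null
    if ($oldest) { $ageDays = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) }

    [pscustomobject]@{
        Log             = $name
        LogMode         = $cfg.LogMode                     # Circular, AutoBackup or Retain
        MaxSizeMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        FileSizeMB      = [math]::Round($cfg.FileSize / 1MB, 1)
        Records         = $cfg.RecordCount
        OldestEvent     = if ($oldest) { $oldest.TimeCreated } else { $null }
        OldestAgeDays   = $ageDays
        OverTarget      = ($null -ne $ageDays -and $ageDays -gt $targetDays)
        # Retention: 0 = overwrite as needed, 0xFFFFFFFF = never overwrite
        SvcRetention    = Format-Hex32 (Get-RegValue $svcKey 'Retention')
        SvcAutoBackup   = Format-Hex32 (Get-RegValue $svcKey 'AutoBackupLogFiles')
        PolicyRetention = Format-Hex32 (Get-RegValue $polKey 'Retention')
        PolicyMaxSize   = Format-Hex32 (Get-RegValue $polKey 'MaxSize')
    }
}

$report | Format-List
```

A log in `Circular` mode whose `FileSizeMB` is well below `MaxSizeMB` has not yet had to overwrite anything, so `OldestAgeDays` can exceed the target even with "overwrite as needed" set.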

