Set Log Retention Policy

Applies To: Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Vista

Events are stored in a log file that can grow only to a configurable maximum size. After the file has reached its maximum size, what happens to incoming events is determined by the log retention policy. The available log retention policies are as follows:

Retention Policy Description

Overwrite events as needed.

New events continue to be stored when the log file is full. Each new incoming event replaces the oldest event in the log.

Archive the log when full, do not overwrite events.

The log is automatically archived when necessary. No events are overwritten.

Do not overwrite events. (Clear logs manually.)

Clear the log manually rather than automatically.

You can set the log retention policy by using the Windows interface or the Wevtutil command-line tool.

To set the log retention policy by using the Windows interface

  1. Start Event Viewer.

  2. In the console tree, navigate to and select the event log you want to manage.

  3. On the Action menu, click Properties .

  4. In the Enable Logging section of the General tab, select the option that corresponds to the retention policy you want to set.

  5. Click OK .

To set the retention policy by using a command line

  1. To open a command prompt, click Start , click Run , type cmd , and click OK .

  2. Type the following command:

    wevtutil sl <LogName> /r:{true | false} /ab:{true | false}
    

The 'r' parameter specifies whether to retain the log and the 'ab' parameter specifies whether to automatically back up the log. The following list shows the parameter values of the Wevtutil command-line tool that correspond to each of the above retention policies.

  • Overwrite events as needed: r = false, ab = false

  • Archive the log when full, do not overwrite events: r = true, ab = true

  • Do not overwrite events. (Clear logs manually.): r = true, ab = false

To view the complete syntax for this command, type the following command:

wevtutil sl -?

Additional considerations

  • You must be a member of the Administrators group to set the log retention policy.

Additional references