Before we get to that, let me point out that almost everything I'm going to discuss can also be configured with Group Policy. If you think that topic merits coverage on the site, be sure to leave a comment and let me know. But I also realize there are many shops that still don't use Group Policy, or you may have some servers that don't fall into a scope of management. In these situations, PowerShell can help. All you need is PowerShell 2.0 and network access to the classic Event Log and WMI interfaces on the remote servers; the -ComputerName parameter on the cmdlets used here talks to the remote machine directly and does not require PowerShell remoting.
We are also only going to focus on classic Event Logs like System and Application, not the newer Windows Event Log channels. These are the ones that tend to need the most attention anyway.
Checking limits
The first thing is to see what you have so far using the Get-EventLog cmdlet. The cmdlet has a -List parameter which does exactly what it says: it lists the current configuration of every classic Event Log on the computer.
PS C:\> get-eventlog -list -ComputerName chi-dc01
With this command I am listing all the Event Logs on CHI-DC01.
List Event Logs
As with many things in PowerShell, the information displayed is not necessarily a direct reflection of the underlying object properties. In this case, many of the table headings are customized and the values are calculated. The -List parameter set of Get-EventLog has no -LogName parameter, so to retrieve a single log you pipe the output to Where-Object.
PS C:\> get-eventlog -list -ComputerName chi-dc01 | where {$_.log -eq 'system'}

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  16,384     30 OverwriteOlder         33,712 System
If we can do it for 1 we can do it for 2 or 200. Let’s check the System Event Log on all my domain controllers.
PS C:\> get-eventlog -list -ComputerName chi-dc01,chi-dc02,chi-dc04 |
where {$_.log -eq 'system'} |
Select Machinename,Log,MaximumKilobytes,MinimumRetentionDays,
@{Name="Entries";Expression={$_.Entries.count}},OverflowAction |
format-table -auto
In this command I'm using the actual property names (MaximumKilobytes, MinimumRetentionDays, OverflowAction) rather than the display headings, plus a calculated property for the number of entries. You can see the results.
Check the System Event Log on multiple computers
You can also get similar information using WMI, including some additional information not available with Get-Eventlog.
$logs = Get-WmiObject Win32_NTEventlogfile -filter "logfilename='system'" -computer chi-dc01,chi-dc02,chi-dc04

$logs | Select @{Name="Computername";Expression={$_.CSName}},LogFileName,
FileSize,NumberOfRecords,@{Name="MaxMB";Expression={$_.MaxFileSize/1MB}},
@{Name="PercentUsed";Expression={ ($_.filesize/$_.maxfilesize)*100 -as [int]}},
@{Name="Created";Expression={$_.ConvertToDateTime($_.CreationDate)}},
@{Name="Modified";Expression={$_.ConvertToDateTime($_.Lastmodified)}} |
Out-GridView -title "System Event Log Summary"
The WMI class includes file system information (the current file size and the maximum file size), so I can calculate how much of each log is being used. I'm piping the output to Out-GridView to make it easier to read, which is especially helpful when looking at many servers. The other perk is that it is easy to sort simply by clicking on a column heading, as I've done here.
System Event Log Summary
Looks like the log on CHI-DC02 needs some attention. I’ll eventually get to that.
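To turn the summary above into a check you can run regularly, here is an added example (not code from the original article) that queries the same Win32_NTEventlogFile class for several classic logs on several servers and flags any log that has used more than a given percentage of its maximum size. It also pulls OverwritePolicy and OverWriteOutDated, two WMI properties that Get-EventLog -List does not expose. The computer names, the log list and the 80 percent threshold are placeholders to substitute with your own.

```powershell
# Added example: flag classic Event Logs that are close to their size limit.
# Computer names, log names and the warning threshold are placeholders.
function Get-ClassicLogUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,
        [string[]]$LogName = @('System', 'Application', 'Security'),
        [ValidateRange(1, 100)]
        [int]$WarnPercent = 80
    )

    # Build a WQL filter such as: logfilename='System' OR logfilename='Application'
    $filter = ($LogName | ForEach-Object { "logfilename='$_'" }) -join ' OR '

    foreach ($computer in $ComputerName) {
        try {
            $logs = Get-WmiObject -Class Win32_NTEventlogFile -Filter $filter `
                -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # Unreachable server or access denied: report it and keep going
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        foreach ($log in $logs) {
            $pct = 0
            if ($log.MaxFileSize -gt 0) {
                $pct = [int](($log.FileSize / $log.MaxFileSize) * 100)
            }
            [pscustomobject]@{
                ComputerName    = $log.CSName
                Log             = $log.LogFileName
                MaxMB           = $log.MaxFileSize / 1MB
                PercentUsed     = $pct
                Records         = $log.NumberOfRecords
                # WMI-only properties: overwrite policy and the retention age in days
                OverwritePolicy = $log.OverwritePolicy
                RetainDays      = $log.OverWriteOutDated
                Modified        = $log.ConvertToDateTime($log.LastModified)
                NeedsAttention  = ($pct -ge $WarnPercent)
            }
        }
    }
}

# Usage: list the fullest logs first; NeedsAttention is True above the threshold
Get-ClassicLogUsage -ComputerName chi-dc01, chi-dc02, chi-dc04 -WarnPercent 80 |
    Sort-Object PercentUsed -Descending |
    Format-Table -AutoSize
```

Because the function emits objects rather than formatted text, you can pipe it to Where-Object NeedsAttention, Export-Csv or Out-GridView depending on whether you want a scheduled report or an interactive view.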
Setting new limits
Now that I know what I have, I can change it with Limit-EventLog. I want to set the size of the System Event Log to 32MB, overwrite older entries, and retain entries for 21 days. Options for OverflowAction are DoNotOverwrite, OverwriteAsNeeded, and OverwriteOlder. The maximum size must be between 64KB and 4GB and a multiple of 64KB, and RetentionDays (1 to 365) only has an effect when the OverflowAction is OverwriteOlder. Also, please be aware that modifying Event Log limits, shrinking a log in particular, might mean the loss of Event Log entries, so plan accordingly.
To make things easier I’m going to create a hash table of parameters that I can splat to Limit-Eventlog.
$limitParam = @{
    Maximumsize    = 32MB
    logname        = "System"
    RetentionDays  = 21
    OverflowAction = "OverwriteOlder"
}
Unfortunately, passing multiple computer names to Limit-EventLog in one call appears to be slightly buggy. So instead I'll process each computer individually in a ForEach loop, which gives me the added benefit of tracking progress and verifying the result on each server.
$computers = "chi-dc01","chi-dc02","chi-dc04"
foreach ($computer in $computers) {
    Write-Host "Setting limits on $($limitParam.logname) log on $($Computer.ToUpper())" -ForegroundColor Cyan
    #add the computer to the hashtable
    $limitParam.Computername = $computer
    Limit-EventLog @limitParam
    Get-Eventlog -list -computer $computer | where {$_.Log -eq $limitparam.logname}
}
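The loop above applies the limits unconditionally. As an added example (not code from the original article), the function below wraps the same Get-EventLog -List check and Limit-EventLog call into a baseline enforcer: it compares each server's current MaximumKilobytes, OverflowAction and MinimumRetentionDays against the desired values, calls Limit-EventLog only where they differ, validates the size rules noted above before touching anything, and supports -WhatIf so you can see the drift before changing it. The computer names and baseline values in the usage lines are placeholders.

```powershell
# Added example: enforce a classic Event Log baseline, changing only logs that drift.
# Computer names and baseline values are placeholders.
function Set-ClassicLogBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,
        [Parameter(Mandatory)]
        [string]$LogName,
        # Limit-EventLog requires 64KB..4GB and a multiple of 64KB; fail early instead
        [Parameter(Mandatory)]
        [ValidateScript({ ($_ -ge 64KB) -and ($_ -le 4GB) -and ($_ % 64KB -eq 0) })]
        [long]$MaximumSize,
        [ValidateSet('DoNotOverwrite', 'OverwriteAsNeeded', 'OverwriteOlder')]
        [string]$OverflowAction = 'OverwriteAsNeeded',
        [ValidateRange(1, 365)]
        [int]$RetentionDays = 7
    )

    foreach ($computer in $ComputerName) {
        $current = Get-EventLog -List -ComputerName $computer |
            Where-Object { $_.Log -eq $LogName }
        if (-not $current) {
            Write-Warning "$computer : log '$LogName' not found"
            continue
        }

        # Work out which settings differ from the baseline
        $drift = @()
        if ($current.MaximumKilobytes -ne ($MaximumSize / 1KB)) { $drift += 'MaximumSize' }
        if ($current.OverflowAction.ToString() -ne $OverflowAction) { $drift += 'OverflowAction' }
        # Retention only matters when entries are overwritten by age
        if ($OverflowAction -eq 'OverwriteOlder' -and
            $current.MinimumRetentionDays -ne $RetentionDays) { $drift += 'RetentionDays' }

        $changed = $false
        if ($drift.Count -eq 0) {
            Write-Verbose "$computer : $LogName already matches the baseline"
        }
        elseif ($PSCmdlet.ShouldProcess("$computer\$LogName", "Set $($drift -join ', ')")) {
            $limitParam = @{
                ComputerName   = $computer
                LogName        = $LogName
                MaximumSize    = $MaximumSize
                OverflowAction = $OverflowAction
            }
            if ($OverflowAction -eq 'OverwriteOlder') { $limitParam.RetentionDays = $RetentionDays }
            Limit-EventLog @limitParam
            $changed = $true
        }

        [pscustomobject]@{
            ComputerName = $computer.ToUpper()
            Log          = $LogName
            Drift        = $drift -join ', '
            Changed      = $changed
        }
    }
}

# Usage: report drift without changing anything
Set-ClassicLogBaseline -ComputerName chi-dc01, chi-dc02, chi-dc04 -LogName System `
    -MaximumSize 32MB -OverflowAction OverwriteOlder -RetentionDays 21 -WhatIf

# Usage: apply the baseline (same parameters without -WhatIf)
Set-ClassicLogBaseline -ComputerName chi-dc01, chi-dc02, chi-dc04 -LogName System `
    -MaximumSize 32MB -OverflowAction OverwriteOlder -RetentionDays 21 |
    Format-Table -AutoSize
```

Running the -WhatIf form first is the safe habit here, since a log that is shrunk by Limit-EventLog can lose entries; the Drift column tells you exactly which servers would be touched and why.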
And just like that I’ve configured the System Event Log on 3 servers in literally seconds.
Setting Limit-Eventlog on multiple computers
Summary
You could scale these techniques to configure multiple Event Logs on many, many servers and desktops. I encourage you to read the full help and examples for all the cmdlets I’ve used in this article. Next time we’ll look at backing up an Event Log using PowerShell so that ultimately we can clear it out.
Hi, I know you're not talking Group Policy specifically, but it seems the settings can be very misleading when Group Policy is used.
If you've set the size, the Event Viewer UI seems to throw a confusing error, and the PowerShell cmdlets and WMI classes both report the registry values, *not* the policy values which are enforced. Which is pretty poor really.
http://david-homer.blogspot.co.uk/2016/08/cannot-change-event-log-size-maximum.html
Dave