Event logs are terrific management tools, but they themselves require a little attention every now and then. You may need to configure a log to control its size and number of entries. Many IT Pros probably accept the default values and don’t think much about it. But for the rest of you, let me demonstrate over the course of a few articles how to manage event logs using Windows PowerShell.
Jeffery Hicks

Jeffery Hicks is a multi-year Microsoft MVP in Windows PowerShell, Microsoft Certified Professional and an IT veteran with 25 years of experience specializing in automation. He works today as an author, trainer and consultant.

Before we get to that, let me point out that almost everything I’m going to discuss can be configured with Group Policy. If you think that topic merits coverage on the site, be sure to leave a comment and let me know. But I also realize there are many shops that still don’t use Group Policy, or you may have some servers that don’t fall into a scope of management. In these situations, PowerShell can help. All you need is PowerShell 2.0 with remoting enabled and management access via WMI.

We are also only going to focus on classic Event Logs like System and Application. These are the ones that tend to need the most attention anyway.

Checking limits

The first thing is to see what you have so far using the Get-Eventlog cmdlet. The cmdlet has a -List parameter which does exactly what it says: it lists current Event Log information.

With this command I am listing all the Event Logs on CHI-DC01.

List Event Logs

As with many things in PowerShell, the information displayed is not necessarily reflective of the underlying object properties. In this case, many of the table headings are customized and the values calculated. To retrieve a single log, you will need to pipe the command to Where-Object.

If we can do it for 1 we can do it for 2 or 200. Let’s check the System Event Log on all my domain controllers.

In this command I’m using the actual property names and a calculated property for the number of entries. You can see the results.

Check the System Event Log on multiple computers

You can also get similar information using WMI, including some additional information not available with Get-Eventlog.

The WMI class includes file system information, so I can calculate how much of the log is being used. My expression pipes the output to Out-Gridview to make it easier to see, which would be especially helpful if looking at many servers. The other perk is that it is easier to sort, simply by clicking on a column heading as I’ve done here.

System Event Log Summary

Looks like the log on CHI-DC02 needs some attention. I’ll eventually get to that.

Setting new limits

Now that I know what I have, I can change it with Limit-Eventlog. I want to set the size of the System event log to 32MB, overwrite older entries and retain them for 21 days. Options for the OverflowAction are DoNotOverwrite, OverwriteAsNeeded, and OverwriteOlder. The maximum size limit must be between 64KB and 4GB and divisible by 64KB. Also, please be aware that modifying event log limits might mean the loss of Event Log entries, so plan accordingly.

To make things easier I’m going to create a hash table of parameters that I can splat to Limit-Eventlog.

Unfortunately, using multiple computer names appears to be slightly buggy. So instead I’ll process each computer individually in a ForEach loop which gives me the added benefit of tracking progress.
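The whole procedure in one script, as an added example that is not from the original article: audit the System log on a set of servers via Win32_NTEventLogFile, validate the size against the 64KB/4GB rule, then splat a hash table into Limit-Eventlog one computer at a time. The server names are placeholders, and Get-LogUsage is a helper written here, not a built-in cmdlet.

```powershell
# Added example, not from the original article. Server names are placeholders.
$computers = 'CHI-DC01', 'CHI-DC02', 'CHI-DC03'
$logName   = 'System'

# Target settings: 32MB, overwrite entries older than 21 days.
# RetentionDays is only honored when OverflowAction is OverwriteOlder.
$limits = @{
    LogName        = $logName
    MaximumSize    = 32MB
    OverflowAction = 'OverwriteOlder'
    RetentionDays  = 21
    ErrorAction    = 'Stop'
}

# Limit-EventLog rejects sizes outside 64KB..4GB or not a multiple of 64KB,
# so validate once up front instead of failing on the first server.
if ($limits.MaximumSize -lt 64KB -or $limits.MaximumSize -gt 4GB -or
    ($limits.MaximumSize % 64KB) -ne 0) {
    throw 'MaximumSize must be between 64KB and 4GB and divisible by 64KB.'
}

function Get-LogUsage {
    # Size, usage and record count for one classic log, from Win32_NTEventLogFile.
    param([string]$ComputerName, [string]$Log)
    Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $ComputerName `
        -Filter "LogfileName='$Log'" -ErrorAction Stop |
      Select-Object @{Name='Computer';    Expression={$_.CSName}},
                    @{Name='Log';         Expression={$_.LogfileName}},
                    @{Name='MaxSizeMB';   Expression={[math]::Round($_.MaxFileSize / 1MB, 2)}},
                    @{Name='SizeMB';      Expression={[math]::Round($_.FileSize / 1MB, 2)}},
                    @{Name='PercentUsed'; Expression={[math]::Round(100 * $_.FileSize / $_.MaxFileSize, 1)}},
                    @{Name='Records';     Expression={$_.NumberOfRecords}},
                    @{Name='Overwrite';   Expression={$_.OverwritePolicy}}
}

# Before: which logs are close to full? (Swap Format-Table for Out-GridView with many servers.)
$computers | ForEach-Object { Get-LogUsage -ComputerName $_ -Log $logName } |
    Sort-Object PercentUsed -Descending | Format-Table -AutoSize

# Apply the limits one computer at a time so a failure on one host is reported
# while the rest are still processed; Write-Progress tracks where we are.
$done = 0
foreach ($c in $computers) {
    $done++
    Write-Progress -Activity "Configuring $logName log" -Status $c `
        -PercentComplete (100 * $done / $computers.Count)
    try   { Limit-EventLog -ComputerName $c @limits; Write-Verbose "$c done" -Verbose }
    catch { Write-Warning "${c}: $($_.Exception.Message)" }
}
```

Run Get-LogUsage again afterwards to confirm MaxSizeMB and Overwrite reflect the new settings; as the comment below notes, these cmdlets report the registry values, so a Group Policy setting for the same log will not show up here.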

And just like that I’ve configured the System Event Log on 3 servers in literally seconds.

Setting Limit-Eventlog on multiple computers

Summary

You could scale these techniques to configure multiple Event Logs on many, many servers and desktops. I encourage you to read the full help and examples for all the cmdlets I’ve used in this article. Next time we’ll look at backing up an Event Log using PowerShell so that ultimately we can clear it out.

Articles in series

Event Log and PowerShell

1 Comment
  1. David Homer, 12 months ago

    Hi, I know you're not talking Group Policy specifically, but it seems the settings can be very misleading when Group Policy is used.

    If you've set the size, the Event Viewer UI seems to throw a confusing error and the PowerShell cmdlets and WMI classes both report the registry values *not* the policy values which are enforced. Which is pretty poor really.


© 4sysops 2006 - 2017