Event logs are terrific management tools, but they themselves require a little attention every now and then. You may need to configure a log to control size and number of entries. Many IT Pros probably accept the default values and don’t think much about it. But for the rest of you, let me demonstrate over the course of a few articles on how to manage event logs using Windows PowerShell.

Before we get to that, let me point out that most everything I’m going to discuss can be configured with Group Policy. If you think that topic merits coverage on the site, be sure to leave a comment and let me know. But, I also realize there are many shops that still don’t use Group Policy. Or you may have some servers that don’t fall into a scope of management. In these situations, PowerShell can help. All you need is PowerShell 2.0 with remoting enabled and management access via WMI.

We are also only going to focus on classic Event Logs like System and Application. These are the ones that tend to need the most attention anyway.

Checking limits

The first thing is to see what you have so far using the Get-Eventlog cmdlet. The cmdlet has a -List parameter which does exactly what it says: it lists the current Event Log information.

PS C:\> get-eventlog -list -ComputerName chi-dc01

With this command I am listing all the Event Logs on CHI-DC01.

List Event Logs

As with many things in PowerShell, the information displayed is not necessarily reflective of the underlying object properties. In this case, many of the table headings are customized and the values calculated. To retrieve a single log, you will need to pipe the command to Where-Object.

PS C:\> get-eventlog -list -ComputerName chi-dc01 | where {$_.log -eq 'system'}

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  16,384     30 OverwriteOlder        33,712 System

If we can do it for 1 we can do it for 2 or 200. Let’s check the System Event Log on all my domain controllers.

PS C:\> get-eventlog -list -ComputerName chi-dc01,chi-dc02,chi-dc04 | where {$_.log -eq 'system'} | Select Machinename,Log,MaximumKilobytes,MinimumRetentionDays,@{Name="Entries";Expression={$_.Entries.count}},OverflowAction | format-table -auto

In this command I’m using the actual property names and a calculated property for the number of entries. You can see the results.

Check the System Event Log on multiple computers

You can also get similar information using WMI, including some additional information not available with Get-Eventlog.

$logs = Get-WmiObject Win32_NTEventlogfile -filter "logfilename='system'" -computer chi-dc01,chi-dc02,chi-dc04
$logs | Select @{Name="Computername";Expression={$_.CSName}},LogFileName,
@{Name="PercentUsed";Expression={ ($_.filesize/$_.maxfilesize)*100 -as [int]}},
@{Name="Modified";Expression={$_.ConvertToDateTime($_.Lastmodified)}} |
Out-GridView -title "System Event Log Summary"

The WMI class includes file system information, so I can calculate how much of the log is being used. I'm piping the output to Out-GridView to make it easier to read, which is especially helpful when looking at many servers. The other perk is that it is easier to sort, simply by clicking on a column heading as I've done here.

System Event Log Summary

Looks like the log on CHI-DC02 needs some attention. I’ll eventually get to that.

Setting new limits

Now that I know what I have, I can change it with Limit-Eventlog. I want to set the size of the system event log to 32MB, overwrite older entries and retain for 21 days. Options for the OverflowAction are DoNotOverwrite, OverwriteAsNeeded, and OverwriteOlder. The maximum size limit must be between 64K and 4GB and divisible by 64KB. Also, please be aware that modifying event log limits might mean the loss of Event Log entries so plan accordingly.

To make things easier I’m going to create a hash table of parameters that I can splat to Limit-Eventlog.

$limitParam = @{
  Maximumsize = 32MB
  logname = "System"
  RetentionDays = 21
  OverflowAction = "OverwriteOlder"
}

Unfortunately, using multiple computer names appears to be slightly buggy. So instead I’ll process each computer individually in a ForEach loop which gives me the added benefit of tracking progress.

$computers = "chi-dc01","chi-dc02","chi-dc04"

foreach ($computer in $computers) {
 Write-Host "Setting limits on $($limitParam.logname) log on $($Computer.ToUpper())" -ForegroundColor Cyan

 #add the computer to the hashtable
 $limitParam.Computername = $computer

 Limit-EventLog @limitParam
 #show the new settings for this computer
 Get-Eventlog -list -computer $computer | where {$_.Log -eq $limitparam.logname}
}

And just like that I’ve configured the System Event Log on 3 servers in literally seconds.
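As an added example that is not part of the original article, here is how the checking and setting steps above can be combined into one function: it reads the raw properties with Get-EventLog -List, changes only the logs that drift from the desired values, and honors -WhatIf so the change can be previewed before any entries are at risk. The computer names and target values are constructed for illustration.

```powershell
function Set-DesiredEventLogLimit {
    # Added example (not from the article): audit classic event log limits on
    # several computers and change only the ones that drift from the target.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$LogName = 'System',
        [int]$MaximumKilobytes = 32768,   # 32 MB; must be a multiple of 64 KB
        [int]$RetentionDays = 21,         # only meaningful with OverwriteOlder
        [ValidateSet('DoNotOverwrite','OverwriteAsNeeded','OverwriteOlder')]
        [string]$OverflowAction = 'OverwriteOlder'
    )
    foreach ($computer in $ComputerName) {
        # -List returns one object per classic log; pick the one we care about
        $current = Get-EventLog -List -ComputerName $computer |
                   Where-Object { $_.Log -eq $LogName }
        if (-not $current) {
            Write-Warning "$LogName log not found on $computer"
            continue
        }
        # Compare the underlying properties, not the formatted table columns
        $drift = @()
        if ($current.MaximumKilobytes -ne $MaximumKilobytes) { $drift += 'MaximumKilobytes' }
        if ("$($current.OverflowAction)" -ne $OverflowAction) { $drift += 'OverflowAction' }
        if ($OverflowAction -eq 'OverwriteOlder' -and
            $current.MinimumRetentionDays -ne $RetentionDays) { $drift += 'MinimumRetentionDays' }
        if ($drift.Count -eq 0) { Write-Verbose "$computer $LogName already compliant"; continue }

        # Splat the parameters, one computer at a time as in the article
        $limitParam = @{
            LogName        = $LogName
            ComputerName   = $computer
            MaximumSize    = $MaximumKilobytes * 1KB
            OverflowAction = $OverflowAction
        }
        if ($OverflowAction -eq 'OverwriteOlder') { $limitParam.RetentionDays = $RetentionDays }

        if ($PSCmdlet.ShouldProcess("$computer/$LogName", "Set $($drift -join ', ')")) {
            Limit-EventLog @limitParam
            # Emit the post-change state so the result can be reviewed or exported
            Get-EventLog -List -ComputerName $computer | Where-Object { $_.Log -eq $LogName } |
                Select-Object MachineName, Log, MaximumKilobytes, MinimumRetentionDays, OverflowAction
        }
    }
}

# Constructed example run: preview with -WhatIf before applying for real
Set-DesiredEventLogLimit -ComputerName 'chi-dc01','chi-dc02','chi-dc04' -WhatIf
```

Because only drifting logs are touched, the function can be run on a schedule to catch logs whose limits have been changed back without repeatedly resetting compliant ones.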

Setting Limit-Eventlog on multiple computers


You could scale these techniques to configure multiple Event Logs on many, many servers and desktops. I encourage you to read the full help and examples for all the cmdlets I’ve used in this article. Next time we’ll look at backing up an Event Log using PowerShell so that ultimately we can clear it out.

1 Comment
  1. David Homer 7 years ago

    Hi, I know you're not talking Group Policy specifically, but it seems the settings can be very misleading when Group Policy is used.

    If you’ve set the size, the Event Viewer UI seems to throw a confusing error and the PowerShell cmdlets and WMI classes both report the registry values *not* the policy values which are enforced. Which is pretty poor really.

© 4sysops 2006 - 2023