Understanding event logging options

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Using Event Viewer, you can define logging parameters for each kind of event log. To define parameters, right-click a log in the console tree, and then click Properties. On the General tab, you can set the maximum size of the log and specify whether the events are overwritten or stored for a certain period of time.

The default logging policy is that if a log is full, the oldest events are deleted to make room for new events, provided the events are at least seven days old. You can customize this policy (the event log wrapping options) separately for different logs.

Event log wrapping options include the following.

| Use | To |
|---|---|
| Overwrite events as needed | Have new events continue to be written when the log is full. Each new event replaces the oldest event in the log. This option is a good choice for low-maintenance systems. |
| Overwrite events older than [x] days | Retain the log for the number of days you specify before overwriting events. The default is seven days. This option is the best choice if you want to archive log files weekly. This strategy minimizes the chance of losing important log entries and at the same time keeps log sizes reasonable. |
| Do not overwrite events | Clear or archive the log manually rather than automatically. Select this option only if you cannot afford to miss an event (for example, for the security log at a site where security is extremely important). |
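
The same three wrapping options can be inspected and set from a script. This is an added example, not part of the original page: it assumes Windows PowerShell 2.0 or later in an elevated session, and the function names Get-LogWrappingPolicy and Set-LogWrappingPolicy are hypothetical helpers built on the Get-EventLog, Limit-EventLog and Get-WmiObject cmdlets.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 2.0+, run elevated.

function Get-LogWrappingPolicy {
    # Report each log's size limit, fill level and wrapping option, using the
    # option names shown on the General tab in Event Viewer.
    $files = Get-WmiObject Win32_NTEventlogFile -EnableAllPrivileges
    foreach ($log in Get-EventLog -List) {
        $option = switch ($log.OverflowAction) {
            'OverwriteAsNeeded' { 'Overwrite events as needed' }
            'OverwriteOlder'    { "Overwrite events older than $($log.MinimumRetentionDays) days" }
            'DoNotOverwrite'    { 'Do not overwrite events' }
        }
        # Fill level matters most for 'Do not overwrite events': a full log
        # must be cleared or archived manually.
        $file = $files | Where-Object { $_.LogfileName -eq $log.Log }
        $pct = if ($file) {
            [math]::Round(100 * $file.FileSize / ($log.MaximumKilobytes * 1KB))
        } else { $null }
        New-Object PSObject -Property @{
            Log            = $log.Log
            MaximumKB      = $log.MaximumKilobytes
            PercentFull    = $pct
            WrappingOption = $option
        } | Select-Object Log, MaximumKB, PercentFull, WrappingOption
    }
}

function Set-LogWrappingPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,
        [Parameter(Mandatory = $true)]
        [ValidateSet('OverwriteAsNeeded', 'OverwriteOlder', 'DoNotOverwrite')]
        [string]$Option,
        [int]$RetentionDays = 7,    # the default retention period named on the page
        [long]$MaximumSize = 0      # bytes; 0 leaves the current maximum size unchanged
    )
    $limit = @{ LogName = $LogName; OverflowAction = $Option }
    # RetentionDays only has meaning for 'Overwrite events older than [x] days'.
    if ($Option -eq 'OverwriteOlder') { $limit.RetentionDays = $RetentionDays }
    if ($MaximumSize -ne 0) {
        # Limit-EventLog accepts only sizes that are a multiple of 64 KB.
        if ($MaximumSize % 64KB) { throw 'MaximumSize must be a multiple of 64 KB.' }
        $limit.MaximumSize = $MaximumSize
    }
    Limit-EventLog @limit
}

# Illustrative calls; the 128MB size is a constructed value, not a recommendation from the page.
# Set-LogWrappingPolicy -LogName Security -Option DoNotOverwrite -MaximumSize 128MB
# Get-LogWrappingPolicy | Format-Table -AutoSize
```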

You can also use Group Policy to set the maximum log sizes and log wrapping options, as well as set access permissions on event logs. For more information, see Settings for Event Logs.

Application and system logging start automatically when you start the computer. For information about configuring security logging, see Auditing Security Events.

Notes

  • To perform these procedures, you must be a member of the Administrators group, or have been delegated the appropriate authority, on the local computer. As a security best practice, consider using Run as to perform these procedures. For more information, see Default local groups, Default groups, and Using Run as.

  • For information about how to set event logging options using Event Viewer, see Set event logging options.