Export (0) Print
Expand All

Configuring Event Log Properties

Microsoft® Windows® 2000 Scripting Guide

Depending on the role played by a computer, you might need to change the default event log settings for that computer. If the default settings remain unchanged for all the computers in an organization, a domain controller that records thousands of events each day will be configured exactly the same as a workstation that records only 15 or 20 events a day. As a result, the domain controller might fail to record a number of important events, either because its event logs fill up too quickly or because some events might be overwritten before they can be archived.

Event log properties have typically been configured by means of the Event Viewer, a graphical user utility that has two major limitations: Event Viewer can configure only one event log on a single computer at a time, and Event Viewer cannot automate the process of configuring event logs. Because manually configuring event logs on an individual basis can be very time-consuming, administrators often leave the default settings as-is, even if those settings are not optimal for the roles played by certain computers. In turn, this means important events might not be recorded, or might be overwritten before they can be archived.

WMI enables you to write scripts that can programmatically configure event log properties. Two of the most important properties are shown in Table 12.3.

Table 12.3 Event Log Properties Configurable with WMI

Property

Description

MaxfileSize

Maximum allowable size (in bytes) for the event log.

Log files must be sized in increments of 64 KB to prevent file fragmentation. Although you can specify any size for the log file, this will automatically be resized to the nearest multiple of 64 KB. For example, if you specify a file size of 2,200 KB, the actual size will turn out to be 2,240 KB (35 x 64 KB).

OverwriteOutdated

Number of days after which a record can be overwritten when an event log reaches its maximum size. Values are the following:

  • 0 - any record can be overwritten if needed

  • 1365 - events older than the specified number of days can be overwritten as needed

  • 4294967295 - no records can be overwritten

When you reconfigure an event log, the changes you make do not take effect until the event log has been cleared. If you want the reconfiguration to take effect immediately, create your script to first reconfigure and then to back up and clear the event log.

Scripting Steps

Listing 12.4 contains a script that configures the maximum size and the overwrite policy for all the event logs on a computer. To carry out this task, the script must perform the following steps:

  1. Create a constant named wbemFlagUseAmendedQualifiers and set the value to &h2000.

    This constant is required when using the Put_ method to apply changes to an event log.

  2. Create a variable to specify the computer name.

  3. Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."

    The Security privilege is included in the moniker so that the script can access all the event logs, including the Security event log.

  4. Use the ExecQuery method to query the Win32_NTEventLogFile class. This returns a collection consisting of all the event logs on the computer.

  5. Retrieve the name of the first event log in the connection.

  6. Set the maximum file size to 400 megabytes (approximately 4194304).

  7. Set the overwrite policy so that all records older than 14 days are overwritten.

  8. Use the Put_ method to write the changes to the event log. You must include the wbemFlagUseAmendedQualifiers flag, or the script will fail.

  9. Repeat the process with the next event log in the collection.

Listing 12.4 Configuring Event Log Properties

  
1
2
3
4
5
6
7
8
9
10
11
12


Const wbemFlagUseAmendedQualifiers = &h20000
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & _
"{impersonationLevel=impersonate,(Security)}!\\" & _
 strComputer & "\root\cimv2")
Set colNTEventLogFiles = objWMIService.ExecQuery _
 ("SELECT * FROM Win32_NTEventLogFile")
For each objNTEventLogFile in colNTEventLogFiles
 objNTEventLogFile.MaxFileSize = 4194304
 objNTEventLogFile.OverwriteOutDated = 14
 objNTEventLogFile.Put_ wbemFlagUseAmendedQualifiers
Next

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft