Managing Event Logs

Microsoft® Windows® 2000 Scripting Guide

The Event service is an integral part of Windows 2000. Each time a Windows 2000-based computer is started, the Event service automatically begins recording events in the appropriate event logs, even if no one is logged on to the computer. In fact, the first event in the System event log is always a record that the Event service has been started.

The Event service is so integral to the operating system that it cannot be stopped except by turning off the computer.


  • The fact that the Event service cannot be stopped is a security measure: This prevents someone from stopping the service, carrying out an action, and then restarting the service. An administrator could carry out an action and then clear the event log, thus deleting all traces of that action, but the act of clearing the event log would be recorded as the first record in the new log.

The Event service is fully automated; you cannot stop it or start it, and you should never attempt to reconfigure it. Although the Event service is self-managing, at least two important management tasks are related to the event logs themselves: managing the size of event logs and backing up event logs.

Managing the Size of Event Logs

By default, event logs are configured for a maximum file size of 512 KB and are set to overwrite events that are older than seven days. When the log reaches its maximum size, any events older than seven days are overwritten to allow room for new records unless you reconfigure the maximum size of the log or the overwrite policy.

These default settings are adequate for user workstations and for small servers that see relatively little activity. However, these values might not be appropriate for servers such as domain controllers. For example, given the number of events recorded each day on a domain controller, 512 KB is likely to be too small a log size.

Backing Up Event Logs

To help maintain a historical record of events, you should back up your event logs on a regular schedule. However, you cannot back up event logs by using a standard backup process; a standard backup creates archived event logs that cannot be opened. Instead, to back up event logs, you must use a special backup procedure. Fortunately, this procedure is available through Windows Management Instrumentation (WMI).
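The two tasks described above, as an added example that is not part of the original guide: the script reads the size and overwrite settings of every event log through the WMI class Win32_NTEventLogFile, flags logs still at or below the 512 KB default, and archives each log with the BackupEventLog method. The folder C:\EventLogBackups, the .evt extension, and the timestamped file names are assumptions.

```vbscript
' Added example: audit event log size/retention and archive each log via WMI.
Option Explicit

Const DEFAULT_MAX_BYTES = 524288          ' 512 KB default described above
Const BACKUP_DIR = "C:\EventLogBackups"   ' assumption: change to your archive folder
Dim strComputer, objFSO, objWMI, colLogs, objLog, strFile, lngResult

strComputer = "."                         ' local computer

Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists(BACKUP_DIR) Then objFSO.CreateFolder BACKUP_DIR

' BackupEventLog requires the Backup privilege; the Security privilege is
' needed to reach the Security log. Both must be requested in the moniker.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogs = objWMI.ExecQuery("SELECT * FROM Win32_NTEventLogFile")

For Each objLog In colLogs
    ' MaxFileSize is in bytes; OverwriteOutDated is the retention period in days.
    WScript.Echo objLog.LogfileName & ": MaxFileSize=" & objLog.MaxFileSize & _
        " bytes, OverwriteOutDated=" & objLog.OverwriteOutDated & _
        " days, records=" & objLog.NumberOfRecords
    If CDbl(objLog.MaxFileSize) <= DEFAULT_MAX_BYTES Then
        WScript.Echo "  Review: log is at or below the 512 KB default."
    End If

    ' BackupEventLog fails if the target file already exists, so each
    ' archive gets a unique timestamped name.
    strFile = BACKUP_DIR & "\" & objLog.LogfileName & "_" & StampNow() & ".evt"
    lngResult = objLog.BackupEventLog(strFile)
    If lngResult = 0 Then
        WScript.Echo "  Backed up to " & strFile
    Else
        WScript.Echo "  Backup failed, return code " & lngResult
    End If
Next

' Returns the current time as YYYYMMDD_HHMMSS for use in file names.
Function StampNow()
    Dim d : d = Now
    StampNow = Year(d) & Right("0" & Month(d), 2) & Right("0" & Day(d), 2) & "_" & _
        Right("0" & Hour(d), 2) & Right("0" & Minute(d), 2) & Right("0" & Second(d), 2)
End Function
```

Run it with cscript.exe from an account that holds the backup and security-log rights. When strComputer names a remote computer, the archive path is resolved on that remote computer.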