
Set Windows Logs max size with PowerShell Limit-Eventlog


Aim to script the increase of the default size of all the Windows Logs and change some other properties. Used to do it with wevtutil but can't get this to work in 2016, so switched to PowerShell's Limit-Eventlog. Fresh Windows Server 2016 install with latest updates.

Start with the default log properties:

PS> Get-Eventlog -List

+--------+--------+-------------------+---------+------------------------+
| Max(K) | Retain |  OverflowAction   | Entries |          Log           |
+--------+--------+-------------------+---------+------------------------+
|    300 |      0 | OverwriteAsNeeded |   2,599 | Application            |
| 20,480 |      0 | OverwriteAsNeeded |       0 | HardwareEvents         |
|    512 |      7 | OverwriteAsNeeded |       0 | Internet Explorer      |
| 20,480 |      0 | OverwriteAsNeeded |       0 | Key Management Service |
| 20,480 |      0 | OverwriteAsNeeded |  10,390 | Security               |
| 20,480 |      0 | OverwriteAsNeeded |   3,561 | System                 |
| 15,360 |      0 | OverwriteAsNeeded |     360 | Windows PowerShell     |
+--------+--------+-------------------+---------+------------------------+

Change one log at a time, no errors:

PS> Limit-Eventlog -Logname Application -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
PS> Limit-Eventlog -Logname HardwareEvents -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
PS> Limit-Eventlog -Logname "Internet Explorer" -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
PS> Limit-Eventlog -Logname "Key Management Service" -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
PS> Limit-Eventlog -Logname Security -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
PS> Limit-Eventlog -Logname System -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
PS> Limit-Eventlog -Logname "Windows Powershell" -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
PS> Get-Eventlog -List

+---------+--------+-------------------+---------+------------------------+
| Max(K)  | Retain |  OverflowAction   | Entries |          Log           |
+---------+--------+-------------------+---------+------------------------+
| 204,800 |      0 | OverwriteAsNeeded |   2,599 | Application            |
| 204,800 |      0 | OverwriteAsNeeded |       0 | HardwareEvents         |
| 204,800 |      0 | OverwriteAsNeeded |       0 | Internet Explorer      |
| 204,800 |      0 | OverwriteAsNeeded |       0 | Key Management Service |
| 204,800 |      0 | OverwriteAsNeeded |  10,395 | Security               |
| 204,800 |      0 | OverwriteAsNeeded |   3,561 | System                 |
| 204,800 |      0 | OverwriteAsNeeded |     362 | Windows PowerShell     |
+---------+--------+-------------------+---------+------------------------+

I'd like to avoid hardcoding the log names. As seen via Get-Help Limit-EventLog -example, there's a better way with ForEach. However, in doing so it seems to apply Limit-Eventlog to the first log only and fail for the remaining 6. Note I've changed the value slightly (200MB to 100MB) so that it's easy to see where it fails.

$Logs = Get-Eventlog -List | Foreach {$_.log} 
 Limit-Eventlog -Logname $Logs -MaximumSize 100MB -OverflowAction OverwriteAsNeeded 
Get-Eventlog -List

+---------+--------+-------------------+---------+------------------------+
| Max(K)  | Retain |  OverflowAction   | Entries |          Log           |
+---------+--------+-------------------+---------+------------------------+
| 102,400 |      0 | OverwriteAsNeeded |   2,606 | Application            |
| 204,800 |      0 | OverwriteAsNeeded |       0 | HardwareEvents         |
| 204,800 |      0 | OverwriteAsNeeded |       0 | Internet Explorer      |
| 204,800 |      0 | OverwriteAsNeeded |       0 | Key Management Service |
| 204,800 |      0 | OverwriteAsNeeded |  10,399 | Security               |
| 204,800 |      0 | OverwriteAsNeeded |   3,563 | System                 |
| 204,800 |      0 | OverwriteAsNeeded |     369 | Windows PowerShell     |
+---------+--------+-------------------+---------+------------------------+

and the 6 errors:

Limit-Eventlog : The value supplied for MaximumSize parameter has to be in the range of 64 KB to 4GB with an increment of 64 KB. Please enter a proper 
value and then retry.
At line:2 char:5
+     Limit-Eventlog -Logname $Logs -MaximumSize 100MB -OverflowAction  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Limit-EventLog], Exception
    + FullyQualifiedErrorId : ValueOutofRange,Microsoft.PowerShell.Commands.LimitEventLogCommand

Limit-Eventlog : The value supplied for MaximumSize parameter has to be in the range of 64 KB to 4GB with an increment of 64 KB. Please enter a proper 
value and then retry.
At line:2 char:5
+     Limit-Eventlog -Logname $Logs -MaximumSize 100MB -OverflowAction  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Limit-EventLog], Exception
    + FullyQualifiedErrorId : ValueOutofRange,Microsoft.PowerShell.Commands.LimitEventLogCommand

Limit-Eventlog : The value supplied for MaximumSize parameter has to be in the range of 64 KB to 4GB with an increment of 64 KB. Please enter a proper 
value and then retry.
At line:2 char:5
+     Limit-Eventlog -Logname $Logs -MaximumSize 100MB -OverflowAction  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Limit-EventLog], Exception
    + FullyQualifiedErrorId : ValueOutofRange,Microsoft.PowerShell.Commands.LimitEventLogCommand

Limit-Eventlog : The value supplied for MaximumSize parameter has to be in the range of 64 KB to 4GB with an increment of 64 KB. Please enter a proper 
value and then retry.
At line:2 char:5
+     Limit-Eventlog -Logname $Logs -MaximumSize 100MB -OverflowAction  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Limit-EventLog], Exception
    + FullyQualifiedErrorId : ValueOutofRange,Microsoft.PowerShell.Commands.LimitEventLogCommand

Limit-Eventlog : The value supplied for MaximumSize parameter has to be in the range of 64 KB to 4GB with an increment of 64 KB. Please enter a proper 
value and then retry.
At line:2 char:5
+     Limit-Eventlog -Logname $Logs -MaximumSize 100MB -OverflowAction  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Limit-EventLog], Exception
    + FullyQualifiedErrorId : ValueOutofRange,Microsoft.PowerShell.Commands.LimitEventLogCommand

Limit-Eventlog : The value supplied for MaximumSize parameter has to be in the range of 64 KB to 4GB with an increment of 64 KB. Please enter a proper 
value and then retry.
At line:2 char:5
+     Limit-Eventlog -Logname $Logs -MaximumSize 100MB -OverflowAction  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Limit-EventLog], Exception
    + FullyQualifiedErrorId : ValueOutofRange,Microsoft.PowerShell.Commands.LimitEventLogCommand

Solution

  • I've tried this two different ways and both work as expected... both are doing the same thing, just using different syntax.

    Passing an array of log names to Limit-Eventlog:

    $Logs = Get-Eventlog -List | select -ExpandProperty Log
    Limit-Eventlog -Logname $Logs -MaximumSize 0.5Gb -OverflowAction OverwriteAsNeeded -WhatIf
    

    And using foreach to pass each Log name individually to Limit-Eventlog:

    $Logs = Get-Eventlog -List | select -ExpandProperty Log
    Foreach ($Log in $Logs) {
        Limit-Eventlog -Logname $Log -MaximumSize 0.5Gb -OverflowAction OverwriteAsNeeded -WhatIf
    }
    

    You'll need to remove -WhatIf when not testing.
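
A wrapper around the answer's per-log loop, as an added example that is not part of the original post: it checks the requested size against the constraint quoted in the error text (64 KB to 4 GB, in 64 KB increments), applies the limit one log at a time so a failure on one log is reported without hiding the others, and reads each log's setting back. `Set-ClassicLogSize` is a hypothetical name; the script assumes Windows PowerShell 5.1 in an elevated session.

```powershell
# Added example. Set-ClassicLogSize is a hypothetical helper, not a built-in cmdlet.
# Assumes Windows PowerShell 5.1 (Get-EventLog / Limit-EventLog) and an elevated session.
function Set-ClassicLogSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [long] $MaximumSize,
        [System.Diagnostics.OverflowAction] $OverflowAction = 'OverwriteAsNeeded'
    )

    # Limit-EventLog accepts 64 KB..4 GB in 64 KB increments (see the error text above).
    if ($MaximumSize -lt 64KB -or $MaximumSize -gt 4GB -or ($MaximumSize % 64KB) -ne 0) {
        throw "MaximumSize $MaximumSize is not a multiple of 64 KB between 64 KB and 4 GB."
    }

    foreach ($name in (Get-EventLog -List | Select-Object -ExpandProperty Log)) {
        # -WhatIf on this function propagates to Limit-EventLog via $WhatIfPreference.
        $status = if ($WhatIfPreference) { 'WhatIf' } else { 'Applied' }
        try {
            # One log per call, so an error on one log does not mask the rest.
            Limit-EventLog -LogName $name -MaximumSize $MaximumSize `
                -OverflowAction $OverflowAction -ErrorAction Stop
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }

        # Read the setting back instead of trusting the absence of an error.
        $current = Get-EventLog -List | Where-Object Log -eq $name
        [pscustomobject]@{
            Log            = $name
            MaxKB          = $current.MaximumKilobytes
            OverflowAction = $current.OverflowAction
            Matches        = ($current.MaximumKilobytes * 1KB) -eq $MaximumSize
            Status         = $status
        }
    }
}

# Dry run first; drop -WhatIf to apply.
Set-ClassicLogSize -MaximumSize 100MB -WhatIf | Format-Table -AutoSize
```

With `OverwriteAsNeeded`, the oldest events are discarded once a log reaches its maximum size, so the `Matches` column for the Security log is the one to check before relying on the host for event retention.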