PowerShell Limit-Eventlog

PowerShell Limit-Eventlog Cmdlet

This cmdlet could represent a watershed for using PowerShell to manage computer tasks.  Either you could configure the event logs options with the traditional Event Viewer GUI, or better still, you could master PowerShell's Limit-Eventlog.

PowerShell Limit-Eventlog Topics

• Refresher with Get-Eventlog
• Limit-Eventlog Increases Logsize
• Tactics for Event Log Settings
• Limit-Eventlog -OverflowAction
• Real-life Windows Write-Eventlog

 ♣

Refresher with Get-Eventlog

The eventlog family of PowerShell cmdlets work very well together.  Mostly I start with Get-Eventlog, because here is where I remind myself of the precise spelling of the logs; I also use Get-Eventlog to display the actual messages.

Action Point:  These days I launch the Windows Event Viewer GUI with PowerShell's Show-Eventlog, my idea is to check that the code in my scripts, matches the what I actually see in the GUI.  Furthermore, we can right click the Application log in the Event Viewer, and examine its properties and get ideas to improve the script.  See screenshot to the right.

Limit-Eventlog Increases Logsize

Perhaps Microsoft should have called it 'Increase-Eventlog'!  Here is a simple method to enlarge the application log, and thus prevent losing old messages.

Script Notes and Ideas for Improvement:

Shock: I was surprised that you have to append Kb to the size in the script.  A pure number such as 20800 won't work, even if it is multiple of 64Kb.  Furthermore, there can be no space after the number and before Kb.

Magic Moment: Despite years of writing scripts, it still gives me a little thrill to see the maximum value change in the GUI from 20480 (default) to 400000 (script).  That said, 40 Mb is rather excessive for a log file!

Supplementary Task: To reduce the log size just change -MaximumSize 40000Kb to a more reasonable size such as 2048Kb.  Just remember to append that Kb, and guess a number that's a multiple of 64.  Finally, don't try to be cute and introduce a thousand separator comma; 2,048Kb or 40,000Kb will just cause errors.

Guy Recommends:  SolarWinds’ Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Tactics for Event Log Settings

It's time to consider our tactics for the Windows Logs so that we can make good decisions.  The crucial question is what should happen when, as inevitably transpires, a log fills to capacity with event records.  My tactic is to set them all to OverWriteAsNeeded.

The main debate is over the security log settings.  The argument goes that a hacker can cover his tracks by overwriting his nefarious acts by creating so many innocuous records that they overwrite his deeds.  Thus the security log should not be allowed to overwrite.

There is a secondary debate, the question is should you also set the log's RetentionDays?  I think yes.

Limit-Eventlog -OverflowAction

Here is a script that employs a Foreach loop to set both the OverflowAction and the RetentionDays.  The role of the Foreach loop is to provide a conveyor belt of logfiles that Limit-Eventlog then processes.

Note 1: Originally, I appended Invoke-Item so that we can look for changes to the records in the Event Viewer; it helps me to have the appropriate Windows GUI open when I run my PowerShell scripts.  Then I discovered PowerShell has cmdlet for this job called: Show-Eventlog

Limit-Eventlog -OverflowAction (Fancy Version)

Note 2: I have also amended the Foreach loop, let me know which construction you prefer.

Note 3: To make this work for real you need a clear rational of how much information you want to write into various logs:  Application, Windows PowerShell or other.  My aim is just to give you examples of the mechanics and to make you aware of all the parameters that you must consider.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v11.5

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

More Research into PowerShell's Limit-Eventlog

Whenever you discover a new Windows PowerShell command, it benefits from the Get-Help treatment. To see what I mean try:

Get-Help (For Parameter Research)

Note 4: In this instance it reminded me that we can employ the -ComputerName parameter and thus configure Event Log on other machines.

Members of the PowerShell Eventlog Family

Note 5: Clear-Eventlog and Write-Eventlog look interesting.

Guy Recommends: SolarWinds Free Network Bandwidth Monitor

This freeware monitor is great for checking whether your network’s load-balancing is performing as expected, for example, are two interfaces are getting about equal traffic?

It’s easy to install and straightforward to configure. You will soon be running tests to see how much network bandwidth your applications consume.

The GUI has a lovely balance between immediate network traffic data in the middle, combined with buttons to seek related data and configuration settings. Give this monitor a try, it’s free! 

Download your free network bandwidth monitor

Summary of PowerShell Limit-Eventlog

This cmdlet enables you to configure the event logs size and overwrite options without using the eventvwr GUI.  The trickiest part is getting the numbers in the correct format, a multiple of 64 and Kb at the end, for example 20800Kb.

See more PowerShell examples to read, write and list Windows event logs

• PowerShell Home   • Get-Eventlog   • EventVwr -list  • Clear-WinEvent Function   • Remote Eventlog

• PowerShell Limit-Eventlog   • Windows 8 Event Viewer   • Get-WinEvent  • Log Event Manager

• Write-Eventlog (Basic)   • PowerShell Write-Eventlog (Adv)  • PowerShell Clear-Eventlog

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.