Ever been in a situation where you are investigating an issue that requires you to grab the Windows Event logs from a user's workstation, only to find that the log file has been overwritten with newer events, purging the earlier events you needed to trace the root cause?
This is expected behaviour: by default, the maximum file size of a Windows Event log is capped at 20 MB. Once the log reaches that size, the oldest events are overwritten by the newest ones.
You can see this maximum file size setting, as usual, in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
The below snapshot shows the default max file size limit for the Application event logs. You can see the same for the other standard event log categories namely Hardware Events, Security, and System from their respective nodes.
However, this max file size capping can be changed using local admin privilege on the workstation, or via GPO. Now obviously, we can’t use GPO for cloud-native Intune-managed workstations!
So this blog post here will show you how you can make use of Intune to change the max file size capping of the Windows Event log on the managed workstations.
Increase the max file size limit of Windows Events logs with Intune
The EventLogService Policy CSP can come to our aid for the purpose.
However, with the introduction of the Settings Catalog, and with MS adding more controls to it every month, the days of having to create custom OMA-URI policies are largely behind us.
So today in this blog post, we will be creating a Settings Catalog policy in Intune (or MEM) to change the max file size capping of 20 MB for the standard Windows Event log files on the workstation to something more, let’s say 100 MB.
Policy creation
On the MEM Admin portal, navigate to Devices -> Windows Devices -> Configuration profiles and click on Create profile to create a profile for Platform -> Windows 10 and later and Profile type -> Settings catalog.
Provide a Name and Description (optional) for the profile being created.
Click on Add settings.
From the settings picker, navigate to Administrative Templates > Windows Components > Event Log Service and for each of the four standard event categories, select the settings named Specify the maximum log file size (KB).
Once you have selected the settings for all the categories (or the categories for which you want to increase the max file size capping), flip the settings to Enabled for that category and put in the required file size calculated in KB.
In the next stage, you can make your assignments (or you can do that later, after the profile has been created, whichever way you prefer).
The final stage is reviewing the profile as created so far and once we are satisfied, we just complete the profile creation.
A notification will be received for the successful profile/policy creation.
Once the policy/profile has an active assignment, all that remains is to check whether it actually does what it was intended to do.
End-result
After doing a few syncs from my test device and checking back at Intune policy reporting, I can see that the policy succeeded for my test device.
This is a good sign, at least Intune is not showing any error.
And from the endpoint, you can open Event Viewer and then from the Log properties, check if the value as configured is being reflected or not.
But it’s not the end…
One important thing to note here is that what we have done so far only sets the maximum size of the four standard Windows Event logs, namely the Application, Security, Setup, and System logs.
The above policy/profile will not set the maximum size of other event logs, such as those under Applications and Services Logs → Microsoft in Event Viewer.
For those other event logs there are no equivalent GPO settings, and as such no equivalent MDM settings either.
But it can still be controlled via Windows Registry. The different Windows Events channels that form the Events tree other than the 4 standard Windows events can be seen from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
So if I want to increase the maximum log file size of, say, DeviceManagement-Enterprise-Diagnostics-Provider/Operational, all I need to do is find the node for it under the registry path mentioned above and check whether it contains the MaxSize REG_DWORD value. If it does, I can change the value to the one I want; if the value is not present, I can create it.
The above snap shows the default log file size for DeviceManagement-Enterprise-Diagnostics-Provider/Operational event logs.
Now I go to the registry and I see that the DeviceManagement-Enterprise-Diagnostics-Provider/Operational node does not contain the MaxSize registry value by default.
So let's go ahead and create one like below.
Let’s now open the Event Viewer and check if the change we made has been replicated in reality.
On checking, sure it does the work!
Thus, by adding/modifying the registry key and value, as shown above, you can play with the max file size capping for any event log that you want, other than the standard four Windows Events logs.
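The same registry change from a script, as an added example that is not part of the original post: it writes the MaxSize value under WINEVT\Channels the way the post describes and then reads back the effective limit with Get-WinEvent, which also serves as the endpoint check for the four standard logs. It assumes an elevated PowerShell session; the channel name (with its Microsoft-Windows- prefix) and the 100 MB target are placeholder choices.

```powershell
# Added example, not the blog author's code. Assumes an elevated session.
$ChannelBase = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'

function Set-ChannelMaxSize {
    param(
        [Parameter(Mandatory)] [string] $Channel,   # e.g. 'Microsoft-Windows-...-Provider/Operational'
        [Parameter(Mandatory)] [int]    $MaxSizeMB
    )
    # The channel name contains '/', which the HKLM: drive provider treats as a path
    # separator, so go through the .NET registry API instead of Set-ItemProperty.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ChannelBase\$Channel", $true)
    if (-not $key) { throw "No channel key found for '$Channel' under HKLM\$ChannelBase" }
    try {
        # MaxSize is a REG_DWORD holding the limit in bytes; SetValue creates it if missing
        # and updates it if present, which is exactly the manual edit shown in the post.
        $key.SetValue('MaxSize', [int]($MaxSizeMB * 1MB), [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-LogMaxSizeMB {
    param([Parameter(Mandatory)] [string[]] $LogName)
    # Get-WinEvent -ListLog reports the limit the Event Log service is enforcing,
    # the same value Event Viewer shows under Log Properties.
    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
        [pscustomobject]@{ Log = $name; MaxSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 2) }
    }
}

# Check what the Settings Catalog policy delivered for the four standard logs...
$standard = 'Application', 'Security', 'Setup', 'System'
Get-LogMaxSizeMB -LogName $standard | Format-Table -AutoSize

# ...then raise the channel used as the post's example (placeholder target of 100 MB) and verify.
$channel = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
Set-ChannelMaxSize -Channel $channel -MaxSizeMB 100
Get-LogMaxSizeMB -LogName $channel | Format-Table -AutoSize
```

The built-in `wevtutil sl <channel> /ms:<bytes>` writes the same MaxSize value in one step, so either route ends up in the same registry location.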
For this, you may resort to a PowerShell script deployment from Intune, or, if licensing permits, Proactive remediation. Not in the scope of this blog post 😅
That’s all for today…