Configuring Event Logs with Group Policy
I was trolling around GP Editor in Windows 8 and found a set of Administrative Template settings that I had not seen before. Interestingly, those settings did indeed exist in Windows 7 (and probably Vista), so it was just me missing them. Prior to those OS releases, if you wanted to configure Windows Event Logs for things like maximum log size or retention behavior, you traditionally did that from within Security Settings, specifically under Computer Configuration\Policies\Windows Settings\Security Settings\Event Log. However, Microsoft added a new Administrative Template way of doing this in Windows Vista, and it has been updated slightly in Windows 8 (at least the names of the policies have changed). These Admin Template settings are found under Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service, as shown below:
What is curious/frustrating about these Admin Template settings is that some of them overlap the Security Settings controls and some of them are unique. For example, you can set the maximum log size in both areas, so which one wins? Well, after doing some testing, it would appear that the Admin Templates log size control won out over Security Settings. Good to know!
In addition, the Admin Templates area contains some rather confusing options, such as the control of the retention method. In Security Settings, you can set an overwrite-events-by-days option that is not available in Admin Templates (the Admin Templates side only lets you choose between overwriting as needed and retaining old events, optionally backing the log up when it fills). But Admin Templates does contain a couple of nice options: specifically, you can change where the underlying event log (.evtx) files are stored on a system, and you can change the security descriptor (an SDDL string) on a log, which controls who can read, write and clear it. Heretofore that required some registry gymnastics to accomplish, so that's a nice feature. Two caveats worth knowing before you use them: the folder you point a log at must grant the Event Log service (which runs as LOCAL SERVICE) write access, or the log will fail to open; and a security descriptor that drops the write grant for a principal that produces events for that log silently breaks logging for it, so start from the log's current descriptor (wevtutil gl <log> shows it as channelAccess) and remove only the grants you mean to remove.
So, which area should you use? Well, certainly don't use both if you can avoid it, and if you have to use both, don't set overlapping options; that will just confuse things, and it makes it hard to tell from a machine which policy produced the value you see in Event Viewer.
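If you inherit a domain where both areas have been used, the quickest way to find the overlap is to look at what each one actually wrote to a machine next to what the Event Log service ended up using. The script below is an added example and not part of the original post. It assumes that the Administrative Templates policies (EventLog.admx) land under HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\<Log> with the value names MaxSize, Retention, AutoBackupLogFiles, File and ChannelAccess, and that the legacy Security Settings\Event Log policies are applied to the service's own key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>; verify those names against your own copy of the ADMX before relying on them.

```powershell
# Added example, not from the original post.
# Audit the four standard logs: what each policy area wrote to the registry
# versus what the Event Log service is actually using right now.
# Assumption: Admin Templates (EventLog.admx) write to the Policies key below;
# the legacy Security Settings\Event Log policies write to the service key.
# Run elevated (Security log details need it); needs PowerShell 2.0 or later.

$logs = 'Application', 'Security', 'Setup', 'System'

foreach ($log in $logs) {
    $policyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
    $serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"

    $policy  = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $service = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
    $live    = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue

    # Both places carry a MaxSize: this is the overlap the post says to avoid.
    # Caveat: a value on the service key can also come from a local change in
    # Event Viewer or wevtutil, so it means "configured somewhere", not proof
    # that the Security Settings policy put it there.
    $overlap = ($null -ne $policy.MaxSize) -and ($null -ne $service.MaxSize)

    [pscustomobject]@{
        Log                  = $log
        # Effective values as the service reports them (bytes, mode, path, SDDL)
        EffectiveMaxBytes    = if ($live) { $live.MaximumSizeInBytes } else { $null }
        EffectiveLogMode     = if ($live) { $live.LogMode } else { $null }
        EffectiveLogFile     = if ($live) { $live.LogFilePath } else { $null }
        EffectiveSDDL        = if ($live) { $live.SecurityDescriptor } else { $null }
        # Admin Templates policy values, raw as stored
        AdmTpl_MaxSize       = $policy.MaxSize
        AdmTpl_Retention     = $policy.Retention
        AdmTpl_AutoBackup    = $policy.AutoBackupLogFiles
        AdmTpl_File          = $policy.File
        AdmTpl_ChannelAccess = $policy.ChannelAccess
        # Service key values, raw as stored (legacy Security Settings land here)
        SecSet_MaxSize       = $service.MaxSize
        SecSet_Retention     = $service.Retention
        OverlappingMaxSize   = $overlap
    }
}
```

Pipe the output to Format-List on one machine, or wrap it in Invoke-Command and Export-Csv to run it across a fleet. Any row where both an AdmTpl_ and a SecSet_ column carry a value for the same setting is the overlap described above; the Effective columns tell you which one the service honored, and the raw registry values are left unconverted because the two locations do not store sizes in the same units.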
Oh, and if you need to control the behavior of event logs other than the four standard ones (Application, Security, Setup and System), forget it. None of the others are supported in either policy area. You'll have to create custom ADMX files to accomplish this. I did this a while ago with some custom ADM files for Server 2003 to support controlling AD-related logs, so you can follow that general approach in newer OS's.
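Short of writing the custom ADMX, the same five properties the Admin Templates expose (size, retention, automatic backup, file location and channel access) can be set on any channel with wevtutil.exe, which ships with Vista/Server 2008 and later, and a computer startup script in a GPO is a workable way to push that to domain controllers. This is an added example and not code from the original post; the Directory Service log, the D:\Logs path and the SDDL string are assumptions chosen for illustration, and a startup script is a workaround rather than a policy, since nothing re-applies it when an administrator changes the log locally.

```powershell
# Added example, not from the original post.
# Configure a channel the built-in policies do not cover (here the Directory
# Service log on a domain controller) with wevtutil, which can set the same
# properties the Admin Templates expose for the four standard logs.
# Run elevated on the DC, for instance as a GPO computer startup script.

$channel = 'Directory Service'   # assumed target channel; any name from "wevtutil el" works

# Show the current configuration first (maxSize, retention, autoBackup,
# logFileName, channelAccess). Keep a copy: it is the quickest way back.
wevtutil gl $channel

# Maximum size in bytes (128 MB), keep old events instead of overwriting them,
# and archive the log automatically when it fills. /ab only takes effect when
# /rt is true, matching the dependency between the two ADMX settings.
wevtutil sl $channel /ms:134217728 /rt:true /ab:true

# Move the log file. The folder must grant the Event Log service (LOCAL SERVICE)
# modify access, otherwise the channel fails to open after the change.
$target = 'D:\Logs\DirectoryService.evtx'                  # assumed path
New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
$acl  = Get-Acl (Split-Path $target)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\LOCAL SERVICE', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl (Split-Path $target) $acl
wevtutil sl $channel /lfn:$target

# Restrict who can read the log. Access mask bits: 0x1 read, 0x2 write, 0x4 clear.
# This constructed SDDL keeps SYSTEM (the principal that writes this log),
# Administrators and Server Operators, and gives Event Log Readers
# (S-1-5-32-573) read-only access; adjust it to your environment.
$sddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x1;;;S-1-5-32-573)'
wevtutil sl $channel /ca:$sddl

# Verify through wevtutil and through the .NET view PowerShell uses.
wevtutil gl $channel
Get-WinEvent -ListLog $channel |
    Select-Object LogName, MaximumSizeInBytes, LogMode, LogFilePath, SecurityDescriptor
```

Because the script is idempotent, re-running it at every boot is harmless, and comparing the wevtutil gl output before and after the run is a cheap way to spot a log that someone reconfigured by hand in between.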