< Back
Limit-EventLog
Post
NAME Limit-EventLog
SYNOPSIS
Sets the event log properties that limit the size of the event log and the age of its entries.
SYNTAX
Limit-EventLog [-LogName] <String[]> [-ComputerName <String[]>] [-Confirm] [-MaximumSize <Int64>] [-OverflowAction {OverwriteOlder |
OverwriteAsNeeded | DoNotOverwrite}] [-RetentionDays <Int32>] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log
reaches its maximum size. You can use it to limit the event logs on local or remote computers.
The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows
Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.
PARAMETERS
-ComputerName <String[]>
Specifies remote computers. The default is the local computer.
Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name (FQDN) of a remote computer. To specify the local
computer, type the computer name, a dot (.), or localhost.
This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Limit-EventLog even if your computer is
not configured to run remote commands.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-LogName <String[]>
Specifies the event logs. Enter the log name (the value of the Log property; not the LogDisplayName) of one or more event logs, separated by
commas. Wildcard characters are not permitted. This parameter is required.
Required? true
Position? 0
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-MaximumSize <Int64>
Specifies the maximum size of the event logs in bytes. Enter a value between 64 kilobytes (KB) and 4 gigabytes (GB). The value must be
divisible by 64 KB (65536).
This parameter specifies the value of the MaximumKilobytes property of the System.Diagnostics.EventLog object that represents a classic event
log.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-OverflowAction <OverflowAction>
Specifies what happens when the event log reaches its maximum size.
The acceptable values for this parameter are:
- DoNotOverwrite: Existing entries are retained and new entries are discarded.
- OverwriteAsNeeded: Each new entry overwrites the oldest entry.
- OverwriteOlder: New events overwrite events older than the value specified by the MinimumRetentionDays property. If there are no events
older than specified by the MinimumRetentionDays property value, new events are discarded.
This parameter specifies the value of the OverflowAction property of the System.Diagnostics.EventLog object that represents a classic event
log.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-RetentionDays <Int32>
Specifies the minimum number of days that an event must remain in the event log.
This parameter specifies the value of the MinimumRetentionDays property of the System.Diagnostics.EventLog object that represents a classic
event log.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
You cannot pip input to this cmdlet.
OUTPUTS
None
This cmdlet does not generate any output.
NOTES
* To use this cmdlet on Windows Vista and later versions of Windows, open Windows PowerShell with the Run as administrator option.
This cmdlet changes the properties of the System.Diagnostics.EventLog object that represents a classic event log. To see the current settings
of the event log properties, type `Get-EventLog -List`.
*
Example 1: Increase the size of an event log
PS C:\\>Limit-EventLog -LogName "Windows PowerShell" -MaximumSize 20KB
This command increases the maximum size of the Windows PowerShell event log on the local computer to 20480 bytes (20 KB).
Example 2: Retain an event log for a specified duration
PS C:\\>Limit-EventLog -LogName Security -ComputerName "Server01", "Server02" -RetentionDays 7
This command ensures that events in the Security log on the Server01 and Server02 computers are retained for at least 7 days.
Example 3: Change the overflow action of all event logs
PS C:\\>$Logs = Get-EventLog -List | ForEach {$_.log}
PS C:\\> Limit-EventLog -OverflowAction OverwriteOlder -LogName $Logs
PS C:\\> Get-EventLog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
15,168 0 OverwriteOlder 3,412 Application
512 0 OverwriteOlder 0 DFS Replication
512 0 OverwriteOlder 17 DxStudio
10,240 7 OverwriteOlder 0 HardwareEvents
512 0 OverwriteOlder 0 Internet Explorer
512 0 OverwriteOlder 0 Key Management Service
16,384 0 OverwriteOlder 4 ODiag
16,384 0 OverwriteOlder 389 OSession Security
15,168 0 OverwriteOlder 19,360 System
15,360 0 OverwriteOlder 15,828 Windows PowerShell
This example changes the overflow action of all event logs on the local computer to OverwriteOlder.
The first command gets the log names of all of the logs on the local computer. The second command sets the overflow action. The third command
displays the results.
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?LinkId=821600
Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog
SYNOPSIS
Sets the event log properties that limit the size of the event log and the age of its entries.
SYNTAX
Limit-EventLog [-LogName] <String[]> [-ComputerName <String[]>] [-Confirm] [-MaximumSize <Int64>] [-OverflowAction {OverwriteOlder |
OverwriteAsNeeded | DoNotOverwrite}] [-RetentionDays <Int32>] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log
reaches its maximum size. You can use it to limit the event logs on local or remote computers.
The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows
Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.
PARAMETERS
-ComputerName <String[]>
Specifies remote computers. The default is the local computer.
Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name (FQDN) of a remote computer. To specify the local
computer, type the computer name, a dot (.), or localhost.
This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Limit-EventLog even if your computer is
not configured to run remote commands.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-LogName <String[]>
Specifies the event logs. Enter the log name (the value of the Log property; not the LogDisplayName) of one or more event logs, separated by
commas. Wildcard characters are not permitted. This parameter is required.
Required? true
Position? 0
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-MaximumSize <Int64>
Specifies the maximum size of the event logs in bytes. Enter a value between 64 kilobytes (KB) and 4 gigabytes (GB). The value must be
divisible by 64 KB (65536).
This parameter specifies the value of the MaximumKilobytes property of the System.Diagnostics.EventLog object that represents a classic event
log.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-OverflowAction <OverflowAction>
Specifies what happens when the event log reaches its maximum size.
The acceptable values for this parameter are:
- DoNotOverwrite: Existing entries are retained and new entries are discarded.
- OverwriteAsNeeded: Each new entry overwrites the oldest entry.
- OverwriteOlder: New events overwrite events older than the value specified by the MinimumRetentionDays property. If there are no events
older than specified by the MinimumRetentionDays property value, new events are discarded.
This parameter specifies the value of the OverflowAction property of the System.Diagnostics.EventLog object that represents a classic event
log.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-RetentionDays <Int32>
Specifies the minimum number of days that an event must remain in the event log.
This parameter specifies the value of the MinimumRetentionDays property of the System.Diagnostics.EventLog object that represents a classic
event log.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
You cannot pip input to this cmdlet.
OUTPUTS
None
This cmdlet does not generate any output.
NOTES
* To use this cmdlet on Windows Vista and later versions of Windows, open Windows PowerShell with the Run as administrator option.
This cmdlet changes the properties of the System.Diagnostics.EventLog object that represents a classic event log. To see the current settings
of the event log properties, type `Get-EventLog -List`.
*
Example 1: Increase the size of an event log
PS C:\\>Limit-EventLog -LogName "Windows PowerShell" -MaximumSize 20KB
This command increases the maximum size of the Windows PowerShell event log on the local computer to 20480 bytes (20 KB).
Example 2: Retain an event log for a specified duration
PS C:\\>Limit-EventLog -LogName Security -ComputerName "Server01", "Server02" -RetentionDays 7
This command ensures that events in the Security log on the Server01 and Server02 computers are retained for at least 7 days.
Example 3: Change the overflow action of all event logs
PS C:\\>$Logs = Get-EventLog -List | ForEach {$_.log}
PS C:\\> Limit-EventLog -OverflowAction OverwriteOlder -LogName $Logs
PS C:\\> Get-EventLog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
15,168 0 OverwriteOlder 3,412 Application
512 0 OverwriteOlder 0 DFS Replication
512 0 OverwriteOlder 17 DxStudio
10,240 7 OverwriteOlder 0 HardwareEvents
512 0 OverwriteOlder 0 Internet Explorer
512 0 OverwriteOlder 0 Key Management Service
16,384 0 OverwriteOlder 4 ODiag
16,384 0 OverwriteOlder 389 OSession Security
15,168 0 OverwriteOlder 19,360 System
15,360 0 OverwriteOlder 15,828 Windows PowerShell
This example changes the overflow action of all event logs on the local computer to OverwriteOlder.
The first command gets the log names of all of the logs on the local computer. The second command sets the overflow action. The third command
displays the results.
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?LinkId=821600
Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog