
Event log Overwrite

Someone came up with a really good question today in the MSDN forums.

When I am creating an event log I would like to configure overwriting for it ...

This is the best I could come up with... Does anyone know of a WMI solution? I could not find one and frankly the concept of configuring this directly through the registry scares me!

The framework does not seem to have an abstraction for it but some quick research brought up the following ... it appears to be controlled by a registry key (note the retention key). I would imagine there might also be a WMI interface to this but could not locate one.

Here is a copy/paste of the info.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog

Registry value: Description

CustomSD: For more information, see Event Logging Security.

DisplayNameFile: Name of the file that stores the localized name of the event log. The name stored in this file appears as the log name in Event Viewer. If this entry does not appear in the registry for an event log, Event Viewer displays the name of the registry subkey as the log name. This value is of type REG_EXPAND_SZ. The default value is %SystemRoot%\system32\els.dll.

DisplayNameID: Message identification number of the log name string. This number indicates the message in which the localized display name appears. The message is stored in the file specified by the DisplayNameFile value. This value is of type REG_DWORD.

File: Fully-qualified path to the file where each event log is stored. This enables Event Viewer and other applications to find the log files. This value is of type REG_EXPAND_SZ. The default is %SystemRoot%\system32\config\AppEvent.evt.

MaxSize: Maximum size of the log file. This value is of type REG_DWORD and must be 0x10000 to 0xFFFF0000, in 64K increments. The default value is 0x80000 (512K).

PrimaryModule: Name of the subkey that contains the default values for the entries in the subkey for the event source. This value is of type REG_SZ.

Retention: Time interval, in seconds, that records of events are protected from being overwritten. When the age of an event reaches or exceeds this value, it can be overwritten. This value is of type REG_DWORD. The default value is 0x93A80 (604,800 seconds or 7 days). If this value is 0, the records are protected until the log reaches its maximum size. If this value is 0xFFFFFFFF, records are never overwritten. When the log file reaches its maximum size, you must clear the log manually; otherwise, new events are discarded. You must also clear the log before you can change its size.
  • 00000000 means overwrite messages as needed,
  • 604800 equals 7 days (60 secs * 60 mins * 24 hrs * 7 days),
  • FFFFFFFF means do not overwrite messages.

Sources: Names of the applications, services, or groups of applications that write events to this log. Each program listed has a corresponding subkey under the log. This value is of type REG_MULTI_SZ.
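To make the Retention and MaxSize semantics above concrete, here is an added PowerShell example (my own, not from the original post or the MSDN thread) that reads a log's overwrite policy from that key and sets it with the range and 64K-alignment checks the table specifies. It assumes the log's subkey already exists and that the shell is elevated, since writing under HKLM requires it.

```powershell
# Added example, not from the original post. Assumes the log subkey exists and an elevated shell.
$EventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-EventLogRetentionPolicy {
    param([Parameter(Mandatory)][string]$LogName)
    $p = Get-ItemProperty -Path "$EventLogKey\$LogName" -ErrorAction Stop
    # REG_DWORD comes back as a signed Int32; recover the unsigned bit pattern.
    # A missing Retention value means the documented default (0x93A80 = 7 days).
    $raw = if ($null -eq $p.Retention) { 0x93A80 } else { $p.Retention }
    $retention = [uint32]($raw -band 0xFFFFFFFF)
    $policy = switch ($retention) {
        0          { 'OverwriteAsNeeded' }
        0xFFFFFFFF { 'DoNotOverwrite (new events are discarded once MaxSize is reached)' }
        default    { "OverwriteOlderThan $($retention / 86400) days" }
    }
    [pscustomobject]@{ Log = $LogName; Retention = $retention; Policy = $policy; MaxSize = $p.MaxSize }
}

function Set-EventLogRetentionPolicy {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)]
        [ValidateSet('OverwriteAsNeeded', 'OverwriteOlderThanDays', 'DoNotOverwrite')][string]$Policy,
        [int]$Days = 7,
        [uint32]$MaxSizeBytes    # optional; 0x10000..0xFFFF0000 in 64K increments, per the table
    )
    $key = "$EventLogKey\$LogName"
    $value = switch ($Policy) {
        'OverwriteAsNeeded'      { 0 }
        'OverwriteOlderThanDays' { $Days * 86400 }
        'DoNotOverwrite'         { -1 }   # Int32 -1 is the 0xFFFFFFFF bit pattern of the DWORD
    }
    Set-ItemProperty -Path $key -Name Retention -Value $value -Type DWord
    if ($PSBoundParameters.ContainsKey('MaxSizeBytes')) {
        if ($MaxSizeBytes -lt 0x10000 -or $MaxSizeBytes -gt 0xFFFF0000 -or ($MaxSizeBytes % 0x10000) -ne 0) {
            throw 'MaxSize must be between 0x10000 and 0xFFFF0000 in 64K increments'
        }
        # Reinterpret the unsigned size as Int32 so values above 2 GB still land as a DWORD.
        $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($MaxSizeBytes), 0)
        # Per the table above, the log must be cleared before its size can be changed.
        Set-ItemProperty -Path $key -Name MaxSize -Value $dword -Type DWord
    }
}

# Read-only check; useful for auditing whether a log silently discards events when full.
Get-EventLogRetentionPolicy -LogName Application
```

The write path is only exercised when you call Set-EventLogRetentionPolicy yourself; the final line just reports the current policy of the Application log.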

Copyright © Greg Young