PowerShell Quick Guide: Managing Event Log Sizes and Retention

Hey there, fellow threat hunters! 👋 Today we're talking about something that can bite you when you least expect it - Event Log sizes and retention policies. Because nobody wants to investigate an incident only to find out the logs are gone!

Check Current Log Settings

First, let's see what we're working with:

# Get settings for all logs (SilentlyContinue skips logs you lack access to
# instead of spraying errors; run elevated to see everything)
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
Where-Object {$_.RecordCount -gt 0} |
Select-Object LogName, FileSize, MaximumSizeInBytes, RecordCount, LogMode |
Sort-Object FileSize -Descending |
Format-Table -AutoSize

# Or focus on the Security log
Get-WinEvent -ListLog Security |
Select-Object LogName, FileSize, MaximumSizeInBytes, RecordCount, LogMode

Understanding LogMode

The LogMode property tells you what happens when the log is full:

  • Circular: Overwrites oldest events (default)
  • AutoBackup: Automatically archives and starts new log
  • Retain: Keeps events and requires manual clearing
  • Archive: Similar to AutoBackup but stops logging when full

Modifying Log Settings

Let's adjust these settings to meet our needs:

# Increase Security log size to 4GB (wevtutil takes the size in bytes;
# 4GB expands to 4294967296 in PowerShell)
$maximumSize = 4GB
wevtutil set-log Security /maxsize:$maximumSize

# Or using PowerShell's Limit-EventLog (classic Windows logs only; this cmdlet
# exists in Windows PowerShell 5.1 but not in PowerShell 7)
Limit-EventLog -LogName Security -MaximumSize 4GB

# Change retention to AutoBackup. /retention:true on its own gives you Retain
# mode (logging stops when the log is full); /autobackup:true is what makes
# wevtutil archive the full log and start a new one.
wevtutil set-log Security /retention:true /autobackup:true

Checking Available Space

Before setting huge log sizes, check your disk space:

# Get disk space on the drive where Windows is installed
# (Get-CimInstance replaces the deprecated Get-WmiObject and works in PowerShell 7)
Get-CimInstance -ClassName Win32_LogicalDisk |
Where-Object {$_.DeviceID -eq $env:SystemDrive} |
Select-Object DeviceID,
    @{N='FreeSpace(GB)';E={[math]::Round($_.FreeSpace/1GB, 2)}},
    @{N='TotalSpace(GB)';E={[math]::Round($_.Size/1GB, 2)}}

Backup Before Changes

Always backup important logs before making changes:

# Backup Security log (the target folder must already exist; wevtutil will not create it)
wevtutil export-log Security "C:\Backup\Security_$(Get-Date -Format 'yyyyMMdd').evtx"

You could obviously also use the GUI.

Pro Tips

  • Monitor log sizes: Set up alerts for when logs are near capacity
  • Regular backups: Automate log exports for critical events
  • Right-size your logs: Balance between retention needs and disk space
  • Check compliance: Some regulations require specific retention periods

Monitoring Script

Here's a simple script to monitor log sizes:

# Monitor logs over 75% full
# Note: a Circular log that has wrapped sits at its maximum size permanently,
# so this tells you which logs are full, not how far back their events reach.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
Where-Object {$_.RecordCount -gt 0 -and $_.MaximumSizeInBytes -gt 0} |  # avoid divide-by-zero
ForEach-Object {
    $percentFull = ($_.FileSize / $_.MaximumSizeInBytes) * 100
    if ($percentFull -gt 75) {
        [PSCustomObject]@{
            LogName     = $_.LogName
            PercentFull = [math]::Round($percentFull, 2)
            MaxSizeMB   = [math]::Round($_.MaximumSizeInBytes/1MB, 2)
            CurrentMB   = [math]::Round($_.FileSize/1MB, 2)
        }
    }
} |
Format-Table -AutoSize
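Size alone does not answer the question a hunter actually has: how many days of history does each log still hold? The script below is an added example, not from the original post; it compares the oldest and newest surviving event in each log and flags logs whose window is shorter than an assumed threshold (the $MinimumDays value and the log list are placeholders to adjust; run elevated so the Security log is readable).

```powershell
# Added example: measure the retention window each log really holds.
# For a Circular log the file stays at its maximum once it has wrapped, so
# FileSize tells you nothing about whether last week's events are still there.
# Assumptions: $MinimumDays and $LogsToCheck are placeholders; run as an
# account that can read the Security log (typically elevated).

$MinimumDays = 7
$LogsToCheck = @('Security', 'System', 'Application',
                 'Microsoft-Windows-PowerShell/Operational')

function Get-LogRetentionWindow {
    param([Parameter(Mandatory)][string]$LogName)

    # -Oldest reads from the start of the log, so the first event returned
    # is the oldest record still present; without it you get the newest.
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    $info   = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue

    if (-not $oldest -or -not $newest) {
        # Empty, disabled or unreadable log: report it instead of skipping silently.
        return [PSCustomObject]@{
            LogName = $LogName; LogMode = $info.LogMode
            OldestEvent = $null; NewestEvent = $null
            DaysRetained = 0; Status = 'NoData'
        }
    }

    $span = $newest.TimeCreated - $oldest.TimeCreated
    # A log that has wrapped and covers less than the threshold is the case
    # this post warns about: the maximum size is too small for the event volume.
    $status = if ($span.TotalDays -lt $MinimumDays) { 'TooShort' } else { 'OK' }

    [PSCustomObject]@{
        LogName      = $LogName
        LogMode      = $info.LogMode
        OldestEvent  = $oldest.TimeCreated
        NewestEvent  = $newest.TimeCreated
        DaysRetained = [math]::Round($span.TotalDays, 1)
        Status       = $status
    }
}

$LogsToCheck | ForEach-Object { Get-LogRetentionWindow -LogName $_ } |
    Sort-Object DaysRetained |
    Format-Table -AutoSize
```

Any log reporting TooShort is a candidate for a larger maximum size or for AutoBackup mode, and NoData on a log you expect to be busy is worth a look on its own.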

Wrapping Up

Properly configured log sizes and retention policies are crucial for security monitoring and incident response. Don't wait until it's too late to find out your logs are being overwritten!

Stay safe, and happy hunting! 🕵️‍♂️

P.S. Want to learn more? Check out the official Microsoft documentation:

  • PowerShell Limit-EventLog Documentation
  • Wevtutil Command Documentation
  • Windows Event Log Architecture
