Event logs in Windows platforms offer invaluable insight into system operations and potential issues. As such, IT professionals need a way to adjust these logs’ sizes to accommodate different requirements. This article delves into a PowerShell script designed specifically for those wondering how to increase event log file size, ensuring systems are always under proper surveillance.
Background
PowerShell, Microsoft’s task automation framework, has become an indispensable tool for IT professionals globally. Among its numerous capabilities is the ability to modify system configurations, including the size of Event Logs. As systems generate vast amounts of logs over time, having the ability to adjust the storage capacity of these logs is crucial for Managed Service Providers (MSPs) and IT administrators.
The Script
#Requires -Version 5.1
<#
.SYNOPSIS
Changes the max size for the specified Event Logs.
.DESCRIPTION
Changes the max size for the specified Event Logs.
Common log names used: Security, Application, System
To get a list of Event Log names from your system you can run:
Get-WinEvent -ListLog * | Select-Object LogName
.EXAMPLE
-LogName Security -MaxSize 50MB
Changes the max log size for Security to 50MB
.EXAMPLE
-LogName Security, Application, System -MaxSize 50MB
Changes the max log size for Security, Application, and System to 50MB
.OUTPUTS
None
.NOTES
Windows 10 defaults to 20MB / 20480KB
Minimum OS Architecture Supported: Windows 10, Windows Server 2016
Release Notes:
Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>
[CmdletBinding(SupportsShouldProcess)]
param (
# Event Log name
# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/limit-eventlog?view=powershell-5.1#-logname
[Parameter(Mandatory = $true)]
[ValidateScript(
{
if ( -not $($_ | Where-Object { $_ -in $(Get-WinEvent -ListLog * | Select-Object LogName).LogName }) ) {
throw "$_ is not a valid Event Log Name."
}
else {
$true
}
}
)]
[String[]]
$LogName,
# The max size of the event log storage in KB.
# Use KB, MB, or GB after your number like 111MB for example.
[Parameter(Mandatory = $true)]
[Int64]
[ValidateRange(64KB, 4GB)]
$MaxSize
)
begin {
function Test-IsElevated {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
$p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
if (-not (Test-IsElevated)) {
Write-Error -Message "Access Denied. Please run with Administrator privileges."
exit 1
}
"Used Parameters:"
$(
$PSBoundParameters.Keys | ForEach-Object {
$Key = $_
$Value = $PSBoundParameters["$_"] -join ', '
"-$Key $Value"
}
) -join ' '
# Look for Event log names that don't exist
if ($($LogName | ForEach-Object { $_ -notin $(Get-WinEvent -ListLog * | Select-Object LogName).LogName })) {
$InvalidLogNames = $LogName | Where-Object { $_ -notin $(Get-WinEvent -ListLog * | Select-Object LogName).LogName }
Write-Error "Invalid Log Names Found."
Write-Host "Invalid Log Names: $($InvalidLogNames -join ', ')"
exit 1
}
"Current Log Sizes:"
Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes | ForEach-Object {
"$($_.LogName): $($_.MaximumSizeInBytes / 1024)KB"
}
}
process {
if ($PSCmdlet.ShouldProcess($($LogName -join ','), "Limit-EventLog")) {
Limit-EventLog -LogName $LogName -MaximumSize $MaxSize -ErrorAction Stop
# -ErrorAction Stop will exit and return an exit code of 1
"Changed Log Sizes to:"
Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes | ForEach-Object {
"$($_.LogName): $($_.MaximumSizeInBytes / 1024)KB"
}
}
else {
# If -WhatIf was used then print out what the changes would have been.
"Would have changed the max log size(s) of: $($LogName -join ',') to $($MaxSize / 1024)KB"
}
}
end {}
Access 300+ scripts in the NinjaOne Dojo
Detailed Breakdown
The script begins by validating its environment requirements. Then, it does the following:
- Parameter Definitions: Parameters for specifying the log names ($LogName) and the desired maximum size ($MaxSize) are established.
- Elevation Check: A function, Test-IsElevated, is used to ensure the script runs with administrative privileges, a necessity for modifying event log properties.
- Log Name Validation: The script validates that the provided log names exist on the system using the Get-WinEvent cmdlet.
- Display Current Sizes: Before making any changes, the script displays the current sizes of the specified logs.
- Size Adjustment: If validation passes and user approval is obtained (with the $PSCmdlet.ShouldProcess check), the Limit-EventLog cmdlet adjusts the log sizes to the desired value.
Potential Use Cases
Case Study: Imagine an IT admin for a large corporation where critical applications produce copious logs daily. Regularly, the Application log fills up, causing newer events to overwrite older ones. Using this script, the admin can easily increase the size of the Application log to ensure important data isn’t lost.
Comparisons
Traditionally, increasing an event log’s size involved navigating through the Event Viewer GUI, right-clicking the desired log, selecting ‘Properties’, and then adjusting the size. The script offers an automated, efficient, and error-reducing alternative. It also enables batch adjustments, a capability not easily achieved with manual methods.
FAQs
- Can I use this script to reduce log size?
Yes, specify a size smaller than the current one. - What happens if I specify an invalid log name?
The script performs validation and will provide an error message, then terminate. - What if I want to see what the script does without making changes?
Use the -WhatIf switch when executing, and the script will display the actions without executing them.
Implications
While increasing log sizes can ensure vital data retention, it also has storage implications. If system drives are near capacity and logs are expanded significantly, it might result in out-of-space issues. Moreover, larger log files can slightly impact the speed of certain log queries.
Recommendations
- Regularly monitor your storage after increasing log sizes.
- Only adjust log sizes when necessary and have a clear understanding of why.
- Always keep logs, especially the Security log, in a monitored state to identify potential security threats.
Final Thoughts
For MSPs and IT professionals, tools like NinjaOne can be crucial when dealing with log management and related tasks. NinjaOne, integrated with scripts like the one discussed, can further streamline system management, making it easier than ever to ensure system health and security.
