Friday, 27 December 2013

Limitations in Win32_NTEventLogFile when reading "Archive the log when full, do not overwrite events"

It seems that the WMI classes are often overlooked when Microsoft adds new functionality to the management features of Windows.

I've noticed that there are several Event Log settings not supported by the Win32_NTEventLogFile WMI class.

One such option is the ability to set and read the overwrite method "Archive the log when full, do not overwrite events" from the class.

This setting is a combination of the OverwriteOutDated property and the following registry value, where Name is the name of the event log (for example Application or System):

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Name
Value: AutoBackupLogFiles

When this registry value is set to a non-zero value, the option is enabled.
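As an added example (not code from the original post or from XIA Configuration Server), the following PowerShell function reads OverwritePolicy and OverwriteOutDated from Win32_NTEventLogFile, reads AutoBackupLogFiles from the registry key named above, and combines the two into the wording used in the Event Viewer user interface. The mapping of OverwritePolicy values to UI options is my own understanding and is an assumption, not something stated in the post.

```powershell
# Added example: combine Win32_NTEventLogFile with the AutoBackupLogFiles registry
# value to report the effective retention setting for each event log.
function Get-EventLogRetentionPolicy {
    [CmdletBinding()]
    param(
        [string[]]$LogName = @('Application', 'Security', 'System')
    )

    foreach ($name in $LogName) {
        # Win32_NTEventLogFile exposes OverwritePolicy (WhenNeeded / OutDated / Never)
        # and OverwriteOutDated (number of days, 0, or 4294967295).
        $wmi = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogfileName='$name'"
        if (-not $wmi) {
            Write-Warning "Event log '$name' not found via Win32_NTEventLogFile"
            continue
        }

        # The WMI class does not expose the archive option, so read the registry
        # value directly. A missing value is treated as 0 (archive disabled).
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$name"
        $autoBackup = 0
        $item = Get-ItemProperty -Path $regPath -Name AutoBackupLogFiles -ErrorAction SilentlyContinue
        if ($item) { $autoBackup = [int]$item.AutoBackupLogFiles }

        # Assumed mapping to the three Event Viewer options: "Never" with a
        # non-zero AutoBackupLogFiles is the archive option the post describes.
        $effective = switch ($wmi.OverwritePolicy) {
            'WhenNeeded' { 'Overwrite events as needed (oldest events first)' }
            'OutDated'   { "Overwrite events older than $($wmi.OverwriteOutDated) days" }
            'Never'      {
                if ($autoBackup -ne 0) { 'Archive the log when full, do not overwrite events' }
                else                   { 'Do not overwrite events (Clear logs manually)' }
            }
            default      { "Unknown ($($wmi.OverwritePolicy))" }
        }

        [pscustomobject]@{
            LogName            = $wmi.LogfileName
            OverwritePolicy    = $wmi.OverwritePolicy
            OverwriteOutDated  = $wmi.OverwriteOutDated
            AutoBackupLogFiles = $autoBackup
            EffectiveSetting   = $effective
        }
    }
}

# Usage: report the effective setting for the default logs.
Get-EventLogRetentionPolicy | Format-Table -AutoSize
```

Run this from an elevated PowerShell session; querying the Security log through WMI and reading its registry key both require administrative rights. Because the WMI class alone cannot distinguish "Archive the log when full" from "Do not overwrite events", any audit that relies only on Win32_NTEventLogFile will report both as OverwritePolicy "Never".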

The following whiteboard shows how the WMI value and registry key value work together for the various options in the user interface.

The ability to audit the event log has been updated in our server audit tool, XIA Configuration Server v6.

More information can be found here:
http://david-homer.blogspot.co.uk/2013/12/document-event-log-configuration.html
