Posts

Change Modern Windows Event Log settings with PowerShell

Posted on by Geoff

I may be late to the party, but I just found the cmlets I need to update the properties of modern Windows event logs. The Limit-EventLog cmdlet only works with classic event logs. I want to be able to manage the size of a modern event log, the kind that lives under Applications and Services logs.

Screen clip of the Window Event Viewer window with the "Applications and Services Logs" collection circled in red.
The newer event logs require different PowerShell cmdlets for managing their settings.

To read these logs, we need to use the Get-WinEvent cmdlet, but that doesn’t let us change the properties of a log. The other cmdlet with the WinEvent noun is New-WinEvent, also not helpful.

It turns out that the cmdlets we need are in the PSDiagnostics module, Get-LogProperties and Set-LogProperties. Nice. (Available in Windows PowerShell 5.1 and later).

This will allow us to do something like:

PS C:\> Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'                                                          

Name       : Microsoft-Windows-Ntfs/Operational
Enabled    : True
Type       : Operational
Retention  : False
AutoBackup : False
MaxLogSize : 33554432

or

PS C:\> (Get-LogProperties 'Microsoft-Windows-Ntfs/Operational').MaxLogSize / 1MB                                       32

And you can use the Set-LogProperties cmdlet (running as admin) to change these settings. But the only two parameters are -force and -LogDetails. So first, you need to save the output of Get-LogProperties to a variable, change the properties you want to modify with the new values, and then provide this variable as input to Set-LogProperties.

Like so:

# Store Log Propertied in variable
PS C:\> $ntfslog = Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'

# Confirm the ibject type
PS C:\> $ntfslog.GetType()                                                                    
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    LogDetails                               System.Object

# Set the new desired log szie value in the variable
PS C:\> $ntfslog.MaxLogSize = 40MB

# Supply the variable with the new size as the input to the Set- cmdlet
PS C:\> Set-LogProperties -LogDetails $ntfslog

# Checking our work
PS C:\> Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'                                

Name       : Microsoft-Windows-Ntfs/Operational
Enabled    : True
Type       : Operational
Retention  : False
AutoBackup : False
MaxLogSize : 41943040

PS C:\> (Get-LogProperties 'Microsoft-Windows-Ntfs/Operational').MaxLogSize / 1MB
40
,
Geoff
Sr. System Administrator at the University of Vermont