Our Blog

Get-EventLog shows wrong maximum size of event logs

While working on EventManager script I've noticed that Get-EventLog is not returning proper values for Maximum File Size. When checking Maximum log size directly it was showing 2TB.

But  the test methods I used where showing different values.


$Computers = Get-ADDomainController -Filter *
$logs = Get-WmiObject Win32_NTEventlogfile -ComputerName $Computers 
$logsOutput = $logs | Select 
@{Name = "Computername"; Expression = {$_.CSName}}, 
NumberOfRecords, @{Name = "MaxMB"; Expression = {$_.MaxFileSize / 1MB}},
@{Name = "PercentUsed"; Expression = { ($_.filesize / $_.maxfilesize) * 100 -as [int]}},
@{Name = "Created"; Expression = {$_.ConvertToDateTime($_.CreationDate)}},
@{Name = "Modified"; Expression = {$_.ConvertToDateTime($_.Lastmodified)}} 
$results2 = $logsOutput | Select-Object * | Where-Object { $_.LogFileName -eq "Security" }
$results1 = Get-EventLog -List -ComputerName $computers | Select-Object MachineName, MaximumKilobytes, LogDisplayName, OverflowAction | Where-Object { $_.LogDisplayName -eq "Security" }

Write-Host "WMI TEST"
$results2 | Format-Table -AutoSize
Write-Host "Get-EventLog TEST"
$results1 | Format-Table -AutoSize

The Maximum Log File Size reported by Get-EventLog or WMI method is not reporting correct values


Fortunately there is a way to get proper values. With help of Johan Åkerström who suggested Get-WinEvent I was able to get values I was running for.

$results = @()
foreach ($computer in $computers) {
    $results += Get-WinEvent -ListLog Security -ComputerName $computer | Select MaximumSizeInBytes, FileSize, IsLogFul, LastAccessTime, LastWriteTime, OldestRecordNumber, RecordCount, LogName, LogType, LogIsolation, IsEnabled, LogMode

Write-Host "Get-WinEvent TEST"
$results | ft -AutoSize

The results are much better showing proper 2TB MaximumSizeInBytes

Tags: , , , , , ,

This is a unique website which will require a more modern browser to work! Please upgrade today!