Windows

Get-EventLog shows wrong maximum size of event logs

While working on EventManager script I've noticed that Get-EventLog is not returning proper values for Maximum File Size. When checking Maximum log size directly it was showing 2TB.

But  the test methods I used where showing different values.

cls

$Computers = Get-ADDomainController -Filter *
$logs = Get-WmiObject Win32_NTEventlogfile -ComputerName $Computers 
$logsOutput = $logs | Select 
@{Name = "Computername"; Expression = {$_.CSName}}, 
LogFileName, 
FileSize, 
NumberOfRecords, @{Name = "MaxMB"; Expression = {$_.MaxFileSize / 1MB}},
@{Name = "PercentUsed"; Expression = { ($_.filesize / $_.maxfilesize) * 100 -as [int]}},
@{Name = "Created"; Expression = {$_.ConvertToDateTime($_.CreationDate)}},
@{Name = "Modified"; Expression = {$_.ConvertToDateTime($_.Lastmodified)}} 
$results2 = $logsOutput | Select-Object * | Where-Object { $_.LogFileName -eq "Security" }
$results1 = Get-EventLog -List -ComputerName $computers | Select-Object MachineName, MaximumKilobytes, LogDisplayName, OverflowAction | Where-Object { $_.LogDisplayName -eq "Security" }

Write-Host "WMI TEST"
$results2 | Format-Table -AutoSize
Write-Host "Get-EventLog TEST"
$results1 | Format-Table -AutoSize

The Maximum Log File Size reported by Get-EventLog or WMI method is not reporting correct values

💡 Solution

Fortunately there is a way to get proper values. With help of Johan Åkerström who suggested Get-WinEvent I was able to get values I was running for.

$results = @()
foreach ($computer in $computers) {
    $results += Get-WinEvent -ListLog Security -ComputerName $computer | Select MaximumSizeInBytes, FileSize, IsLogFul, LastAccessTime, LastWriteTime, OldestRecordNumber, RecordCount, LogName, LogType, LogIsolation, IsEnabled, LogMode
}

Write-Host "Get-WinEvent TEST"
$results | ft -AutoSize

The results are much better showing proper 2TB MaximumSizeInBytes

This post was last modified on June 7, 2025 12:21

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.

Share
Published by
Przemyslaw Klys
Tags: eventevent idevent logsevent viewerget-eventlogget-wineventwin32_nteventlogfile
3 weeks ago

Recent Posts

Supercharging Your Network Diagnostics with Globalping for NET

Ever wondered how to run network diagnostics like Ping, Traceroute, or DNS queries from probes…

1 week ago

Automating Network Diagnostics with Globalping PowerShell Module

Are you tired of manually running network diagnostics like Ping, Traceroute, or DNS queries? The…

1 week ago

Enhanced Dashboards with PSWriteHTML – Introducing InfoCards and Density Options

Discover new features in the PSWriteHTML PowerShell module – including New-HTMLInfoCard, improved layout controls with…

2 weeks ago

Mastering Active Directory Hygiene: Automating SIDHistory Cleanup with CleanupMonster

Security Identifier (SID) History is a useful mechanism in Active Directory (AD) migrations. It allows…

2 weeks ago

Upgrade Azure Active Directory Connect fails with unexpected error

Today, I made the decision to upgrade my test environment and update the version of…

2 weeks ago

Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster

Have you ever looked at your Active Directory and wondered, "Why do I still have…

2 weeks ago