While working on EventManager script I've noticed that Get-EventLog is not returning proper values for Maximum File Size. When checking Maximum log size directly it was showing 2TB.
But the test methods I used where showing different values.
cls
$Computers = Get-ADDomainController -Filter *
$logs = Get-WmiObject Win32_NTEventlogfile -ComputerName $Computers
$logsOutput = $logs | Select
@{Name = "Computername"; Expression = {$_.CSName}},
LogFileName,
FileSize,
NumberOfRecords, @{Name = "MaxMB"; Expression = {$_.MaxFileSize / 1MB}},
@{Name = "PercentUsed"; Expression = { ($_.filesize / $_.maxfilesize) * 100 -as [int]}},
@{Name = "Created"; Expression = {$_.ConvertToDateTime($_.CreationDate)}},
@{Name = "Modified"; Expression = {$_.ConvertToDateTime($_.Lastmodified)}}
$results2 = $logsOutput | Select-Object * | Where-Object { $_.LogFileName -eq "Security" }
$results1 = Get-EventLog -List -ComputerName $computers | Select-Object MachineName, MaximumKilobytes, LogDisplayName, OverflowAction | Where-Object { $_.LogDisplayName -eq "Security" }
Write-Host "WMI TEST"
$results2 | Format-Table -AutoSize
Write-Host "Get-EventLog TEST"
$results1 | Format-Table -AutoSize
The Maximum Log File Size reported by Get-EventLog or WMI method is not reporting correct values
Solution
Fortunately there is a way to get proper values. With help of Johan Åkerström who suggested Get-WinEvent I was able to get values I was running for.
$results = @()
foreach ($computer in $computers) {
$results += Get-WinEvent -ListLog Security -ComputerName $computer | Select MaximumSizeInBytes, FileSize, IsLogFul, LastAccessTime, LastWriteTime, OldestRecordNumber, RecordCount, LogName, LogType, LogIsolation, IsEnabled, LogMode
}
Write-Host "Get-WinEvent TEST"
$results | ft -AutoSize
The results are much better showing proper 2TB MaximumSizeInBytes
