
Get-EventLog shows wrong maximum size of event logs

While working on the EventManager script I noticed that Get-EventLog is not returning proper values for Maximum File Size. When checking the maximum log size directly, it was showing 2TB.

But the test methods I used were showing different values.

cls

# Collect all domain controllers and read the event log files over WMI
$Computers = Get-ADDomainController -Filter *
$logs = Get-WmiObject Win32_NTEventlogfile -ComputerName $Computers
# The property list must start on the Select-Object line; a trailing comma continues it
$logsOutput = $logs | Select-Object @{Name = "Computername"; Expression = {$_.CSName}},
    LogFileName,
    FileSize,
    NumberOfRecords,
    @{Name = "MaxMB"; Expression = {$_.MaxFileSize / 1MB}},
    @{Name = "PercentUsed"; Expression = { ($_.filesize / $_.maxfilesize) * 100 -as [int]}},
    @{Name = "Created"; Expression = {$_.ConvertToDateTime($_.CreationDate)}},
    @{Name = "Modified"; Expression = {$_.ConvertToDateTime($_.Lastmodified)}}
# WMI view of the Security log
$results2 = $logsOutput | Select-Object * | Where-Object { $_.LogFileName -eq "Security" }
# Get-EventLog view of the Security log
$results1 = Get-EventLog -List -ComputerName $computers | Select-Object MachineName, MaximumKilobytes, LogDisplayName, OverflowAction | Where-Object { $_.LogDisplayName -eq "Security" }

Write-Host "WMI TEST"
$results2 | Format-Table -AutoSize
Write-Host "Get-EventLog TEST"
$results1 | Format-Table -AutoSize

The maximum log file size reported by Get-EventLog and by the WMI method is not correct.

Solution

Fortunately, there is a way to get proper values. With the help of Johan Åkerström, who suggested Get-WinEvent, I was able to get the values I was looking for.

$results = @()
foreach ($computer in $computers) {
    # Get-WinEvent -ListLog returns the log configuration, including the real maximum size
    $results += Get-WinEvent -ListLog Security -ComputerName $computer | Select-Object MaximumSizeInBytes, FileSize, IsLogFull, LastAccessTime, LastWriteTime, OldestRecordNumber, RecordCount, LogName, LogType, LogIsolation, IsEnabled, LogMode
}

Write-Host "Get-WinEvent TEST"
$results | Format-Table -AutoSize

The results are much better, showing the proper 2TB MaximumSizeInBytes.
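To see the discrepancy per host in one table, the three sources can be queried together and normalized to bytes. This is an added example, not code from the original post; the function name Compare-EventLogMaxSize, its parameters and the output property names are hypothetical, and it assumes Windows PowerShell 5.1, where all three cmdlets exist.

```powershell
# Added example: compare the maximum log size reported by Get-WinEvent,
# Get-EventLog and WMI for one log on each host (all values in bytes).
function Compare-EventLogMaxSize {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]] $ComputerName,
        [string] $LogName = 'Security'
    )
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{
            ComputerName  = $computer
            LogName       = $LogName
            WinEventBytes = $null   # Get-WinEvent -ListLog (value the post trusts)
            EventLogBytes = $null   # Get-EventLog -List, MaximumKilobytes * 1KB
            WmiBytes      = $null   # Win32_NTEventlogFile.MaxFileSize
            LogMode       = $null   # Circular, AutoBackup or Retain
            IsLogFull     = $null
            SourcesAgree  = $null
            Error         = $null
        }
        try {
            $win = Get-WinEvent -ListLog $LogName -ComputerName $computer -ErrorAction Stop
            $row.WinEventBytes = $win.MaximumSizeInBytes
            $row.LogMode       = $win.LogMode
            $row.IsLogFull     = $win.IsLogFull

            $old = Get-EventLog -List -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.Log -eq $LogName }
            if ($old) { $row.EventLogBytes = [int64]$old.MaximumKilobytes * 1KB }

            $wmi = Get-WmiObject Win32_NTEventlogFile -ComputerName $computer `
                -Filter "LogfileName='$LogName'" -ErrorAction Stop
            if ($wmi) { $row.WmiBytes = [int64]$wmi.MaxFileSize }

            # Flag hosts where the older interfaces disagree with Get-WinEvent
            $row.SourcesAgree = ($row.WinEventBytes -eq $row.EventLogBytes) -and
                                ($row.WinEventBytes -eq $row.WmiBytes)
        } catch {
            # Unreachable host or access denied: keep the row, record the reason
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage: Compare-EventLogMaxSize -ComputerName (Get-ADDomainController -Filter *).HostName | Format-Table -AutoSize
```

Rows where SourcesAgree is False are the hosts on which a size audit based on Get-EventLog or WMI would report the wrong Security log capacity.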

This post was last modified on 27 March, 2018 08:24

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
