Recommended settings for event log sizes in Windows

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

INTRODUCTION
The following table lists the recommended event log sizes for different versions of Windows Server 2003 and Windows Server 2008.
Operating systemRecommended maximum size for each log (kilobytes)Recommended maximum total size for all logs (kilobytes)Approximate maximum logging rate (events per second)Recommended maximum log size to view (kilobytes)
Windows Server 2003, 32-bit versions300,000300,032 1,000300,000
Windows Server 2003, 64-bit versions4,194,24016,776,9605,0004,194,240
Windows Server 2008, 32-bit versions4,194,24016,776,9602,0004,194,240
Windows Server 2008 and newer, 64-bit versions4,194,24016,776,9605,0004,194,240
Windows XP, 32-bit Versions300,000300,0321,000300,000
Windows XP, 64-bit versions4,194,24016,776,9605,0004,194,240
Windows Vista and newer, 32-bit versions4,194,24016,776,9602,0004,194,240
Windows Vista and newer, 64-bit versions4,194,24016,776,9605,0004,194,240
Notes
  • Log sizes should be decided on an as needed basis up to the maximum individual and combined log size.
  • The recommended maximum event log sizes for 64-bit versions of Windows Server 2003 apply to Windows Server 2003 Service Pack 2-based computers that have hotfix 931304 installed.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
931304 Windows Server 2003 stops responding when the event log size is larger than the default size
More information

Notes on Windows Server 2003 and Windows XP event logs

If an event log in Windows Server 2003 or Windows XP is near its recommended maximum logging rate, some events may not be logged.

By default, the event log files in Windows Server 2003 and Windows XP are located in the following folder:
%WinDir%\System32\Config
To relocate the event log files to a specified folder, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey for the log that you want to configure:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\EventLogName
    Note The EventLogName placeholder represents the name of the log that you want to configure. For example, the log can be Application, System, or Security.
  3. Under the registry subkey that you located in step 2, right-click File, and then click Modify.
  4. In the Value data box, type the desired location for the event log, and then click OK.
  5. Exit Registry Editor.
  6. Restart the computer.

Notes on Windows versions beginning Windows Vista and newer

Event log sizes can be larger in Windows Vista and newer compared to Windows Server 2003 and Windows XP. The eventlog engine has been redesigned to improve performance and capacity of eventlogs.

Using the new engine, he event log files are located in the following folder:
%WinDir%\System32\Winevt\Logs
To relocate the event log files to a specified folder, follow these steps:
  1. Open the Server Manager console.
  2. In the console tree, expand Diagnostics, expand Event Viewer, expand Windows Logs, right-click the log that you want to configure, and then click Properties.
  3. In the Log path box, type the desired location for the event log, and then click OK.

    Notes
    • This change takes effect immediately. However, the events that were already logged are still saved in the previous location.
    • If you relocate the event log files to an unavailable disk, the events will be lost.
If you have enabled the Audit: Shut down system immediately if unable to log security audits policy setting, see the following article in the Microsoft Knowledge Base for more information:
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
References
For more information about these settings in Windows Vista and Windows Server 2008, visit the following Microsoft Web site: For more information about event log policy settings, visit the following Microsoft Web site:
Properties

Article ID: 957662 - Last Review: 08/14/2015 07:24:00 - Revision: 6.1

Windows 10 Pro, released in July 2015, Windows 10 Enterprise, released in July 2015, Microsoft Windows Server 2003 Service Pack 2, Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Web Server 2008, Microsoft Windows XP Professional, Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Premium, Windows Vista Ultimate, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Datacenter, Windows 7 Professional, Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Pro, Windows 8 Enterprise

  • kbexpertiseinter kbhowto kbinfo KB957662
Feedback