[This is preliminary documentation and subject to change.]
The Windows NT Event Log service maintains a section in the Windows NT registry for each log file that it creates. The log file section contains four values and appears under the following hierarchy of keys:
HKEY_LOCAL_MACHINE
  SYSTEM
    CurrentControlSet
      Services
        Eventlog
          <name of logfile>
The four values are described in the following table:
Value | Type | Description |
---|---|---|
File | REG_SZ_EXPAND | Path to the log file. This value can include environment variables. |
MaxSize | REG_DWORD | Log file's maximum size in bytes. This value must be between 64 KB and 419,240 KB and can only be incremented in 64 KB chunks. |
Retention | REG_DWORD | Overwrite policy of the log file. |
Sources | REG_MULTI_SZ | List of event sources registered for the log file. |
The Retention value can be set to:
If the log file becomes full and no events are old enough to be overwritten, the log file must be cleared manually; otherwise, new events are discarded until an event becomes old enough to be overwritten.
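One way to audit these per-log values on a live system, as an added PowerShell example that is not part of the original documentation. The function name `Test-LogMaxSize` and the output property names are assumptions; the key path, the value names, and the MaxSize bounds are taken from the text above exactly as stated.

```powershell
# Added example: list each log file section under the Eventlog key and
# check MaxSize against the limits given in the table.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'

function Test-LogMaxSize {
    # Hypothetical helper. $Raw is whatever RegistryKey.GetValue returned.
    param($Raw)
    if ($null -eq $Raw)     { return 'MaxSize not set' }
    if ($Raw -isnot [int])  { return 'MaxSize is not a REG_DWORD' }
    # REG_DWORD comes back as a signed Int32; reinterpret it as unsigned
    # so that values above 0x7FFFFFFF are not reported as negative.
    $bytes = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Raw), 0)
    if ($bytes -lt 64KB)      { return 'below 64 KB' }
    if ($bytes -gt 419240KB)  { return 'above 419,240 KB' }
    if ($bytes % 64KB -ne 0)  { return 'not a multiple of 64 KB' }
    return 'ok'
}

Get-ChildItem -Path $root | ForEach-Object {
    $key = $_    # Microsoft.Win32.RegistryKey for one log file section
    $src = $key.GetValue('Sources')
    [pscustomobject]@{
        Log         = $key.PSChildName
        # Keep environment variables unexpanded to see the stored string.
        File        = $key.GetValue('File', $null, 'DoNotExpandEnvironmentNames')
        MaxSize     = $key.GetValue('MaxSize')
        SizeCheck   = Test-LogMaxSize $key.GetValue('MaxSize')
        # Reported as stored; no interpretation of the number is applied.
        Retention   = $key.GetValue('Retention')
        SourceCount = if ($null -eq $src) { 0 } else { @($src).Count }
    }
} | Format-Table -AutoSize
```

A log whose `SizeCheck` is not `ok`, or whose `MaxSize` is small relative to its event volume, is worth reviewing, because a full log discards new events as described above.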