I have some specific requirements for the Windows event logs on Azure VMs. This comes from the need to offload IO, save the event logs somewhere, and archive them instead of overwriting. Yes, I have a SIEM but I have reasons. Anyway, for anyone else who needs to change the following properties:
- Log Path
- Archive the log when full, do not overwrite events
Do this in PowerShell; change $LogName to whatever event log you need to change.
$LogName = "Application"

# Create the folder that will hold the relocated log and its archives
mkdir F:\EventLogs
mkdir F:\EventLogs\$LogName

$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Archive the log when full instead of overwriting events
# (-Force overwrites the value if it already exists, so the script can be re-run)
New-ItemProperty $KeyPath -Name "AutoBackupLogFiles" -Value "1" -PropertyType "DWord" -Force
New-ItemProperty $KeyPath -Name "Flags" -Value "1" -PropertyType "DWord" -Force

# Point the channel at the new log file location
Set-ItemProperty -Path $KeyPath -Name "File" -Value "F:\EventLogs\$LogName\$LogName.evtx"
The code above will change the location to a folder called EventLogs on an F:\ drive. Make sure to change it to whatever location you need.
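A read-back check to confirm the change actually took effect, added here as an example and not part of the original post. It assumes the same $LogName and F:\EventLogs layout as above; the function name is mine.

```powershell
# Compares what was written to the registry with what the Windows Event Log
# service is actually using, and counts any Archive-<LogName>-*.evtx files
# that the "archive when full" setting has produced so far.
function Test-EventLogRelocation {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$ExpectedPath   # e.g. F:\EventLogs\Application\Application.evtx
    )

    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    $reg     = Get-ItemProperty -Path $regPath
    $cfg     = Get-WinEvent -ListLog $LogName          # live configuration of the channel
    $folder  = Split-Path -Path $ExpectedPath -Parent

    $archives = @(Get-ChildItem -Path $folder -Filter "Archive-$LogName-*.evtx" `
                    -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LogName            = $LogName
        RegistryFile       = $reg.File
        RegistryAutoBackup = $reg.AutoBackupLogFiles
        RegistryFlags      = $reg.Flags
        EffectivePath      = $cfg.LogFilePath
        EffectiveMode      = $cfg.LogMode              # Circular, AutoBackup or Retain
        MaxSizeMB          = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        PathMatches        = ($cfg.LogFilePath -eq $ExpectedPath)
        ArchivesOnFull     = ($cfg.LogMode -eq 'AutoBackup')
        ArchiveCount       = $archives.Count
        FolderAcl          = (Get-Acl -Path $folder).AccessToString
    }
}

# Run against the log configured above
Test-EventLogRelocation -LogName $LogName `
    -ExpectedPath "F:\EventLogs\$LogName\$LogName.evtx" | Format-List
```

If EffectivePath still shows the old location or EffectiveMode is still Circular, the Windows Event Log service has not re-read the registry yet; restart the service (or reboot) and run the check again. The FolderAcl field is there so you can confirm that only SYSTEM and administrators can write to the archive folder.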