On a Windows Server 2008 R2 Standard Edition Domain Controller, with Windows 7 and Windows XP clients, is it "OK" to keep the setting below for Event Log files?

And which setting will apply? Between "Maximum log size" of 1 GB or "Retain Log" to 30 days, which will take precedence?
No, you shouldn't set your logs like that, and both will apply. Your Event Logs will have a maximum size of ~1 GiB, and events will be overwritten after 30 days. In all likelihood, this means that your logs will never reach the max size, because they'll keep overwriting themselves every 30 days, well before they hit the max size. (Unless you have very detailed logging for everything, then you could conceivably fill up a GiB with logs in 30 days.)

Retention by days is really only useful if, as the explanation says, you archive your logs off every x days, because then your server Event Logs will only contain events that aren't in the archived copies. That you had to ask the question tells me you're very unlikely to be in such a situation.

Instead, you should [probably] set the log files' "Retention method" to "Overwrite events as needed" and leave the "Retain [type] log" setting undefined. When they hit the maximum size, instead of preventing the system from starting up, they'll just overwrite the oldest events.

And, by the way, you should read those explanations and other documentation provided. More often than not, it's there explicitly and precisely to prevent you from shooting yourself in the foot for not knowing better.
As confident and well-written as Joe's answer might be, and I really wanted to believe him, I think he is wrong. I went back and carefully re-read the explanation of these GPO items. It's clear to me that the "Retain security log" and the "Retention method ..." GPO items are clearly targeting EVENTS (individual line items IN a log), not the archived log files themselves (which are created when you select "Archive the log when full, do not overwrite events" in the properties of the event log).

If you are manually (or programmatically) archiving your logs on a schedule, but you do NOT want to have to go to the log and clear it manually, then of course you would want it to "start fresh" after each of your archives/backups. Hence, "Retain security log"'s explanation of "determines the number of days' worth of events to be retained ..." and "Retention method"'s '"wrapping" method for the log' are talking about events, not archives.
Pay absolutely no attention to the guy who recommended leaving your logs to "overwrite as needed". That is horrible, horrible advice. Param, you are on the correct track. Those settings are just fine. The specification in file size for your Event logs is acceptable. A 30-day retention policy is fine as well, but would depend entirely on your organization's retention policy.

What the guy giving the horrible advice doesn't realize is that the Retention Method setting does not affect the "active" event log file. It only affects the "Archived" event log, which is the retained copy of the event log. Once an event log reaches the designated capacity, Windows makes a copy of the event log and labels it "Archive", then the active event log file is cleared. The retention policy only affects the Archived event log files. You'll need to pay attention to your drive capacity. Depending on how many logs your system generates, it's possible to quickly fill up the drive on which your event logs are located. It is best practice to designate a separate, large-capacity drive and run a backup job of your archived events to that drive.

Overwriting your event logs is a major security concern.
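Whichever answer you follow, the thing to verify on the server itself is what mode each log is actually in, how close it is to its cap, and how much disk the archived copies are consuming. The following PowerShell script is an added example, not code from any of the posters; it assumes a default Windows installation where archived logs land in %SystemRoot%\System32\winevt\Logs and that it is run from an elevated prompt so the Security log is readable.

```powershell
# Added example: audit event-log size/retention settings and archive disk usage.
# Assumes PowerShell 3.0+ on Windows, run elevated (needed to read the Security log config).
$logsToCheck = 'Application', 'Security', 'System'
$archiveDir  = Join-Path $env:SystemRoot 'System32\winevt\Logs'   # default archive location

$report = foreach ($name in $logsToCheck) {
    $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
    [pscustomobject]@{
        Log         = $cfg.LogName
        MaxSizeMiB  = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        CurrentMiB  = [math]::Round($cfg.FileSize / 1MB, 1)
        PercentFull = [math]::Round(100 * $cfg.FileSize / $cfg.MaximumSizeInBytes, 1)
        # LogMode values: Circular   = "Overwrite events as needed"
        #                 AutoBackup = "Archive the log when full, do not overwrite events"
        #                 Retain     = "Do not overwrite events (clear log manually)"
        Mode        = $cfg.LogMode
        Records     = $cfg.RecordCount
    }
}
$report | Format-Table -AutoSize

# Flag the configurations the thread argues about.
foreach ($r in $report) {
    if ($r.Mode -eq 'Retain') {
        Write-Warning "$($r.Log): 'Retain' mode - logging stops when the cap is hit unless the log is cleared manually."
    }
    if ($r.Mode -eq 'Circular') {
        Write-Warning "$($r.Log): 'Circular' mode - oldest events are silently overwritten at the cap; make sure something forwards or backs up this log."
    }
    if ($r.PercentFull -ge 90) {
        Write-Warning "$($r.Log): $($r.PercentFull)% of its $($r.MaxSizeMiB) MiB cap."
    }
}

# AutoBackup mode writes Archive-<Log>-<timestamp>.evtx files that stay on disk until
# something moves or deletes them; report how much space they occupy and what is left.
$archives   = @(Get-ChildItem -Path $archiveDir -Filter 'Archive-*.evtx' -ErrorAction SilentlyContinue)
$totalBytes = 0
foreach ($a in $archives) { $totalBytes += $a.Length }
"{0} archived log file(s) using {1} MiB under {2}" -f $archives.Count, [math]::Round($totalBytes / 1MB, 1), $archiveDir
$driveFree = (Get-PSDrive -Name $archiveDir.Substring(0, 1)).Free
"Free space on that drive: {0} GiB" -f [math]::Round($driveFree / 1GB, 1)
```

Running it on a schedule and alerting on the warnings gives early notice before a log either stops recording (Retain) or starts discarding history (Circular), and before archived copies exhaust the system drive.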