I'm currently using Windows 2008, and would like to view an individual event's size in the Windows Event Log (Application, Security, System logs).

I have tried right clicking and selecting Add/Remove Columns where applicable but there is nothing regarding size of an event.

So is there a way to view an event's size?

I may have missed something but googling led to no avail!

metoyou
  • It's possible, though not with the native Event Viewer... but before I dig up the app I've used in the past... why on earth would you possibly want to? – HopelessN00b Feb 27 '14 at 17:19
  • I'm currently investigating the feasibility of pulling the event logs into Splunk, and the effectiveness of using this tool for these logs. As per our current process the average event size is needed. – metoyou Mar 03 '14 at 10:35
  • Better approach for finding the average size would be total number of events divided by total size, as events do vary in size. – HopelessN00b Mar 03 '14 at 10:51
  • I'm looking at the daily volume, and then the average size of that, but we currently have it set up so that the log has a maximum size (varies), and then the oldest is overwritten, so taking the average of the total could be slightly misleading. Suppose I could just get the total average, then count per daily volume. – metoyou Mar 03 '14 at 11:08
  • You can always save all events in a given log through the context menu in the event viewer, if you're worried. And, by the way, the maximum event size (and other event log behavior) can be set by GPO to standardize the logging across all your servers, which would make determining the feasibility of centralized logging much easier. – HopelessN00b Mar 03 '14 at 11:31

1 Answer

Per your comments, the best approach is probably going to be to take the size of the event logs divided by the number of events, as events do vary in size, and both measures are easy to obtain.

For the size of the event logs, you can check either the actual files (by default at %SystemRoot%\System32\Winevt\Logs\), or right click on the log in question and select the properties. For the number of events, you can go into the Event Viewer and select all the events, which will tell you how many there are. Divide size by number to get the average size per event.

Having said that, size per event isn't a particularly normal or useful metric. I'd suggest you'd find it more useful to determine the size of logs you generate per day, which you can then extrapolate into decent capacity planning to determine how much disk space you'll need to buy to store whatever retention period's worth of logs you need to keep.

You'll also want to keep in mind that redirecting logs from a large number of sources is I/O intensive, so space is not the only consideration - and if you need to reduce the space taken up by your logs, you can always try file and folder compression.

HopelessN00b
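The size-divided-by-count calculation from the answer, extended to a per-day volume estimate, as an added PowerShell example that is not part of the original answer. The log list and the 7-day window are assumed values; the average is of on-disk .evtx bytes (which includes unused space in the file), and only full days still present in the log are counted so that overwritten events do not skew the result.

```powershell
# Added example, not from the original answer. $Logs and $Days are assumed values.
# Run elevated: reading the Security log requires administrative rights.
$Logs  = 'Application', 'Security', 'System'
$Days  = 7
$Until = (Get-Date).Date              # midnight today; today's partial day is excluded
$Since = $Until.AddDays(-$Days)

foreach ($name in $Logs) {
    # FileSize and RecordCount come from log metadata; no events are read here.
    $log = Get-WinEvent -ListLog $name
    if (-not $log.RecordCount) {
        Write-Warning "$name has no records; skipping"
        continue
    }
    $avgBytes = $log.FileSize / $log.RecordCount

    # If the oldest surviving event is newer than the window start, the log has
    # wrapped or been cleared, so start at the first full day that is still present.
    $oldest = (Get-WinEvent -LogName $name -Oldest -MaxEvents 1).TimeCreated
    $from   = if ($oldest -gt $Since) { $oldest.Date.AddDays(1) } else { $Since }
    if ($from -ge $Until) {
        Write-Warning "$name holds less than one full day of events; skipping"
        continue
    }

    # Count events per calendar day inside [$from, $Until).
    $filter = @{ LogName = $name; StartTime = $from; EndTime = $Until }
    $groups = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                Group-Object { $_.TimeCreated.Date })
    $total = 0; $peak = 0
    foreach ($g in $groups) {
        $total += $g.Count
        if ($g.Count -gt $peak) { $peak = $g.Count }
    }
    $fullDays  = ($Until - $from).TotalDays
    $avgPerDay = $total / $fullDays

    New-Object PSObject -Property @{
        Log              = $name
        Records          = $log.RecordCount
        AvgBytesPerEvent = [math]::Round($avgBytes)
        FullDays         = $fullDays
        AvgEventsPerDay  = [math]::Round($avgPerDay)
        PeakEventsPerDay = $peak
        EstMBPerDay      = [math]::Round($avgPerDay * $avgBytes / 1MB, 2)
    } | Select-Object Log, Records, AvgBytesPerEvent, FullDays,
                      AvgEventsPerDay, PeakEventsPerDay, EstMBPerDay
}
```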