Modify the configuration of a log. Usage: wevtutil { sl | set-log } /OPTION:VALUE /OPTION:VALUE . String that uniquely identifies ...

Modify the configuration of a log.

Usage:

wevtutil { sl | set-log }  [/OPTION:VALUE [/OPTION:VALUE] ...]


String that uniquely identifies a log. If option /c is specified,  
should not be specified since it is read from the config file.

Options:

You can use either the short (for example, /e) or long (for example, /enable) 
version of the option names. Options and their values are not case-sensitive.

/{e | enabled}:[true|false]
Enable or disable a log.

/{q | quiet}:[true|false]
Quiet display option. No prompts or messages are displayed to the user. If not 
specified, the default is true. 

/{fm | filemax}:
Set Maximum number of enablements across which to preserve events, where  is 
an integer between 1 and 16. One file is created for each enablement, so if this 
value is 2, events will be produced from the last two enablements. A reboot 
counts as disabling and then re-enabling the channel. 
  
/{i | isolation}:[system|application|custom]
Log isolation mode. The isolation mode of a log determines whether a log shares 
a session with other logs in the same isolation class. If you specify system 
isolation, the target log will share at least write permissions with the System 
log. If you specify application isolation, the target log will share at least 
write permissions with the Application log. If you specify custom isolation, you 
must also provide a security descriptor by using the /ca option.

/{lfn | logfilename}:VALUE
Log file name. VALUE is the full path to the file where the Event Log service 
stores events for this log.

/{rt | retention}:[true|false]
Log retention mode. The log retention mode determines the behavior of the Event 
Log service when a log reaches its maximum size. If an event log reaches its 
maximum size and the log retention mode is true, existing events are retained and 
incoming events are discarded. If the log retention mode is false, incoming 
events overwrite the oldest events in the log.

/{ab | autobackup}:[true|false]
Log autobackup policy. If autobackup is true, the log will be backed up 
automatically when it reaches the maximum size. In addition, if autobackup is 
true, retention (specified with the /rt option) must be set to true.

/{ms | maxsize}:
Maximum size of log, where  is the number of bytes. Note that the minimum 
value for  is 1048576 (1024KB) and log files are always multiples of 64KB, so 
the specified value will be rounded accordingly.

/{l | level}:
Level filter of log, where  is any valid level value. Only applicable to logs 
with a dedicated session. You can remove a level filter by setting  to 0.

/{k | keywords}:VALUE
Keywords filter of log. VALUE can be any valid 64 bit keyword mask. Only 
applicable to logs with a dedicated session.

/{ca | channelaccess}:VALUE
Access permission for an event log. VALUE is a security descriptor specified
using the Security Descriptor Definition Language (SDDL). Search MSDN
(http://msdn.microsoft.com) for information about SDDL format.

/{c | config}:VALUE
Path to the config file, where VALUE is the full file path. If specified, log 
properties will be read from this config file. If this option is specified, you 
must not specify the  command line parameter. The log name will be read 
from the config file.

Example:

The following example sets retention, autobackup and maximum log size on the 
Application log by using a config file. Note that the config file is an XML file 
with the same format as the output of wevtutil gl  /f:xml.

C:\config.xml


  
    true
    true
    9000000
  
  
  


wevtutil sl /c:config.xml