Error Code 1502
Error Code 1502 is a common Windows issue whose message reads “The event log file is full. [ERROR_LOG_FILE_FULL (0x5DE)]”.
Overview
In this article, we’ll focus on resolving the issue described as: “The event log file is full. [ERROR_LOG_FILE_FULL (0x5DE)]”. This error, identified by error code 1502, can impede your system’s performance, and here’s how you can fix it.
Identifying the Problem
Error Code 1502 occurs when the event log file becomes full, causing the system to be unable to record new events. Common scenarios include:
– Running resource-intensive applications that generate a large volume of events.
– Misconfiguration of event logging settings, such as excessive logging levels or a small log file size.
– Hardware issues, such as a failing hard drive or memory problems.
Common Fixes
Solution 1: Clear the Event Log
- Open Event Viewer (eventvwr.msc).
- Navigate to Windows Logs > Application.
- Right-click on the log file and select “Clear Log”.
- Repeat for other relevant logs.
Solution 2: Increase the Event Log Size
- Open Event Viewer (eventvwr.msc).
- Right-click on the log file and select “Properties”.
- Under “Log Size”, increase the “Maximum log size” value.
- Click “OK” to save changes.
Solution 3: Check System Event Logs
- Open Event Viewer (eventvwr.msc).
- Navigate to Windows Logs > System.
- Check for any errors or warnings that may indicate a hardware problem.
Advanced Troubleshooting
Solution 4: Use the Event Log Truncation Utility
- Download the Event Log Truncation Utility from Microsoft.
- Run the utility and select the desired log file.
- Enter a truncation threshold to remove old events.
Solution 5: Reset the Event Logging Service
- Press Windows Key + R and type “services.msc”.
- Find the “Event Log” service.
- Right-click on the service and select “Restart”.
Solution 6: Check Disk Space
- Open File Explorer and navigate to the location of the event logs (typically C:\Windows\System32\Winevt\Logs).
- Ensure there is sufficient free disk space.
Conclusion
By following the solutions provided in this article, you should be able to resolve Error Code 1502 (ERROR_LOG_FILE_FULL). Additionally, consider the following tips to prevent future occurrences:
– Configure event logging settings to generate only essential events.
– Regularly clear old event logs.
– Monitor system performance to identify potential issues that could lead to excessive event logging.
– Perform regular maintenance and updates to keep your system functioning optimally.
Windows event logs store useful information that is needed when analyzing the state of services and applications in Windows, debugging errors and failures, and auditing various security events. By default, the Event Viewer logs in Windows have maximum sizes; once a log reaches its limit, new events start overwriting older ones. If too many events arrive in Event Viewer, the log may end up holding only the last few hours of events, which may not be enough.
To prevent old events from being overwritten and to always have events for a sufficiently long period at hand, you can increase the maximum size of the Event Viewer logs.
Contents:
- Get information about Windows event logs with PowerShell
- Change the event log size from the Event Viewer console
- Increase the Windows event log size via GPO
Get information about Windows event logs with PowerShell
Windows event log files are stored in the %SystemRoot%\System32\Winevt\Logs\ directory as files with the .EVTX extension. Note that each log uses its own file, so you can manage the size of only the Windows log you need and leave the other values at their defaults.
The current limits of all enabled event logs in Windows can be displayed with PowerShell:
Get-Eventlog -List
You can display the size of a specific log with the Get-WinEvent cmdlet. For example, get the current and maximum size of the Security log:
Get-WinEvent -ListLog Security| Select MaximumSizeInBytes, FileSize, IsLogFull, OldestRecordNumber, IsEnabled, LogMode
The total size of the folder containing the event log files can be obtained with PowerShell (the original used typographic quotes around the format string, which PowerShell does not accept; straight quotes and the full -Sum switch are used here):
"{0:N2} MB" -f ((Get-ChildItem C:\Windows\System32\Winevt\Logs\ | Measure-Object Length -Sum).Sum / 1MB)
To increase the maximum log size, you can use the wevtutil tool (the new size is specified in KB):
wevtutil sl "Application" /ms:200000
Or with PowerShell:
Limit-Eventlog -Logname Application -MaximumSize 200MB -OverflowAction OverwriteOlder
Change the event log size from the Event Viewer console
The easiest way to increase the maximum log size is directly from the Event Viewer console.
- Open eventvwr.msc;
- Find the required log in the console and open its properties (for example, Security);
- Set the limit under Maximum log size (KB) and save the changes;
- Here you can also change the behaviour when the maximum size is reached:
Overwrite events as needed (oldest events first) – this mode is used by default. New events simply overwrite older ones.
Archive the log when full, do not overwrite events – when full, the current event log is archived to the \System32\Winevt\Logs\ folder and new events are written to a new evtx file. Archived event files can be opened via the Open Saved Log menu in Event Viewer.
Do not overwrite events (Clear log manually) – events are never overwritten. To write new events, the log must be cleared.
Increase the Windows event log size via GPO
To centrally manage event log sizes on computers or servers in an Active Directory domain, you can use Group Policy.
- Run the Group Policy Management console (gpmc.msc), create a new GPO and link it to the OU containing the computers or servers whose Event Viewer settings you want to change (or link the GPO to the domain root);
- Go to the GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service. As you can see, this branch has subsections for managing the basic Windows logs: Application, Security, Setup, System;
- To increase the maximum size of any of these logs, open the Specify the maximum log file size (KB) setting, enable it and set the size you need;
- Update the policy settings on the clients and check that the log properties now show the new size, which you can no longer change. If you try to set a different size, an error appears:
Event Viewer
The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 61440 KB
Note that the GPO section described above has no settings for the other logs under Applications and Services Logs -> Microsoft. If you need to increase the size of any other event log (other than the standard ones), this can be done through the registry. Windows event log settings are stored in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log_name>. The log size is set by the MaxSize parameter (type REG_DWORD). You can distribute the required MaxSize registry value to domain computers using Group Policy Preferences.
In this example we will increase the size of the Directory Service log on domain controllers. This log’s settings are stored in the key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service.
- Open the GPO and go to Computer Configuration -> Preferences -> Windows Settings -> Registry;
- Select New -> Registry Item;
- Create a new parameter with the following settings:
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
Value name: MaxSize
Value type: REG_DWORD
Value data: 52428800 (the value is in bytes; in our example it is 50 MB)
- Check that after the GPO is applied on the DC the maximum log size has increased.
For example, if you need to keep a long history of RDP connections to an RDS host, increase the size of the Terminal-Services-RemoteConnectionManager log.
By increasing the Windows event log sizes you can obtain various information for a longer period. For example, event logs let you get the Windows reboot history, find out who deleted a file in a shared folder, or who changed NTFS permissions.
You might notice a problem in the Windows Event Viewer indicating that a log has exceeded its maximum size. The error is “Security log is now full, Event ID 1104”, which can be frustrating. It means that your Windows system is unable to add new events to the security log because it has reached full capacity. Although this error is not very common, its primary cause centers on a failure of the event log.
To get rid of the Event ID 1104 issue, several solutions can help. You can delete entries from the security log or modify the registry to increase the log’s maximum size. Another method is to let the log be overwritten, but this should be done with caution. In this post, we’ll explore easy workarounds to help you quickly resolve this issue and get your Windows system running smoothly again.
Event ID 1104 The security log is now full
Here is how to Fix Event ID 1104 The security log is now full in Windows 11 or 10 –
Way-1: Restart the Event Viewer Service
Event Viewer is crucial for controlling and understanding Windows system events, as it provides a central place for viewing and managing event logs.
It also lets administrators and users view, filter, and analyze logs in real time, which is important for troubleshooting, monitoring, and maintaining the system’s health and security. A problem with the underlying Windows Event Log service is therefore one of the foremost reasons for the Event ID 1104 error on your system, and restarting that service should help fix the issue. Here are the steps to follow:
- Press Winkey and R simultaneously.
- Type – services.msc
- Select OK.
- Locate Windows Event Log in the Services window.
- Right-click on it and select Restart.
- Alternatively, if this service is not already running, proceed with the following steps:
- Double-click on Windows Event Log.
- In the section labeled Startup type, set it to Automatic using drop-down.
- Click on Start from Service status.
- Then select Apply and finally OK.
Way-2: Consider uninstalling the most recent Windows Update
The “security log is now full” message can also be triggered by the latest Windows update, as such updates sometimes include defects or compatibility issues. These can affect system components and lead to the removal of essential system files.
It is therefore worth uninstalling the most recent update and reverting to the prior Windows version, which may be enough to solve this problem. Follow these guidelines:
- In the Windows search box, type Updates then hit Enter.
- Navigate to Windows Update and click on it.
- Select the Update history option.
- Choose Uninstall updates.
- Click Uninstall next to the most recent update.
- Follow the steps that appear on the screen to complete the procedure.
- Go back to the Windows update page and click the Pause for one week.
- Restart your PC.
Way-3: Enable Event Overwriting
Event overwriting is known to grant permission for an update of event information in the event management system of your Windows. However, when specifically addressing the Event ID 1104 issue, it’s best to enable this option. It allows the new events with identical IDs to replace the previous events, rather than the addition of a new ID.
It’s crucial when the details of an event change and the system has to be updated. Thus, it becomes essential to examine the consequences of overwriting such events, since they may lead to the loss of necessary data.
- Press the Winkey+X.
- Then, Click on Event Viewer.
- Double-click on Windows logs.
- There, select Security.
- Locate the Properties option on the far right side of the window and click it.
- Choose the Overwrite events as needed (oldest events first) option from the list that appears in the section labeled When maximum event log size is reached, which should be located at the bottom part of the window.
- Click Apply then OK.
Way-4: Run System File Checker (SFC)
To repair any problem with System components there is a rescue tool provided by Windows by default that can prevent the generation of Event ID 1104 The security log is now full. Follow the guide and run this –
- Click Start and type cmd.exe.
- Select – Run as administrator.
- When the User Account Control dialog appears, click Yes.
- Type the following command –
SFC /Scannow
- Press Enter and allow the tool to complete its task.
- Reboot your device.
It is expected that the above-mentioned ways will assist you in resolving the issue of Event ID 1104 “The security log is now full” in Windows 11 or 10. We believe these methods should help you effectively address the issue and prevent it from happening again in the future.
That’s all!!
Windows Event Viewer Logs store useful information that is needed when analyzing the status of services and applications in Windows, troubleshooting errors, and auditing security events. By default, the sizes of the Event Viewer logs in Windows are limited and when the file sizes are exceeded, new events begin to overwrite older ones. If too many events are sent to the Event Viewer, only the last few hours of events may be logged, which may not be sufficient for efficient monitoring and log analysis.
To prevent old events from being overwritten, and to ensure that you always have events for a long enough period, you can increase the maximum size of Event Viewer logs.
Contents:
- How to Set Windows Event Log Size with PowerShell?
- Adjusting the Event Log File Size from the Event Viewer Console
- Increase the Size of Windows Event Log Files Using GPO
How to Set Windows Event Log Size with PowerShell?
Windows event log files are stored in the %SystemRoot%\System32\Winevt\Logs\ directory as .EVTX files. Note that there is a separate file for each log. So you can manage the maximum size of only the Windows log you need and leave the default settings for others.
You can use PowerShell to view the current limits for all enabled Event Viewer Logs on Windows:
Get-Eventlog -List
You can use the Get-WinEvent cmdlet to get the size of a specific event log file. For example, here’s how you can get the current and maximum size of the Security log file:
Get-WinEvent -ListLog Security| Select MaximumSizeInBytes, FileSize, IsLogFull, OldestRecordNumber, IsEnabled, LogMode
To increase the maximum size of the log, you can use the wevtutil command line tool (the new size is set in bytes):
wevtutil sl "Application" /ms:200000000
Or you can use PowerShell to set a new maximum Application log file size:
Limit-Eventlog -Logname Application -MaximumSize 200MB -OverflowAction OverwriteOlder
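The Get-WinEvent and wevtutil commands above (in both the translated and the English versions of this section) show one log at a time. The following is an added example, not code from the original article: it inventories every enabled log, computes how full each one is, and flags the logs that will stop recording when full, which is the condition behind ERROR_LOG_FILE_FULL and Event ID 1104. The function names, the 80% warning threshold and the megabyte wrapper around wevtutil are this example’s own choices; wevtutil’s /ms option itself takes bytes.

```powershell
# Added example; not from the original article. Inventory every enabled event
# log, work out how full it is, and flag the ones that will stop logging when
# full (LogMode 'Retain' = "Do not overwrite events (Clear log manually)").
# Run from an elevated Windows PowerShell session so protected logs such as
# Security are readable; logs that still refuse access are skipped.
function Get-EventLogCapacityReport {
    [CmdletBinding()]
    param(
        # Percent-full threshold at which a log is flagged (assumed value: 80).
        [int]$WarnPercent = 80
    )
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled -and $_.MaximumSizeInBytes -gt 0 } |
        ForEach-Object {
            $percent = [math]::Round(100 * $_.FileSize / $_.MaximumSizeInBytes, 1)
            $stopsWhenFull = ($_.LogMode -eq 'Retain')
            if ($_.IsLogFull)                                      { $risk = 'FULL' }
            elseif ($stopsWhenFull -and $percent -ge $WarnPercent) { $risk = 'NEAR FULL, WILL STOP LOGGING' }
            elseif ($percent -ge $WarnPercent)                     { $risk = 'NEAR FULL, WILL OVERWRITE' }
            else                                                   { $risk = 'OK' }
            [pscustomobject]@{
                LogName     = $_.LogName
                Mode        = $_.LogMode       # Circular / AutoBackup / Retain
                MaxMB       = [math]::Round($_.MaximumSizeInBytes / 1MB, 1)
                UsedMB      = [math]::Round($_.FileSize / 1MB, 1)
                PercentFull = $percent
                Risk        = $risk
            }
        } |
        Sort-Object PercentFull -Descending
}

# Raise the cap of one log through wevtutil, which expects BYTES for /ms.
# Taking megabytes here avoids the KB-vs-bytes mix-up that silently leaves a
# log far smaller than intended.
function Set-EventLogMaxSizeMB {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int]$SizeMB
    )
    $bytes = [int64]$SizeMB * 1MB
    & wevtutil.exe sl "$LogName" "/ms:$bytes"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$LogName' (exit code $LASTEXITCODE)" }
    # Verify through the Event Log API instead of trusting the exit code.
    $effective = (Get-WinEvent -ListLog $LogName).MaximumSizeInBytes
    [pscustomobject]@{ LogName = $LogName; RequestedMB = $SizeMB; EffectiveMB = $effective / 1MB }
}

# Usage: list only the logs that need attention.
Get-EventLogCapacityReport | Where-Object { $_.Risk -ne 'OK' } | Format-Table -AutoSize
# Set-EventLogMaxSizeMB -LogName 'Application' -SizeMB 200
```

Logs in Circular mode never raise a "full" error; they only lose history, so the report distinguishes "will overwrite" from "will stop logging". The second function reads the effective size back because wevtutil rounds the requested value and the Security log cannot be shrunk below what policy dictates.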
Adjusting the Event Log File Size from the Event Viewer Console
The easiest way to increase the maximum log size is directly from the Event Viewer console.
- Open the Event Viewer MMC snap-in (eventvwr.msc);
- Select the required log (for example, Security) and open its properties;
- Set a new limit under Maximum log size (KB) and save the changes;
- You can also select the action to be taken when the maximum log file size is reached:
Overwrite events as needed (oldest events first) – this mode is used by default and implies that new events simply overwrite older events.
Archive the log when full, do not overwrite events – the current event log is archived in the \System32\Winevt\Logs\ folder when full, and new events are written to a new EVTX file. You can access the archived event files through the Open Saved Log menu in the Event Viewer.
Do not overwrite events (Clear log manually) – enable this option to protect your old events from being overwritten. Note that the log must be cleared manually to write new events.
Increase the Size of Windows Event Log Files Using GPO
You can use Group Policies to centrally manage the size of event log files on computers or servers in an Active Directory domain.
- Run the Group Policy Management snap-in (gpmc.msc), create a new GPO, and link it to the Organizational Units with the computers or servers you want to change the Event Viewer settings for (you may also link the GPO to the domain root);
- Navigate to the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service. This node contains subnodes for managing the basic Windows logs: Application, Security, Setup, System;
- To increase the maximum size of the log, select the Specify the maximum log file size (KB) option, enable it, and set the required size;
- Update the Group Policy settings on the clients and check that the new maximum log file size is now specified in the log properties and that you cannot change it. If you try to set a different size, an error will appear:
Event Viewer
The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 61440 KB
The GPO section described above doesn’t contain options for other Event Logs from Applications and Services Logs -> Microsoft. If you need to increase the size of another event log (other than the standard one), you can do it through the registry. Windows event log settings are stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log_name> registry key. The maximum log file size is determined by the MaxSize parameter (REG_DWORD type). You can configure the registry value of the MaxSize parameter for a custom event log on domain computers by using Group Policy Preferences.
In this example, we are going to increase the size of the Directory Service log on the domain controllers. This log’s settings are stored in the following registry key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service.
- Open GPO and go to Computer Configuration -> Preferences -> Windows Settings -> Registry;
- Select New -> Registry Item;
- Create a new registry parameter with the following settings:
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\EventLog\Directory Service
Value name: MaxSize
Value type: REG_DWORD
Value data: 52428800 (the maximum file size is given in bytes; in our example it is 50 MB)
- Check that the maximum log size has increased after updating the GPO on the DCs.
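The Group Policy Preferences item above writes a single REG_DWORD; when you want to test the value on one machine first, or script it for a log that has no dedicated policy, the same registry write can be done locally. The following is an added example, not code from the article: it writes MaxSize for a classic log under Services\EventLog exactly as the GPP item does, guards against the two mistakes that make the value silently wrong (a KB value written where bytes are expected, and a size beyond what a DWORD can hold), and reads the effective size back through the Event Log API. The function name is this example’s own; 'Directory Service' is the article’s example log and exists only on domain controllers.

```powershell
# Added example; not from the original article. Set MaxSize (bytes, REG_DWORD)
# for a classic event log the same way the article's Group Policy Preferences
# item does, then verify the effective limit. Run from an elevated session.
function Set-ClassicEventLogMaxSize {
    param(
        [Parameter(Mandatory)][string]$LogName,   # e.g. 'Directory Service'
        [Parameter(Mandatory)][int]$SizeMB
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    if (-not (Test-Path $key)) {
        throw "No classic event log named '$LogName' on this machine (key $key is missing)"
    }

    # MaxSize is stored in bytes, not KB as the Event Viewer dialog shows.
    $bytes = [int64]$SizeMB * 1MB
    if ($bytes -gt [int32]::MaxValue) { throw 'MaxSize is a REG_DWORD; values above 2 GB are not representable here' }

    $before = (Get-ItemProperty -Path $key -Name MaxSize -ErrorAction SilentlyContinue).MaxSize
    # -Force creates the value if it is absent and overwrites it if present.
    New-ItemProperty -Path $key -Name MaxSize -PropertyType DWord -Value ([int32]$bytes) -Force | Out-Null

    # Read the effective size back through the Event Log API. For classic logs
    # the registry MaxSize and the channel's MaximumSizeInBytes are the same
    # setting; if EffectiveMB still shows the old value, the Event Log service
    # has not yet picked up the change (assumption: a service restart or the
    # next policy refresh applies it, matching the article's "check after GPO
    # update" step).
    $effective = (Get-WinEvent -ListLog $LogName).MaximumSizeInBytes
    $oldMB = if ($before) { $before / 1MB } else { '(not set, default applied)' }
    [pscustomobject]@{
        LogName     = $LogName
        OldMaxMB    = $oldMB
        RegistryMB  = $bytes / 1MB
        EffectiveMB = $effective / 1MB
    }
}

# Same value the article's GPP item distributes: 50 MB (52428800 bytes).
# Set-ClassicEventLogMaxSize -LogName 'Directory Service' -SizeMB 50
```

Use the Risk column of a capacity report, or simply the RegistryMB versus EffectiveMB columns here, to confirm the change is really in force before rolling it out through GPP.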
For example, if you want to store logs with a history of Remote Desktop connections to an RDS host for a long period, you need to increase the size of the Terminal-Services-RemoteConnectionManager log.
By increasing the size of Windows event logs, you can get more information over a longer time. For example, you can use event logs to get the Windows reboot history, find out who deleted a file from a shared network folder, or changed NTFS permissions.
In Event Viewer, the errors logged are common, and you will come across different errors with different Event IDs. The events that are recorded in the security logs usually will be either of the keyword Audit Success or Audit Failure. In this post, we will discuss The security log is now full (Event ID 1104) including why this event is triggered and the actions you can perform in this situation whether on a client or server machine.
As the event description indicates, this event generates every time the Windows security log becomes full. For example, if the maximum size of the Security Event Log file was reached and the event log retention method is Do not overwrite events (Clear logs manually) as described in this Microsoft documentation. The following are the options in the security event log settings:
- Overwrite events as needed (oldest events first) – This is the default setting. Once the maximum log size is reached, older items will be deleted to make way for new items.
- Archive the log when full, do not overwrite events – If you select this option, Windows will automatically save the log when the maximum log size is reached and create a new one. The log will be archived wherever the security log is being stored. By default, this will be at the following location: %SystemRoot%\SYSTEM32\WINEVT\LOGS. You can view the properties of the log in Event Viewer to determine the exact location.
- Do not overwrite events (Clear logs manually) – If you select this option and the event log reaches the maximum size, no further events will be written until the log is manually cleared.
To check or modify your security event log settings, the first thing you may want to change is the Maximum log size (KB); the default maximum log file size is 20 MB (20480 KB). Beyond that, decide on your retention policy as outlined above.
When the upper limit of the Security Log Event file size is attained, and there is no room to log more events, the Event ID 1104: The security log is now full will be logged indicating that the log file is full, and you need to perform any of the following immediate actions.
- Enable log overwriting in Event Viewer
- Archive the Windows security event log
- Manually clear the Security Log
Let’s see these recommended actions in detail.
1] Enable log overwriting in Event Viewer
By default, the security log is configured to overwrite events as needed. When you turn on the overwriting logs option, this will allow the Event Viewer to overwrite the old logs, in turn saving the memory from getting full. So, you need to make sure that this option is enabled by following these steps:
- Press the Windows key + R to invoke the Run dialog.
- In the Run dialog box, type eventvwr and hit Enter to open Event Viewer.
- Expand Windows Logs.
- Click Security.
- On the right pane, under the Actions menu, select Properties. Alternatively, right-click on the Security log on the left navigation pane and select Properties.
- Now, under the When maximum event log size is reached section, select the radio button for the Overwrite events as needed (oldest events first) option.
- Click Apply > OK.
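The steps above change the retention mode through the Event Viewer dialog. The following is an added example, not code from the original post: it checks from PowerShell whether the Security log is in the "Do not overwrite" mode that produces Event ID 1104, lists the recent 1104 events, and optionally switches the log back to "Overwrite events as needed" without clearing it. The function names and the 30-day lookback are this example’s own. Event ID 1102 ("The audit log was cleared") is not mentioned in the post; it is included because an auditor reviewing a full-log incident also wants to see whether the log was cleared to make room.

```powershell
# Added example; not from the original post. Run from an elevated Windows
# PowerShell session (Limit-EventLog is a Windows PowerShell cmdlet).

# Current retention mode and fill level of the Security log.
function Get-SecurityLogRetention {
    $cfg = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        Mode          = $cfg.LogMode          # Circular / AutoBackup / Retain
        MaxMB         = $cfg.MaximumSizeInBytes / 1MB
        UsedMB        = [math]::Round($cfg.FileSize / 1MB, 1)
        IsLogFull     = $cfg.IsLogFull
        # Retain = "Do not overwrite events (Clear logs manually)": the only
        # mode in which reaching the limit stops logging and raises 1104.
        StopsWhenFull = ($cfg.LogMode -eq 'Retain')
    }
}

# Recent "log full" (1104) and "audit log cleared" (1102) events.
function Get-SecurityLogFullHistory {
    param([int]$Days = 30)   # assumed lookback window
    $filter = @{
        LogName   = 'Security'
        Id        = 1102, 1104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Meaning';  e = { if ($_.Id -eq 1104) { 'Security log full' } else { 'Audit log cleared' } } },
            @{ n = 'Computer'; e = { $_.MachineName } }
}

# Same change as the Event Viewer radio button "Overwrite events as needed
# (oldest events first)", done without touching the existing events.
function Enable-SecurityLogOverwrite {
    Limit-EventLog -LogName Security -OverflowAction OverwriteAsNeeded
    Get-SecurityLogRetention
}

# Usage:
Get-SecurityLogRetention
Get-SecurityLogFullHistory | Format-Table -AutoSize
# Enable-SecurityLogOverwrite
```

If StopsWhenFull is true and the history shows repeated 1104 events, the log is undersized for the audit policy in force; raising MaximumSizeInBytes (or archiving, as in the next section) is the fix that keeps the history, whereas switching to overwrite only keeps logging alive at the cost of the oldest events.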
2] Archive the Windows security event log
In a security-conscious environment (especially in an enterprise/organization), it may be necessary or mandated to archive the Windows security event log. This can be done via the Event Viewer as shown above by selecting the Archive the log when full, do not overwrite events option, or by creating and running a PowerShell script using the code below. The PowerShell script will check the size of the security event log and archive it if necessary. The steps performed by the script are as follows:
- If the security event log is under 250 MB, an informational event is written to the Application event log
- If the log is over 250 MB
- The log is archived to D:\Logs\OS.
- If the archive operation fails, an error event is written to the Application event log and an e-mail is sent.
- If the archive operation succeeds, an informational event is written to the Application event log and an e-mail is sent.
Before using the script in your environment, configure the following variables:
- $ArchiveSize – Set to desired log size limit (MB)
- $ArchiveFolder – Set to an existing path where you want the log file archives to go
- $mailMsgServer – Set to a valid SMTP server
- $mailMsgFrom – Set to a valid FROM e-mail address
- $MailMsgTo – Set to a valid TO e-mail address
# Set the archive location
$ArchiveFolder = "D:\Logs\OS"
# How big can the security event log get in MB before we automatically archive?
$ArchiveSize = 250

# Verify the archive folder exists
If (!(Test-Path $ArchiveFolder)) {
    Write-Host
    Write-Host "Archive folder $ArchiveFolder does not exist, aborting ..." -ForegroundColor Red
    Exit
}

# Configure environment
$sysName = $env:computername
$eventName = "Security Event Log Monitoring"
$mailMsgServer = "your.smtp.server.name"
$mailMsgSubject = "$sysName Security Event Log Monitoring"
$mailMsgFrom = "from@example.com"   # placeholder: replace with a valid FROM address
$mailMsgTo = "to@example.com"       # placeholder: replace with a valid TO address

# Add event source to application log if necessary
If (-NOT ([System.Diagnostics.EventLog]::SourceExists($eventName))) {
    New-EventLog -LogName Application -Source $eventName
}

# Check the security log
$Log = Get-WmiObject Win32_NTEventLogFile -Filter "logfilename = 'security'"
$SizeCurrentMB = [math]::Round($Log.FileSize / 1024 / 1024, 2)
$SizeMaximumMB = [math]::Round($Log.MaxFileSize / 1024 / 1024, 2)
Write-Host

# Archive the security log if over the limit
If ($SizeCurrentMB -gt $ArchiveSize) {
    $ArchiveFile = $ArchiveFolder + "\Security-" + (Get-Date -Format "yyyy-MM-dd@HHmm") + ".evt"
    $EventMessage = "The security event log size is currently " + $SizeCurrentMB + " MB. The maximum allowable size is " + $SizeMaximumMB + " MB. The security event log size has exceeded the threshold of $ArchiveSize MB."
    $Results = ($Log.BackupEventlog($ArchiveFile)).ReturnValue
    If ($Results -eq 0) {
        # Successful backup of security event log; clear it only after the backup succeeded
        $Results = ($Log.ClearEventlog()).ReturnValue
        $EventMessage += "The security event log was successfully archived to $ArchiveFile and cleared."
        Write-Host $EventMessage
        Write-EventLog -LogName Application -Source $eventName -EventId 11 -EntryType Information -Message $EventMessage -Category 0
        $mailMsgBody = $EventMessage
        Send-MailMessage -From $mailMsgFrom -To $mailMsgTo -Subject $mailMsgSubject -Body $mailMsgBody -SmtpServer $mailMsgServer
    }
    Else {
        # Backup failed: do not clear the log, report an error instead
        $EventMessage += "The security event log could not be archived to $ArchiveFile and was not cleared. Review and resolve security event log issues on $sysName ASAP!"
        Write-Host $EventMessage
        Write-EventLog -LogName Application -Source $eventName -EventId 11 -EntryType Error -Message $EventMessage -Category 0
        $mailMsgBody = $EventMessage
        Send-MailMessage -From $mailMsgFrom -To $mailMsgTo -Subject $mailMsgSubject -Body $mailMsgBody -SmtpServer $mailMsgServer
    }
}
Else {
    # Write an informational event to the application event log
    $EventMessage = "The security event log size is currently " + $SizeCurrentMB + " MB. The maximum allowable size is " + $SizeMaximumMB + " MB. The security event log size is below the threshold of $ArchiveSize MB so no action was taken."
    Write-Host $EventMessage
    Write-EventLog -LogName Application -Source $eventName -EventId 11 -EntryType Information -Message $EventMessage -Category 0
}

# Close the log
$Log.Dispose()
If you want, you can use an XML file to run the script on a schedule. Save the following code to an XML file (UTF-16, as its declaration states) and import it into Task Scheduler. The <Interval> value PT2H below repeats the task every two hours; change it to PT1H for hourly runs. Make sure to change the <Arguments> section to the folder/file name where you saved the script.
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2017-01-18T16:41:30.9576112</Date>
    <Description>Monitor security event log. Archive and clear log if threshold is met.</Description>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition>
        <Interval>PT2H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2017-01-18T00:00:00</StartBoundary>
      <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>c:\scripts\PS\MonitorSecurityLog.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
Once you have enabled or configured archiving the logs, the oldest logs will be saved and will not be overwritten with newer logs. So now onwards, Windows will archive the log when the maximum log size is reached and save it to the directory (if not the default) you have specified. The archived file will be named in Archive-<Section>-<Date/Time> format, for example, Archive-Security-2023-02-14-18-05-34. The archived file can be now used to trace down older events.
3] Manually clear the Security Log
If you have set the retention policy to Do not overwrite events (Clear logs manually), you will need to manually clear the security log using any of the following methods.
- Event Viewer
- WEVTUTIL.exe utility
- Batch file
That’s it!
What Event ID is malware detected?
The Windows security event ID 4688 (a new process has been created) is the event to search when investigating malware on the system: if there’s malware present on your Windows system, searching for event 4688 will reveal any processes executed by that ill-intentioned program. With that information, you can perform a quick scan, schedule a Windows Defender scan, or run a Defender Offline scan.
What is the security ID for the logon event?
In Event Viewer, the Event ID 4624 will be logged on every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. The event Logon type 11: CachedInteractive indicates a user logged on to a computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
