OpenIntuneBaseline

[Bug] - Disk space issues caused by event log settings

Open bennyocb1291 opened this issue 4 months ago • 3 comments

Baseline Info:

  • OS: Windows
  • Version: 3.6

Describe the bug

I've been receiving more and more complaints about disk space issues being caused by our event logs not properly overwriting, per the 'Win - OIB - SC - Device Security - D - Audit and Event Logging - v3.1' policy settings.

According to the MS docs for the CSPs here https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-admx-eventlog?WT.mc_id=Portal-fx#channel_log_retention_2

Old events may or may not be retained according to the "Backup log automatically when full" policy setting.

The baseline is only setting 'Control Event Log behavior when the log file reaches its maximum size' to disabled & 'Specify the maximum log file size (KB)', so my thinking was that 'Back up log automatically when full' also needs to be hard set to disabled. After updating a test policy to reflect this change, the scoped devices started behaving as expected.

Happy to accept if it's just me, though I couldn't find any other settings in the OIB, or auxiliary policies I have in my tenant, that could be causing the settings on some devices to not behave as expected, so I resorted to reading the CSP doc. In addition, the affected devices span multiple device models with different drives and capacities, etc., which blew out my initial theory of perhaps just the heavier users on devices with smaller drives noticing the issue.

Expected behaviour

Windows event logs overwriting when the configured maximum size of each log type is reached.

bennyocb1291 avatar Sep 30 '25 15:09 bennyocb1291

That's weird - we're using the same policy for ourselves, and some clients and not having this issue. Is this within the C:\Windows\system32\winevt\logs directory?

jamiehallghs avatar Oct 01 '25 13:10 jamiehallghs

> That's weird - we're using the same policy for ourselves, and some clients and not having this issue. Is this within the C:\Windows\system32\winevt\logs directory?

It started with just 1 user noticing their disk filling up, who then got his team to check the settings, and all ~5 of them were also affected but hadn't noticed yet. I didn't want to chance it becoming more widespread than that, so after I found this extra CSP resolving things, I quickly pushed it out to the rest of my estate, but it would've been handy to have run a remediation to get an idea of exactly how many devices had log files not being overwritten...

As I say, may not be this CSP, or anything within the OIB policies since I've had it fully in my environment since v3.0, but worth flagging my findings.

bennyocb1291 avatar Oct 01 '25 16:10 bennyocb1291
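The kind of detection script the reporter wishes they had run, as an added example that is not part of OpenIntuneBaseline or this thread: it reports any core channel whose effective retention mode is not Circular (i.e. not overwriting oldest events) and how much space archived copies are taking in the winevt\Logs directory mentioned above. The channel list and the 512 MB archive threshold are assumptions for illustration.

```powershell
# Added example (not OpenIntuneBaseline code): Intune remediation-style detection script.
# Exit 1 = non-compliant (Intune records the output line per device), exit 0 = compliant.
# Runs as SYSTEM under Intune, which is needed to read the Security log configuration.

$Logs         = 'Application', 'Security', 'System', 'Setup'   # assumed channels of interest
$LogDir       = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$ArchiveCapMB = 512                                           # constructed threshold for archive bloat
$Findings     = @()

foreach ($name in $Logs) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) { continue }
    # LogMode values: Circular = overwrite oldest events (what the baseline intends),
    # AutoBackup = archive the log to a new .evtx file when full (files accumulate on disk),
    # Retain = stop recording new events when full.
    if ($log.LogMode -ne 'Circular') {
        $Findings += '{0}: LogMode={1}, Max={2} MB, Current={3} MB' -f $name, $log.LogMode,
            [math]::Round($log.MaximumSizeInBytes / 1MB, 1), [math]::Round($log.FileSize / 1MB, 1)
    }
}

# Archived channels are written as Archive-<Channel>-<timestamp>.evtx beside the live files.
$archives  = Get-ChildItem -Path $LogDir -Filter 'Archive-*.evtx' -ErrorAction SilentlyContinue
$archiveMB = [math]::Round((($archives | Measure-Object -Property Length -Sum).Sum / 1MB), 1)
if ($archiveMB -gt $ArchiveCapMB) {
    $Findings += '{0} archived .evtx files consuming {1} MB in {2}' -f $archives.Count, $archiveMB, $LogDir
}

if ($Findings.Count -gt 0) {
    Write-Output ($Findings -join '; ')
    exit 1
}
Write-Output 'Event logs are circular and archive usage is within limits'
exit 0
```

Deploying this as the detection half of a remediation gives a per-device count of affected machines from the Intune report before any policy change is pushed tenant-wide.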

Hi. I can't say in all the time I've been maintaining and deploying this in environments I've ever seen any issues like that. The policies are configured in that way to ensure that new events aren't lost. I could see a situation if you did enable the "Backup log automatically when full" setting that you could get log bloat.

Are you sure it's those event logs and not related to the current IT1168328 issue?

SkipToTheEndpoint avatar Oct 10 '25 13:10 SkipToTheEndpoint