I needed to figure out how much space was required to maintain 7 days of event log entries for the Security event log on my SQL Servers. Basically, this is a simple calculation where you check the size of the current event log, find the earliest event, and calculate how many hours of coverage you have. You then extrapolate that to 7 full days (168 hours). It's a simple script and I'm sure it could be more efficient, but it works.
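# Estimate how large the Security event log must be to hold 7 days (168 hours)
# of events on $computer. The estimate extrapolates from the span of time the
# log covers today and the space those events occupy.
# Run it under an account that is allowed to read the target's Security log.
$computer = "MyComputer"
$retentionHours = 168
$bytesPerMB = 1024 * 1024

$cumulativeSize = 0     # sum of MaxFileSize (bytes) for every log except Security
$secSize = 0            # configured maximum size of the Security log, in MB
$secUsed = 0            # space the Security log occupies right now, in MB
$earliestDate = $null   # timestamp of the oldest Security event still in the log

$colLogs = Get-WmiObject -Class "Win32_NTEventlogFile" -Namespace "root\CIMV2" -ComputerName $computer
foreach ($objLog in $colLogs) {
    if ($objLog.LogFileName -eq "Security") {
        $secSize = $objLog.MaxFileSize / $bytesPerMB
        # FileSize is what the retained events actually occupy. MaxFileSize is only
        # the configured ceiling and overstates the rate when the log is not yet full.
        $secUsed = $objLog.FileSize / $bytesPerMB

        # Relies on Get-EventLog returning the newest entry first, so the last
        # object is the oldest one. This pulls the whole log across the network;
        # where the target supports it, Get-WinEvent -Oldest -MaxEvents 1 reads
        # only the single record needed.
        $objEvent = Get-EventLog -LogName Security -ComputerName $computer | Select-Object -Last 1
        if ($objEvent) {
            $earliestDate = $objEvent.TimeWritten
        }
    }
    else {
        $cumulativeSize += $objLog.MaxFileSize
    }
}

if ($null -eq $earliestDate) {
    # Either the Security log was not found or it holds no readable entries.
    Write-Warning "No Security log entries could be read from $computer; cannot estimate a size."
}
else {
    $hourDifference = ((Get-Date) - $earliestDate).TotalHours
    if ($hourDifference -le 0) {
        # Guards the division below (clock skew, or a log cleared moments ago).
        Write-Warning "Security log on $computer covers no measurable time span; cannot estimate a size."
    }
    else {
        # Observed MB per hour, scaled to the retention window. This is an average:
        # a burst of audit events fills the log faster, so leave headroom on top.
        $logSize = $retentionHours * $secUsed / $hourDifference
        if ($logSize -lt $secSize) {
            # Never recommend shrinking below the currently configured maximum.
            $logSize = $secSize
        }

        Write-Host "Computer: ", $computer
        Write-Host "Old Security Event Log size: ", $secSize
        Write-Host "Earliest Security Event:", $earliestDate
        Write-Host "New Security Event Log size: ", $logSize
        Write-Host "Total size of other Logs: ", ($cumulativeSize / $bytesPerMB)
    }
}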