Introduction

Windows Event Log "full" errors occur when a log reaches its configured maximum size and its retention setting does not allow the oldest events to be overwritten. The Windows Event Log service keeps running, but new events for that log are dropped, so critical system events, security audits and application errors go unrecorded, creating compliance gaps and hindering incident response. The Security log is the dangerous case: if it fills while the policy "Audit: Shut down system immediately if unable to log security audits" (CrashOnAuditFail) is enabled, the system halts. Common causes include a maximum log size too small for the log volume, a retention policy of "Do not overwrite events" instead of circular logging, an Event Log service crash or hang, disk space exhaustion on the system drive, an audit policy flooding the Security log, an application spamming the event log with verbose errors, Group Policy enforcing restrictive log sizes or retention, an event forwarding subscription overwhelming the collector's ForwardedEvents log, and corrupted event log files (EVTX) preventing the service from opening a log. The fix requires understanding the Windows Event Log architecture, service dependencies, retention policies, Group Policy configuration and recovery procedures. This guide provides production-proven troubleshooting for Windows Event Log issues across Windows Server 2016, 2019 and 2022 and Windows 10/11 clients, in both standalone and domain environments.

Symptoms

  • "The event log file is corrupted" error in Event Viewer
  • Event Log service stopped or fails to start
  • "Event Log service is unavailable" in applications
  • Security events not being recorded (audit failure)
  • Security log shows Event Log service events (ID 1101 audit events dropped, 1104 log full)
  • Application log fills within hours
  • Disk space consumed by .evtx files in System32\winevt\Logs
  • Event Viewer shows "Log full" or "No more data"
  • Event forwarding subscriptions failing
  • Group Policy event audit not recording events

Common Causes

  • Log retention policy: "Do not overwrite events"
  • Maximum log size too small (the default is 20 MB for the main logs)
  • Event Log service crashed or hung
  • Corrupted EVTX file from unclean shutdown
  • Disk full on system drive preventing log writes
  • Audit policy generating excessive security events
  • Application logging verbose errors in loop
  • Event forwarding flooding the collector's ForwardedEvents log
  • Group Policy restricting log configuration
  • NTFS permissions preventing log file access

Step-by-Step Fix

### 1. Diagnose Event Log service state

Check Event Log service status:

```powershell
# Check service status (EventSystem is the unrelated COM+ Event System service)
Get-Service EventLog

# Expected: Running. If stopped:
# Start-Service EventLog

# What depends on EventLog (these stop with it) and what it needs itself.
# There is no "Dependencies" property; the two real ones are:
Get-Service EventLog | Select-Object -ExpandProperty DependentServices
Get-Service EventLog | Select-Object -ExpandProperty ServicesDependedOn

# Check service configuration
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog" |
    Select-Object Type, Start, ErrorControl, ImagePath
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Parameters" |
    Select-Object ServiceDll

# Start should be 2 (Automatic); ServiceDll should be %SystemRoot%\System32\wevtsvc.dll
```

Check event log configuration:

```powershell
# List all event logs with configuration (FileSize and IsLogFull show the real state)
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount, FileSize, MaximumSizeInBytes, IsClassicLog, IsEnabled, LogMode, IsLogFull |
    Sort-Object RecordCount -Descending

# Key logs:
# - Application: application events
# - System: Windows system events
# - Security: audit and security events
# - Setup: setup and installation events

# Check specific log
Get-WinEvent -ListLog "Application" |
    Select-Object LogName, RecordCount, FileSize, MaximumSizeInBytes, LogMode, IsLogFull

# LogMode values:
# - Circular:   overwrite oldest when full (recommended)
# - AutoBackup: archive the file and start a new one when full
# - Retain:     do not overwrite (this is the mode that produces "log full")
```

Check Event Log errors:

```powershell
# Event Log service start/stop/crash records live in the System log, provider "EventLog"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
# 6005 = service started, 6006 = service stopped, 6008 = unexpected shutdown

# Audit-related conditions are written to the Security log (not System)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1101, 1102, 1104 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
# 1101 = audit events dropped by the transport
# 1102 = the audit log was cleared (investigate who did it!)
# 1104 = the Security log is now full (retention is "Do not overwrite")

# Clearing of any other log is recorded in the System log as event 104
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```
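The 1102/104 check above is the one worth automating: a cleared Security log that does not coincide with your own rotation is an anti-forensics signal. The following is an added example, not part of the original guide, that lists every log-clear and audit-drop event from the last N days together with the account that did it, taken from the event's UserData section. The function name and the 7-day window are assumptions.

```powershell
# Added example (not from the original guide): who cleared or overflowed the logs?
function Get-LogTamperEvents {
    param([int]$LookbackDays = 7)   # assumed window

    $since   = (Get-Date).AddDays(-$LookbackDays)
    $meaning = @{
        104  = 'log cleared (non-Security log)'
        1101 = 'audit events dropped by transport'
        1102 = 'Security log cleared'
        1104 = 'Security log full'
    }
    $filters = @(
        @{ LogName = 'Security'; Id = 1101, 1102, 1104; StartTime = $since },
        @{ LogName = 'System';   Id = 104;              StartTime = $since }
    )

    foreach ($filter in $filters) {
        # Get-WinEvent throws when nothing matches; an empty result is the good case here
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in @($events)) {
            # For 104 and 1102 the actor and cleared channel sit in <UserData><LogFileCleared>
            $xml  = [xml]$e.ToXml()
            $info = $xml.Event.UserData.LogFileCleared

            $channel = $e.LogName
            if ($info -and $info.Channel) { $channel = $info.Channel }

            $actor = [string]$e.UserId
            if ($info -and $info.SubjectUserName) {
                $actor = "$($info.SubjectDomainName)\$($info.SubjectUserName)"
            }

            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Meaning = $meaning[$e.Id]
                Channel = $channel
                Actor   = $actor
            }
        }
    }
}

# Anything here that is not your rotation task's account at its scheduled time is an incident.
Get-LogTamperEvents -LookbackDays 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt (reading the Security log needs administrator or Event Log Readers membership). Feed the output into the same ticketing or SIEM path as any other detection; the point is that the rotation job in step 2 produces a known actor at a known time, and everything else is unexplained.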

### 2. Clear full event logs

Clear individual logs. Clearing is destructive and itself generates an audit event (1102 for Security, 104 for other logs), so back up first (next block) and expect your detection team to see the clear:

```powershell
# Clear-EventLog handles the classic logs only (Application, System, Security, ...)
# and exists in Windows PowerShell 5.1, not in PowerShell 7.

# Clear Application log
Clear-EventLog -LogName "Application"

# Clear System log
Clear-EventLog -LogName "System"

# Clear Security log (requires SeSecurityPrivilege; writes event 1102)
Clear-EventLog -LogName "Security"

# Clear all classic logs
Get-EventLog -List | ForEach-Object {
    Write-Host "Clearing $($_.Log)..."
    Clear-EventLog -LogName $_.Log
}

# Modern (ETW channel) logs are not reachable with Clear-EventLog; use wevtutil
wevtutil cl "Microsoft-Windows-WinRM/Operational"

# Every non-empty log of any type (rarely what you want: it destroys evidence)
# Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
#     Where-Object { $_.RecordCount -gt 0 } |
#     ForEach-Object { Write-Host "Clearing $($_.LogName)..."; wevtutil cl $_.LogName }
```

Clear with backup:

```powershell
# Export log before clearing
$backupPath = "C:\EventLogBackups\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

$logs = @("Application", "System", "Security")
foreach ($log in $logs) {
    $backupFile = "$backupPath\$log.evtx"
    Write-Host "Backing up $log to $backupFile..."
    wevtutil epl $log $backupFile
    Clear-EventLog -LogName $log
}

# Or back up and clear in one operation, so no event lands between the export and the clear:
# wevtutil cl Application /bu:"$backupPath\Application.evtx"

# Read an exported log later. (wevtutil im installs a provider manifest; it does not import logs.)
# Get-WinEvent -Path "$backupPath\Security.evtx" -MaxEvents 10
# wevtutil qe "$backupPath\Security.evtx" /lf:true /c:10 /f:text
```

Script to archive and clear:

```powershell
# Automated log rotation script
$archivePath = "C:\EventLogArchives"
$daysToKeep  = 90
$dateStamp   = Get-Date -Format "yyyyMMdd-HHmmss"

# Create archive directory
New-Item -ItemType Directory -Path $archivePath -Force | Out-Null

# Rotate busy logs. Clear-EventLog silently does nothing for modern channels,
# so use wevtutil cl /bu:, which archives and clears in one operation.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 10000 }

foreach ($log in $logs) {
    $logName = $log.LogName
    # Channel names contain "/", which Windows encodes as "%4" in file names
    $archiveFile = "$archivePath\$($logName -replace '/', '%4')_$dateStamp.evtx"

    try {
        & wevtutil cl $logName /bu:$archiveFile
        if ($LASTEXITCODE -ne 0) { throw "wevtutil exited with $LASTEXITCODE" }
        Write-Host "Archived $logName ($($log.RecordCount) records) to $archiveFile"
    } catch {
        Write-Warning "Failed to archive $logName : $_"
    }
}

# Clean old archives
Get-ChildItem -Path $archivePath -Filter "*.evtx" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$daysToKeep) } |
    Remove-Item -Force
```
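When the logs in question are audit evidence, the rotation has to prove that what it archived is intact and who cleared what. The following is an added example, not part of the original guide: it backs up and clears atomically with `wevtutil cl /bu:`, reads the archive back, hashes it, and appends a manifest row per log. The archive root, log list and retention period are assumptions; put the archive on a different volume than the system drive so a full C: cannot take the archives down with the logs.

```powershell
# Added example (not from the original guide): evidence-preserving rotation.
function Invoke-EvidenceSafeRotation {
    param(
        [string[]]$LogNames    = @('Security', 'System', 'Application'),
        [string]  $ArchiveRoot = 'D:\EventLogArchives',   # assumed: not the system drive
        [int]     $KeepDays    = 365                      # assumed retention
    )

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $ArchiveRoot $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $manifest = Join-Path $dir 'manifest.csv'
    $operator = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    foreach ($name in $LogNames) {
        $file   = Join-Path $dir ("{0}_{1}_{2}.evtx" -f $env:COMPUTERNAME, ($name -replace '/', '%4'), $stamp)
        $before = (Get-WinEvent -ListLog $name).RecordCount

        # Back up and clear in one call: nothing is written between export and clear.
        # This is the step that emits 1102 (Security) or 104 (other logs) under $operator.
        & wevtutil cl $name /bu:"$file"
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
            Write-Warning "$name NOT rotated: wevtutil exit code $LASTEXITCODE"
            continue
        }

        # Read-back proves the archive opens; an empty log legitimately yields "no events"
        try {
            $null = Get-WinEvent -Path $file -MaxEvents 1 -ErrorAction Stop
            $readable = $true
        } catch {
            $readable = ($before -eq 0)
        }

        # Hash so a later tamper (or bit rot) is detectable against the manifest
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash

        [pscustomobject]@{
            Time          = (Get-Date).ToString('o')
            Host          = $env:COMPUTERNAME
            Log           = $name
            RecordsBefore = $before
            Archive       = $file
            SHA256        = $hash
            Readable      = $readable
            ClearedBy     = $operator
        } | Export-Csv -Path $manifest -Append -NoTypeInformation

        if (-not $readable) {
            # The archive is now the only copy of those events: escalate, do not delete it
            Write-Warning "$file failed read-back after clear; treat as an evidence-loss incident"
        }
    }

    # Retention on the archive directories themselves
    Get-ChildItem $ArchiveRoot -Directory |
        Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Recurse -Force
}

Invoke-EvidenceSafeRotation -LogNames 'Security', 'System', 'Application'
```

Ship the manifest along with the .evtx files to the SIEM or archive store; the SHA256 column is what lets you answer "is this the file that was exported on that date" later. Because `/bu:` clears immediately, a read-back failure cannot be retried against the live log, which is why the function escalates rather than silently continuing.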

### 3. Configure log size limits

Increase log size via PowerShell:

```powershell
# Set log size limits (in bytes)
# Default is 20 MB for the main logs; increase to hundreds of MB or more for busy
# servers. The file grows on demand, so the cap is not pre-allocated on disk.

# Application log - 512MB
$log = Get-WinEvent -ListLog "Application"
$log.MaximumSizeInBytes = 512MB
$log.SaveChanges()

# System log - 512MB
$log = Get-WinEvent -ListLog "System"
$log.MaximumSizeInBytes = 512MB
$log.SaveChanges()

# Security log - 1GB (for audit-heavy systems)
$log = Get-WinEvent -ListLog "Security"
$log.MaximumSizeInBytes = 1GB
$log.SaveChanges()

# Verify changes
Get-WinEvent -ListLog "Application" | Select-Object LogName, MaximumSizeInBytes, RecordCount, LogMode
```

Configure retention policy:

```powershell
# Set circular logging (overwrite oldest when full)
$log = Get-WinEvent -ListLog "Application"
$log.LogMode = "Circular"     # IsClassicLog is read-only; LogMode works for classic and modern logs
$log.SaveChanges()

# Or use wevtutil: /rt (retention) true means "do NOT overwrite", so circular is /rt:false
wevtutil sl Application /rt:false /ab:false      # overwrite as needed, no auto-backup
wevtutil sl Application /ms:536870912            # Max size 512MB

# Verify
wevtutil gl Application
```

Configure all logs at once:

```powershell
# Configure the logs that matter with sensible defaults. Do not apply this to every
# channel blindly: Analytic/Debug channels reject changes while enabled, and many
# Operational channels are deliberately small.
$targets = "Application", "System", "Security", "Setup", "ForwardedEvents",
           "Microsoft-Windows-PowerShell/Operational"

foreach ($name in $targets) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "$name not present on this host"; continue }
    try {
        # Set 512MB max size
        $log.MaximumSizeInBytes = 512MB
        # Set circular mode
        $log.LogMode = "Circular"
        $log.SaveChanges()
        Write-Host "Configured $($log.LogName)"
    } catch {
        Write-Warning "Failed to configure $($log.LogName): $_"
    }
}
```

### 4. Fix Event Log service

Restart Event Log service:

```powershell
# On Windows 8 / Server 2012 and later the Event Log service normally refuses stop
# requests from a running system ("Access is denied"), even for administrators.
# Try a restart first; -Force also restarts the services that depend on EventLog.
Restart-Service EventLog -Force

# Services that depend on EventLog (these were restarted with it)
(Get-Service EventLog).DependentServices | Select-Object Name, Status

# Verify running
Get-Service EventLog | Select-Object Name, Status, StartType

# Fallback when the service cannot be stopped online: disable, reboot, do the file
# work from the steps below, then re-enable and reboot again.
# Set-Service EventLog -StartupType Disabled; Restart-Computer
# ... file operations ...
# Set-Service EventLog -StartupType Automatic; Restart-Computer
```

Reset Event Log configuration:

```powershell
# Export current configuration (wevtutil has no export-keys command; use reg.exe)
reg export HKLM\SYSTEM\CurrentControlSet\Services\EventLog "$env:TEMP\eventlog-registry.reg" /y

# The service must not be running while the Logs folder is moved
# (see the start-type workaround above if the stop is refused)
Stop-Service EventLog -Force

# Rename log folder. This rename IS your backup of the existing logs: keep it
# until every log in it has been archived.
$timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
$logDir = "C:\Windows\System32\winevt\Logs"
Rename-Item -Path $logDir -NewName "Logs.$timestamp" -Force

# Create fresh folder and copy the ACL from the original Logs folder, not from
# the parent: the Logs folder carries its own entries (including the service SID)
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Get-Acl "C:\Windows\System32\winevt\Logs.$timestamp" | Set-Acl -Path $logDir

# Start service (recreates log files)
Start-Service EventLog

# Verify
Get-ChildItem $logDir
```

Re-register Event Log service:

```powershell
# wevtapi.dll and wevtsvc.dll are not COM servers, so regsvr32 does nothing useful
# for them, and "sc delete EventLog" cannot be undone with "sc config". Verify the
# registration and repair the binaries instead.
sc.exe qc EventLog
# Expect BINARY_PATH_NAME of C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
# and START_TYPE 2 (AUTO_START)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Parameters" | Select-Object ServiceDll
# Expect %SystemRoot%\System32\wevtsvc.dll

# Fix a wrong start type or image path without deleting the service
sc.exe config EventLog start= auto
sc.exe config EventLog binPath= "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p"

# Repair damaged service binaries from the component store
sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth

# Start service
Start-Service EventLog
```

### 5. Fix corrupted event log files

Identify corrupted logs:

```powershell
# Check each channel for corruption. File names encode "/" as "%4"
# (Microsoft-Windows-EventLog%4Operational.evtx is the Microsoft-Windows-EventLog/Operational channel).
# Archive-*.evtx files are auto-backup copies, not channels, so they are skipped.
$logPath = "C:\Windows\System32\winevt\Logs"
$corruptedLogs = @()

Get-ChildItem -Path $logPath -Filter "*.evtx" |
    Where-Object { $_.Name -notlike "Archive-*" } |
    ForEach-Object {
        $file    = $_          # inside catch, $_ is the error record, so keep the file reference
        $logName = $file.BaseName -replace '%4', '/'
        try {
            $evt = Get-WinEvent -LogName $logName -Oldest -MaxEvents 1 -ErrorAction Stop
            Write-Host "$($logName): OK ($($evt.TimeCreated))"
        } catch {
            if ($_.Exception.Message -like "*No events were found*") {
                Write-Host "$($logName): OK (empty)"
            } else {
                Write-Warning "$($logName): CORRUPTED - $_"
                $corruptedLogs += $file.Name
            }
        }
    }

Write-Host "Corrupted logs: $($corruptedLogs -join ', ')"
```

Remove corrupted logs:

```powershell
# The service must be stopped (or the files handled offline from WinPE / safe mode)
# before the files can be moved; see step 4 for the start-type workaround.
Stop-Service EventLog -Force

# Quarantine corrupted log files rather than deleting them: a partially readable
# EVTX can still be carved for evidence later
$quarantine = "C:\EventLogBackups\corrupt-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
foreach ($log in $corruptedLogs) {
    $logFile = "$logPath\$log"
    Write-Host "Moving $logFile to $quarantine..."
    Move-Item -Path $logFile -Destination $quarantine -Force
}

# Start service; it recreates empty log files
Start-Service EventLog
```

Use CheckDisk for filesystem corruption:

```powershell
# Check for disk corruption affecting log files (on the system drive this is scheduled for next boot)
chkdsk C: /f /r

# Or via PowerShell
Repair-Volume -DriveLetter C -Scan

# If corruption found
Repair-Volume -DriveLetter C -OfflineScanAndFix

# Requires reboot
Restart-Computer -Force
```

### 6. Configure Group Policy for event logs

Check Group Policy settings:

```powershell
# Resultant policy report; look under Administrative Templates > Windows Components > Event Log Service
gpresult /scope computer /h "$env:TEMP\gpresult.html"
# or, with the GroupPolicy module:
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\RSOP.html"

# Or check the registry: values here are policy and override the service configuration
Get-ChildItem "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object PSChildName, MaxSize, Retention, AutoBackup }

# Check specific policies
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" | Select-Object MaxSize, Retention, AutoBackup
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"    | Select-Object MaxSize, Retention, AutoBackup
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System"      | Select-Object MaxSize, Retention, AutoBackup

# MaxSize is in KB. Retention "1" = do not overwrite: the policy setting that fills logs.
```

Configure Event Log GPO:

```powershell
# On a domain controller or a management host with GPMC / the GroupPolicy module:
# gpmc.msc > Create GPO
# Computer Configuration > Policies > Administrative Templates >
# Windows Components > Event Log Service > Application / Security / System
#   "Specify the maximum log file size (KB)"
#   "Control Event Log behavior when the log file reaches its maximum size"
#   (Disabled or Not Configured = overwrite as needed)

# Or via PowerShell, writing the registry values those ADMX settings use
New-GPO -Name "Event Log Configuration"
Set-GPRegistryValue -Name "Event Log Configuration" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" `
    -ValueName "MaxSize" -Type DWord -Value 524288      # 512MB, in KB

# Retention: the Event Log Service ADMX stores this as a string,
# "0" = overwrite as needed, "1" = do not overwrite
Set-GPRegistryValue -Name "Event Log Configuration" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" `
    -ValueName "Retention" -Type String -Value "0"

# Link GPO
New-GPLink -Name "Event Log Configuration" -Target "OU=Servers,DC=domain,DC=com"

# Policy wins over local settings: a local wevtutil change is reverted at the next refresh
```

Security log audit policy:

```powershell
# Check effective audit policy, all subcategories
auditpol /get /category:*

# Find which subcategory is flooding before changing anything, then tune that
# subcategory. Do not disable whole categories: Logon/Logoff failures are exactly
# the events brute-force and lateral-movement detections depend on.
# gpedit.msc > Computer Configuration > Windows Settings > Security Settings >
# Advanced Audit Policy Configuration

# Typical flood source: Filtering Platform Connection (5156/5158, one event per socket)
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

# Keep the high-value subcategories on and raise the Security log size instead
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
```
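Before tuning `auditpol`, measure what is actually filling the Security log. The following is an added example, not part of the original guide: it counts events per ID over a recent window, maps each to its audit subcategory (the `TaskDisplayName` of the record, which is the name you pass to `auditpol /set /subcategory:`), and estimates how long the log survives at the current rate using the real on-disk bytes per record. The one-hour window and the function name are assumptions; keep the window short, since `Get-WinEvent` loads every matching record into memory.

```powershell
# Added example (not from the original guide): what is filling the Security log?
function Measure-SecurityLogFlood {
    param([int]$Hours = 1, [int]$Top = 10)   # assumed window and list length

    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { Write-Warning "No Security events in the last $Hours h"; return }

    $cfg   = Get-WinEvent -ListLog Security
    $total = $events.Count

    # Average bytes per record measured from the live file, not guessed
    $bytesPerEvent = if ($cfg.RecordCount -gt 0) { $cfg.FileSize / $cfg.RecordCount } else { 1KB }
    $perHour       = $total / $Hours
    $hoursToFill   = $cfg.MaximumSizeInBytes / ($perHour * $bytesPerEvent)

    $breakdown = $events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            $sample = $_.Group[0]
            [pscustomobject]@{
                Id          = [int]$_.Name
                Count       = $_.Count
                Percent     = [math]::Round(100 * $_.Count / $total, 1)
                PerHour     = [math]::Round($_.Count / $Hours)
                Subcategory = $sample.TaskDisplayName   # the auditpol subcategory to tune
            }
        }

    [pscustomobject]@{
        Window           = "$Hours h"
        EventsPerHour    = [math]::Round($perHour)
        AvgBytesPerEvent = [math]::Round($bytesPerEvent)
        MaxSizeMB        = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        HoursToFill      = [math]::Round($hoursToFill, 1)
        LogMode          = $cfg.LogMode
        Breakdown        = $breakdown
    }
}

$report = Measure-SecurityLogFlood -Hours 1
$report | Select-Object Window, EventsPerHour, AvgBytesPerEvent, MaxSizeMB, HoursToFill, LogMode | Format-List
$report.Breakdown | Format-Table -AutoSize
```

If `HoursToFill` is shorter than the interval at which events are forwarded or archived, events will be lost under "Retain" and overwritten under "Circular" before they leave the box; that number, not the absolute event rate, is what decides between raising the size and disabling a subcategory. A single ID dominating the breakdown (5156, 4663 from an over-broad SACL, 4688 without a need for it) is the one to tune; a flat distribution means the log is simply undersized.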

### 7. Fix disk space issues

Check disk space:

```powershell
# Check disk space
Get-PSDrive -PSProvider FileSystem |
    Select-Object Name, Used, Free,
        @{N='UsedGB'; E={ [math]::Round($_.Used/1GB, 2) }},
        @{N='FreeGB'; E={ [math]::Round($_.Free/1GB, 2) }}

# Check event log folder size
$logPath = "C:\Windows\System32\winevt\Logs"
$size = (Get-ChildItem -Path $logPath -File | Measure-Object -Property Length -Sum).Sum
Write-Host "Event Log folder size: $([math]::Round($size/1MB, 2)) MB"

# Check for large log files
Get-ChildItem -Path $logPath -File |
    Sort-Object Length -Descending |
    Select-Object -First 5 Name, @{N='SizeMB'; E={ [math]::Round($_.Length/1MB, 2) }}
```

Clean up disk space:

```powershell
# Run Disk Cleanup
cleanmgr /d C: /VERYLOWDISK

# Or via PowerShell
Start-Process cleanmgr.exe -ArgumentList "/d C:", "/VERYLOWDISK" -Wait

# Clear Windows Update cache (Start-Service has no -Force parameter)
Stop-Service wuauserv -Force
Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Recurse -Force
Start-Service wuauserv

# Clear temporary files
Remove-Item -Path "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue

# Compress old auto-backup archives (Archive-*.evtx) only. The other .evtx files in
# this folder are the live channels, held open by the service; deleting them loses data.
$logPath = "C:\Windows\System32\winevt\Logs"
Get-ChildItem -Path $logPath -Filter "Archive-*.evtx" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } |
    ForEach-Object {
        Compress-Archive -Path $_.FullName -DestinationPath "$($_.FullName).zip" -Force
        Remove-Item $_.FullName -Force
    }
```

### 8. Configure event log subscription management

Configure event forwarding:

```powershell
# Check event collector service (collector side)
Get-Service Wecsvc

# Set the collector service to start automatically and enable the ForwardedEvents log
wecutil qc /q:true

# Subscription definition. Security events all carry Level 0 (audit success/failure),
# so a Level-based query never matches them; select by keyword or event ID instead.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward security events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <ReadExistingEvents>false</ReadExistingEvents>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- all audit failures (Audit Failure keyword 0x10000000000000) -->
        <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
        <!-- plus logons, account changes and log clearing -->
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720 or EventID=4728 or EventID=1102)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <!-- which sources may subscribe: Domain Computers (DC) and Domain Controllers (DD) -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# wecutil cs takes a file path, not inline XML
$subscriptionXml | Set-Content -Path "$env:TEMP\SecurityEvents.xml" -Encoding UTF8
wecutil cs "$env:TEMP\SecurityEvents.xml"

# Verify the definition and the runtime status (which sources are active or in error)
wecutil gs SecurityEvents
wecutil gr SecurityEvents
```

Configure source-initiated forwarding:

```powershell
# On source computers (Group Policy):
# Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > Configure target Subscription Manager
# Value format (the original "host:port;Refresh=" form is not accepted):
#   Server=http://collector.domain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# Use https://...:5986/... with a server certificate for sources outside the domain.

# Same setting via registry, for testing on a single host
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name "1" -Type String `
    -Value "Server=http://collector.domain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60"

# Forwarding runs inside WinRM as NETWORK SERVICE, which must be allowed to read the Security log
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
winrm quickconfig -q

# Pick up the setting. The Event Log service is not involved; refresh policy and WinRM.
gpupdate /force
Restart-Service WinRM
```
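Most "subscription failing" tickets come down to one of five things on the source: no policy, a malformed Subscription Manager string, WinRM not listening, the collector unreachable with Kerberos, or NETWORK SERVICE unable to read the Security log. The following is an added example, not part of the original guide, that checks all five on a source computer and reads the forwarder plugin's own error channel. The collector name is an assumption; the group-membership check only sees direct members of Event Log Readers, so access granted through a nested group or a channel SDDL shows as a false negative.

```powershell
# Added example (not from the original guide): source-side WEF health check.
function Test-WefSource {
    param([string]$Collector = 'collector.domain.com')   # assumed collector FQDN

    $result = [ordered]@{}

    # 1. Policy present and well-formed (Server=URL[,Refresh=N][,IssuerCA=...])
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $mgr = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'1'
    $result.SubscriptionManager = $mgr
    $result.ManagerFormatOk = [bool]($mgr -match '^Server=https?://[^/,]+/wsman/SubscriptionManager/WEC(,[A-Za-z]+=[^,]+)*$')

    # 2. WinRM running with at least one listener
    $result.WinRMRunning  = (Get-Service WinRM).Status -eq 'Running'
    $result.WinRMListener = [bool](Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)

    # 3. Collector reachable over WS-Man with Kerberos (what the forwarder uses in a domain)
    try {
        $null = Test-WSMan -ComputerName $Collector -Authentication Kerberos -ErrorAction Stop
        $result.CollectorReachable = $true
    } catch {
        $result.CollectorReachable = $false
    }

    # 4. NETWORK SERVICE (S-1-5-20) is a direct member of Event Log Readers (S-1-5-32-573)
    $readers = Get-LocalGroupMember -SID 'S-1-5-32-573' -ErrorAction SilentlyContinue
    $result.NetworkServiceCanRead = [bool]($readers | Where-Object { $_.SID.Value -eq 'S-1-5-20' })

    # 5. Errors from the forwarder plugin in the last 24 hours
    $errs = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Forwarding/Operational'; Level = 2
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
    $result.ForwardingErrorsLast24h = @($errs).Count
    $result.LastForwardingError    = if ($errs) { @($errs)[0].Message } else { $null }

    [pscustomobject]$result
}

Test-WefSource -Collector 'collector.domain.com' | Format-List
```

Run it as administrator on a source that the collector's `wecutil gr` reports as inactive. Every `False` maps directly to a fix in the block above (policy value, `winrm quickconfig`, group membership); `CollectorReachable = False` with everything else fine is a network, SPN or firewall problem on the collector side rather than a logging one.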

### 9. Debug with event log diagnostics

Enable verbose Event Log logging:

```powershell
# The Event Log service's own operational channel
wevtutil sl Microsoft-Windows-EventLog/Operational /e:true

# View operational log
Get-WinEvent -LogName "Microsoft-Windows-EventLog/Operational" -MaxEvents 20

# Enable analytic log (high volume; /q:true suppresses the confirmation prompt)
wevtutil sl Microsoft-Windows-EventLog/Analytic /e:true /q:true

# Analytic channels can only be read oldest-first (the parameter is -MaxEvents)
Get-WinEvent -LogName "Microsoft-Windows-EventLog/Analytic" -Oldest -MaxEvents 50

# Disable it again when done; it fills quickly
wevtutil sl Microsoft-Windows-EventLog/Analytic /e:false /q:true
```

Use Process Monitor for Event Log debugging:

```powershell
# Download Process Monitor
# https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

# Find the svchost PID hosting the EventLog service so the filter is precise
tasklist /svc /fi "SERVICES eq EventLog"

# Filter for EventLog activity
# Filter > PID > is > <that PID>
# Filter > Path > contains > winevt

# Look for:
# - ACCESS DENIED on log files (NTFS permissions or a policy ACL)
# - NAME NOT FOUND for missing files
# - DISK FULL or BUFFER OVERFLOW on writes
```

### 10. Monitor event log health

Create monitoring script:

```powershell
# Event Log health monitor
$thresholds = @{
    PercentFull    = 90
    MinFreeSpaceGB = 10
}

$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object { $_.IsEnabled }

foreach ($log in $logs) {
    # Only logs that do not overwrite can fill. Compare the real file size with the cap;
    # RecordCount says nothing about bytes, and the service exposes IsLogFull directly.
    if ($log.LogMode -eq 'Circular' -or -not $log.MaximumSizeInBytes -or -not $log.FileSize) { continue }
    $percentFull = [math]::Round(($log.FileSize / $log.MaximumSizeInBytes) * 100, 1)

    if ($log.IsLogFull -or $percentFull -gt $thresholds.PercentFull) {
        Write-Warning "$($log.LogName) is ${percentFull}% full (mode: $($log.LogMode), IsLogFull: $($log.IsLogFull))"

        # Send alert (example)
        # Send-MailMessage -To "admin@domain.com" -Subject "Event Log Alert" `
        #     -Body "$($log.LogName) is ${percentFull}% full"
    }
}

# Check free space on the volume holding the logs
$freeGB = (Get-PSDrive C).Free / 1GB
if ($freeGB -lt $thresholds.MinFreeSpaceGB) {
    Write-Warning "Only $([math]::Round($freeGB, 1)) GB free on C:"
}

# Check Event Log service
if ((Get-Service EventLog).Status -ne "Running") {
    Write-Error "Event Log service is not running!"
    Start-Service EventLog
}
```

Schedule health check:

```powershell
# Create scheduled task for monitoring (runs as SYSTEM so it can read the Security log)
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\EventLogHealth.ps1"

# -At takes a single time, so build one trigger per run
$triggers = "08:00", "12:00", "18:00" | ForEach-Object { New-ScheduledTaskTrigger -Daily -At $_ }

$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest

Register-ScheduledTask -TaskName "EventLogHealthCheck" -Action $action -Trigger $triggers `
    -Principal $principal -Description "Monitor event log health and alert on issues"
```

Prevention

  • Configure circular logging for production logs (LogMode = Circular); use "Retain" only where a compliance requirement forbids overwriting, and then size and archive the log to match
  • Set log sizes based on expected daily volume (minimum 512MB)
  • Implement log forwarding to central SIEM for long-term retention
  • Monitor log utilization with alerts at 80% threshold
  • Archive and clear logs on scheduled basis
  • Test event log configuration after Windows updates
  • Document audit policy requirements for compliance
  • Ensure adequate disk space on system drive (minimum 10GB free)

Related Event IDs and Errors

  • **Event ID 1101**: Audit events dropped by the transport (Security log under pressure)
  • **Event ID 1102**: The audit log was cleared (security event; confirm it matches a scheduled rotation)
  • **Event ID 1104**: The Security log is now full (retention set to "Do not overwrite")
  • **Event ID 104**: A non-Security log was cleared (recorded in the System log)
  • **Event ID 6008**: Unexpected shutdown (possible log corruption)
  • **Event Log service not found**: Service registration corrupted
  • **0x80070005**: Access denied on log file (permission issue)