We have some issues with DNS and DHCP interacting, so we're archiving the DHCP event logs using PowerShell and dumping the contents to an SQL database for later analysis. However, the archive script is only grabbing files named 'DhcpSrvLog-$day.log' (where $day is Mon, Tue, etc.). However, the log files are limited to 10MB in size. After that point, they overflow, but we can't find any documentation on what the next log file is called. It doesn't overflow often, but on the days that it does the first file often rolls over or overflows at 3pm.
I'd like to be able to archive the complete log files on the days the system is logging so much, and I'm assuming Windows doesn't just stop writing the logs. Is there any way to either increase the log size (I believe this is fixed) or can someone tell me the convention for the second log of a given day?
OS is Windows Server 2008 R2 x64.
[For reference, the issues we're looking for themselves are likely related to the system being upgraded continually since the mid 90's. It was originally a Novell domain, then NT 3.51 –> NT 4 –> 2k –> 2k3 –> 2k8 –> 2k8 R2… plus several custom schema extensions which don't work well at all and a history of administrators who had no idea what they were doing. The domain has more issues than Time magazine, so this problem doesn't surprise anyone. We're in the process of moving to a brand new domain, but we're trying to troubleshoot this DHCP/DNS issue to make sure the same problem doesn't happen on the new domain, too.]
Best Answer
Ah, ha, I've been able to answer my own question.
Event ID 1030 — DHCP Audit Logging
More About DHCP Audit and Event Logging
DhcpLogFilesMaxSize
DhcpLogFilesMaxSizeunderHKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parametersspecifies the maximum size, in MB, of the log files each week. If you go over this amount, the extra data is lost, which is pretty awful design if you ask me.So this value divided by 7 is the daily log maximum size, it appears, as no log file ever goes over 10MB but some end up below.