
wevtutil gl Command: View Event Log Settings

Learn how to use the wevtutil gl command to inspect Windows Event Log settings, retention mode, and size limits for troubleshooting and audits.

Rojan Acharya

The wevtutil gl command displays Windows Event Log configuration details such as log mode, retention, maximum size, enabled status, and file path. It is the fastest way to inspect how a log is configured before you troubleshoot missing events, adjust retention policies, or validate audit settings.

Whether you are a system administrator verifying Security log retention, an IT professional diagnosing log rollover behavior, or a security analyst ensuring audit settings align with policy, wevtutil gl provides authoritative log metadata directly from the Windows Eventing subsystem.

This guide covers syntax, output fields, practical examples, troubleshooting, related commands, FAQs, and a quick reference card. By the end, you will confidently use wevtutil gl to audit event log configuration and support reliable logging in production environments.

What Is the wevtutil gl Command?

wevtutil gl stands for get-log. It retrieves the configuration for a specific Windows Event Log, such as Application, System, or Security. The output includes whether the log is enabled, maximum size, retention or overwrite behavior, log file location, and other settings that affect how events are stored and preserved.

This command is read-only and safe to run on production systems. It is available in modern Windows versions (Windows 7 through Windows 11 and Windows Server editions) and works in both Command Prompt and PowerShell.

Syntax

wevtutil gl <LogName>

Parameters and Options

Parameter | Description | Example
<LogName> | The name of the log to inspect | Application, System, Security

Log names are case-insensitive but must match Windows Event Log names. Use wevtutil el to list available logs.

Key Output Fields and Meaning

When you run wevtutil gl, you will see a list of fields. These are the most important ones for operations and auditing:

enabled

Indicates whether the log is actively collecting events. If enabled: false, the log will not record new entries.

retention and autoBackup

These fields determine whether logs are overwritten or archived when full. Retention policies are critical for compliance and incident response.

maxSize

Shows the maximum log file size in bytes. When the log reaches this limit, Windows may overwrite older entries or stop logging depending on retention settings.

logFileName

The location of the log file (typically under C:\Windows\System32\winevt\Logs). This is useful for disk capacity planning and forensic collection.

logMode

Indicates how Windows handles log growth. Common values include Circular (overwrite oldest) or AutoBackup (archive then continue).

Examples (HowTo)

1. Inspect the Application log configuration

Scenario: You want to verify Application log settings before troubleshooting missing app errors.

wevtutil gl Application

Expected output (excerpt):

enabled: true
retention: false
autoBackup: false
maxSize: 20480000
logFileName: %SystemRoot%\System32\winevt\Logs\Application.evtx
logMode: Circular

Explanation: Older Application events are overwritten when the log is full, because retention is disabled and logMode is Circular.

2. Inspect the System log configuration

Scenario: You need to confirm whether the System log is large enough for troubleshooting driver issues.

wevtutil gl System

Explanation: Review maxSize and logMode to determine how long events are retained before being overwritten.

3. Inspect the Security log configuration

Scenario: Security logs must retain audit events for compliance.

wevtutil gl Security

Explanation: Check retention and autoBackup for audit policies. Security logs often require stricter retention.

4. List all logs, then inspect one

Scenario: You need to find the exact log name first.

wevtutil el
wevtutil gl Microsoft-Windows-WindowsUpdateClient/Operational

Explanation: wevtutil el lists all log names, including application-specific and operational logs.

5. Export configuration for documentation

Scenario: You want a record of log settings for an audit or change request.

wevtutil gl Security > C:\Logs\security-log-settings.txt

Explanation: Save the configuration to a text file for documentation or compliance evidence.

6. Compare log settings across systems

Scenario: Ensure standard log configurations across servers.

wevtutil gl System > C:\Logs\system-log-settings.txt

Explanation: Use this output to compare against baseline settings in a configuration management process.
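
One way to automate the baseline comparison from examples 5 and 6, using the fields described under Key Output Fields (an added Python example, not part of the original guide): it parses saved wevtutil gl text output, derives the full-log behavior from retention and autoBackup, and reports drift. The sample output, the BASELINE values, and the function names parse_gl, when_full and audit are assumptions made for illustration.

```python
import re

# Constructed sample of saved `wevtutil gl Security` output (not from a real host).
SAMPLE = r"""name: Security
enabled: true
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
"""

# Hypothetical baseline for illustration: values are assumptions, not a standard.
BASELINE = {"enabled": "true", "min_max_size": 192 * 2**20, "when_full": "archive"}

def parse_gl(text):
    """Flatten `key: value` lines; section headers such as `logging:` carry no value."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(\S.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def when_full(cfg):
    """Derive full-log behavior from the retention and autoBackup fields."""
    retention = cfg.get("retention", "false").lower() == "true"
    auto_backup = cfg.get("autoBackup", "false").lower() == "true"
    if retention and auto_backup:
        return "archive"    # full file is archived and logging continues
    if retention:
        return "retain"     # nothing is overwritten; new events are dropped
    return "overwrite"      # circular: oldest events are overwritten

def audit(text, baseline):
    """Return a list of findings where the log settings miss the baseline."""
    cfg, findings = parse_gl(text), []
    if cfg.get("enabled", "").lower() != baseline["enabled"]:
        findings.append("log is not enabled")
    size, floor = int(cfg.get("maxSize", 0)), baseline["min_max_size"]
    if size < floor:
        findings.append(f"maxSize {size // 2**20} MB is below {floor // 2**20} MB")
    if when_full(cfg) != baseline["when_full"]:
        findings.append(f"when full: {when_full(cfg)}, expected {baseline['when_full']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, BASELINE)) or "matches baseline")
```

Run it over each server's saved file and treat an empty findings list as a match; a disabled log or an overwrite setting on a log that must be archived shows up as a named finding.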

Common Use Cases

  1. Audit log retention policies – Validate that Security logs keep events long enough for compliance requirements.

  2. Troubleshoot missing events – Check if logs are disabled or overwriting too quickly.

  3. Capacity planning – Use maxSize to ensure enough disk space for forensic needs.

  4. Baseline configuration – Capture settings for gold images or standardized server builds.

  5. Incident response – Verify log settings before collecting evidence to understand data availability.

  6. Change management – Document current settings before modifying log size or retention.

  7. SOC validation – Ensure operational logs are enabled for endpoint monitoring.

  8. Compliance verification – Prove that event logs are configured to meet policy.

  9. Troubleshoot log rollover – Investigate if events are lost due to circular logging.

  10. Post-upgrade checks – Confirm log settings remain consistent after OS upgrades.

Tips and Best Practices

  1. Always list logs first if unsure – Use wevtutil el to avoid incorrect log names.

  2. Capture output before changes – Save a snapshot with wevtutil gl <LogName> > file.txt for audit trails.

  3. Monitor maxSize in bytes – Convert to MB/GB for clarity when planning retention durations.

  4. Use Security log checks in compliance audits – This log is often mandated for regulatory requirements.

  5. Document logMode choices – Circular logging is common, but may not meet retention requirements.

  6. Check enabled status – Logs can be disabled by policy, which silently drops events.

  7. Use consistent baselines – Keep log settings consistent across environments for easier investigations.

  8. Include logFileName in forensic playbooks – It speeds up evidence collection.

  9. Run as admin if needed – Some logs require elevated access for inspection.

  10. Pair with log export workflows – Combine with wevtutil epl to export logs for analysis.

Troubleshooting Common Issues

"The system cannot find the log"

Problem: wevtutil gl returns an error that the log does not exist.

Cause: The log name is incorrect or uses a different provider path.

Solution: List logs with wevtutil el and copy the exact log name.

Prevention: Use official log names from Event Viewer or wevtutil el output.

Access denied

Problem: The command fails for Security or certain operational logs.

Cause: Insufficient privileges.

Solution: Run Command Prompt as Administrator.

Prevention: Use elevated sessions when inspecting protected logs.

Output looks incomplete

Problem: Some fields are missing.

Cause: The log type does not support every property, or it is disabled.

Solution: Verify the log is enabled and check again. Use wevtutil gl on standard logs to compare.

Prevention: Expect variability across different provider logs.

Log is overwriting too quickly

Problem: Events disappear before they can be reviewed.

Cause: Small maxSize and circular logging.

Solution: Increase max size and consider retention policy changes.

Prevention: Monitor log sizes and adjust based on actual event volume.

Related Commands

wevtutil el

Lists all event logs so you can find the correct log name.

wevtutil epl

Exports logs to an EVTX file for forensic analysis or archival.

wevtutil sl

Sets log configuration (size, retention), which is typically paired with wevtutil gl for validation.

eventvwr

Opens Event Viewer for visual inspection. wevtutil gl is faster and scriptable.

wevtutil qe

Queries events within a log, useful after confirming configuration.

Frequently Asked Questions

What does wevtutil gl do?

It retrieves configuration information for a specified Windows Event Log, including enabled status, size limits, retention, and file location.

Is wevtutil gl safe to run on production systems?

Yes. It is read-only and does not change any settings.

How do I list all available logs?

Run wevtutil el to list all logs, then use wevtutil gl <LogName> on the specific log you want.

Why does the Security log require admin rights?

Security logs are protected by Windows, so you need elevated privileges to access their configuration or contents.

What does logMode mean?

Log mode indicates how Windows handles full logs, such as circular overwrite or auto-backup retention.

Where are event log files stored?

Most logs are stored under C:\Windows\System32\winevt\Logs and end with .evtx.

Can I change log settings with wevtutil?

Yes, use wevtutil sl to set log size and retention, then verify with wevtutil gl.

How can I export the log configuration for audits?

Redirect the output: wevtutil gl Security > C:\Logs\security-log-settings.txt.

Quick Reference Card

Command | Purpose | Example
wevtutil el | List logs | wevtutil el
wevtutil gl Application | View Application log settings | wevtutil gl Application
wevtutil gl System | View System log settings | wevtutil gl System
wevtutil gl Security | View Security log settings | wevtutil gl Security
wevtutil gl Microsoft-Windows-WindowsUpdateClient/Operational | View operational log settings | wevtutil gl Microsoft-Windows-WindowsUpdateClient/Operational

Summary

The wevtutil gl command is the fastest way to view Windows Event Log configuration, including enabled status, retention policy, maximum size, and file location. Use it for auditing, compliance checks, and troubleshooting missing events or log rollover issues.

Pair it with wevtutil el to discover log names and wevtutil epl to export logs for analysis. By capturing log settings before changes, you create reliable audit trails and ensure logging remains consistent across systems. Mastering wevtutil gl helps you maintain trustworthy logging in production and respond faster during incidents.