The Event Viewer logs (System, Application, and Security) have registry entries at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\logfile
There is a sub-key for each of the 3 logs. Each of these have the following value entries that can be configured:
File is a type REG_EXPAND_SZ that contains the path of the log.
MaxSize is a type REG_DWORD that contains the maximum size of the log file in kilobytes. The default is 512K.
Retention is a type REG_DWORD that specifies records which are newer than this value (in seconds) will not be overwritten. If the value is 0, the log may be overwritten. If the value is hex 0xffffffff, the log must be cleared manually. The default is 604800 (7 days). If the log fills up or a retained record needs to be overwritten, you receive an Event Log Full error.
Sources is a REG_MULTI_SZ value that contains registered posting programs. Each of these entries have a sub-key which has values that control message translation and other information pertinent to the posting program. Sources and the sub-keys should not be altered manually, only with the API provided for that purpose.
