Expanding IME Log Retention
This is a bit of a followup on my last post about collecting log files using Intune.
The log files generated by the Intune Management Extension are extremely useful when troubleshooting a variety of issues, although I focus primarily on Win32 app related problems.
Recently, I have noticed that the IntuneManagementExtension.log is filled with more and more information about the GRSManager, Win32AppInventory and ReevaluationScheduleManager as well as log lines related specifically to Win32 app installations which generate a vast amount of log lines.
While these log lines can be useful, the sheer volume of them can cause the IntuneManagementExtension.log and AgentExecutor.log to fill up and roll over very quickly.
This can be pretty annoying for troubleshooting, as by default the IME is only configured to retain 3 logs (Current + 2 roll overs. Rollover occurs at 3MB by default). So when you get around to collecting logs, any information related to the issue you’re experiencing is potentially long gone.
Well, thankfully we can fix this relatively easily.
There are 2 registry keys that we can create that control the size at which the logs rollover, and how many rolled over logs we keep.
The registry keys that control this are not set by default, so it isn’t immediately obvious what needs changed.
We want to create LogMaxHistory and LogMaxSize under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneWindowsAgent\Logging and configure them accordingly.
In this example, I want to keep 6 logs and rollover at 5MB.
And, like everything you can do this programatically with PowerShell and Proactive Remediation!
Here’s a handy video from Intune.Training showing how to configure Proactive Remediation to deploy the Detection and Remediation scripts.
Not much to summarize other than it can be useful to keep more than the default number of retained logs!