To change location of the Windows NT or Windows 2000 Security event log you can use the Event Viewer to indirectly modify the registry or to apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: File
Type: REG_EXAND_SZ
Value: %SystemRoot%\system32\config\SecEvent.Evt default

Appication and System registries follow same pattern. Use this to change where the logs are stored. These keys give you the flexibility to put it wherever you want.

To change the maximum size of the Windows NT or Windows 2000 Security event log file (in kilobytes) you can use the Event Viewer to indirectly modify the registry or to apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: MaxSize
Type: REG_DWORD
Value: 512 default=512K

To change the Retention period of security events for the Windows NT or Windows 2000 Security event log file (in seconds) you can use the Event Viewer to indirectly modify the registry or to apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: Retention
Type: REG_DWORD
Value: 604,800 default (seconds)
Retention is how long events are must be maintained. Older events can be overwritten but newer events cannot. If a new event needs to be written to the log (security, application. or system) and maxsize has been reached AND there are no events older than the retention period, a log full event occurs.

To determine whether the security events are enabled and what services and applications are enabled to write to the security log, view the Sources value which is dynamic and maintained by the EventLog service:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: Sources
Type: REG_EXAND_SZ

The actual error messages recorded in the event logs comes for system or application DLLs. The CategoryMessageFile value contains the path and file name of the file that contains the category descriptions for security event log events:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security\[appname]
Name: CategoryMessageFile
Type: REG_EXAND_SZ

EventMessageFile seems to follow exactly the same pattern.

There is an important implication derived from these esoteric settings. The message files are read from DLLs. If you backup an event log in native .evt format and restore it later (say after a service pack), the message text displayed could very well have changed.

Frank Heyne has made available a Windows NT Eventlog FAQ .

Book Recommendation:

A must have for NT administrators in corporate or governmental organizations or anyone being audited by a large outside audit firm.
It is not a secrets type guide but it has excellent sound advice and its used by PriceWaterhouse's auditors as a guide.