Value: %SystemRoot%\system32\config\SecEvent.Evt default
The Application and System registry keys follow the same pattern. Use this value to change where the logs are stored; these keys give you the flexibility to put the log files wherever you want.
To change the maximum size of the Windows NT or Windows 2000 Security event log file (in kilobytes), you can use the Event Viewer to modify the registry indirectly or apply the registry hack directly:
Value: 512 default=512K
To change the retention period of security events for the Windows NT or Windows 2000 Security event log file (in seconds), you can use the Event Viewer to modify the registry indirectly or apply the registry hack directly:
Value: 604,800 default (seconds)
Retention is how long events must be maintained. Events older than the retention period can be overwritten, but newer events cannot. If a new event needs to be written to a log (security, application, or system), maxsize has been reached, AND there are no events older than the retention period, a log full event occurs.
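The overwrite rule described above, as a simplified Python model (an added example, not code from the original page). The `EventLogModel` class, the `fill` helper, the fixed 1 KB record size and the timestamps are constructed assumptions; only the 512 KB and 604,800 second defaults come from the page.

```python
from collections import deque

MAX_SIZE_KB = 512            # MaxSize default given on the page
RETENTION_SECONDS = 604_800  # Retention default given on the page (7 days)

class LogFull(Exception):
    """The log is at MaxSize and no record is older than Retention."""

class EventLogModel:
    """Simplified model: records are (timestamp, size_bytes), oldest first."""

    def __init__(self, max_kb=MAX_SIZE_KB, retention=RETENTION_SECONDS):
        self.max_bytes = max_kb * 1024
        self.retention = retention
        self.records = deque()
        self.used = 0

    def write(self, now, size):
        """Store one record; return how many old records were overwritten."""
        if size > self.max_bytes:
            raise ValueError("record is larger than the whole log")
        freed = victims = 0
        # Plan the overwrite first so a refused write leaves the log intact.
        for ts, sz in self.records:
            if self.used - freed + size <= self.max_bytes:
                break                      # enough room now
            if now - ts <= self.retention:
                raise LogFull(f"oldest remaining record is only {now - ts}s old")
            freed += sz
            victims += 1
        for _ in range(victims):
            self.records.popleft()
        self.used += size - freed
        self.records.append((now, size))
        return victims

def fill(log, interval, count=512, size=1024):
    """Constructed workload: `count` records of `size` bytes, one per `interval` s."""
    for i in range(count):
        log.write(i * interval, size)
    return count * interval  # time of the next write

if __name__ == "__main__":
    slow, burst = EventLogModel(), EventLogModel()
    t = fill(slow, 3600)                  # one event per hour: 21 days to fill
    print("slow log overwrote", slow.write(t, 1024), "record(s)")
    t = fill(burst, 60)                   # one event per minute: full in ~8.5 h
    try:
        burst.write(t, 1024)
    except LogFull as exc:
        print("burst log full:", exc)
```

With the defaults, a log that fills in less than seven days reaches the log full condition, so size MaxSize for the event volume expected over one full retention period.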
To determine whether the security events are enabled and what services and applications are enabled to write to the security log, view the Sources value, which is dynamic and maintained by the EventLog service:
The actual error messages recorded in the event logs come from system or application DLLs. The CategoryMessageFile value contains the path and file name of the file that contains the category descriptions for security event log events:
EventMessageFile seems to follow exactly the same pattern.
There is an important implication derived from these esoteric settings. The message files are read from DLLs. If you back up an event log in native .evt format and restore it later (say, after a service pack), the message text displayed could very well have changed.
Event Log Tips:
Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List
Frank Heyne has made available a Windows NT Eventlog FAQ.