How can I relocate the Application, Security, and System event logs in Windows Server 2008 R2? The KB for 2003 does not work, neither does going into the properties of each log and changing the path. By all accounts it should work, but it simply does not move the event log.
That should work, that's how I set up my logs. Just pre-create a directory that you want the logs to be stored in, then change that path. I.E.: F:\EVTLogs. Then when you edit the properties just replace the %System%. You will then see each of the Windows logs populate in that new directory. – Chadddada May 10 '11 at 16:57
3 Answers
You can do this from the GUI or command line.
- Start the Server Manager Diagnostics
- Event Viewer
- Windows Logs
- Right click the event log of your choosing
- Change the “Log Path” variable to an existing dir / file name
The registry key that sets the value is HKLM\SYSTEM\ControlSet001\Services\eventlog\$LogName
You can modify it as well by using the following commands (modify to fit your environment)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\eventlog\Application" /f /v File /t REG_SZ /d G:\Logs\Application.evtx
reg add "HKLM\SYSTEM\CurrentControlSet\Services\eventlog\Application" /f /v Flags /t REG_DWORD /d 0x00000001
Source : Change Log file location in Windows Server 2008 R2 via registry

AFAIK, CurrentControlSet points to the ControlSet that is currently in use. Whereas ControlSet001, ControlSet002 are just revisions created. CurrentControlSet is selected at boot time from the various ControlSetXXX present based on the boot options. So I think both keys should be added to CurrentControlSet – Ganesh R. May 10 '11 at 16:51
@Ganesh I think you're right. It might be a typo on the site I sourced. I've changed it in my answer. – Holocryptic May 10 '11 at 17:26
This is correct. The only step I was missing (which doesn't appear in any of the tutorials) was to make sure Local Service had permissions to create the evtx files. – May 10 '11 at 17:32
The registry change didn't work for me, but you can also execute the following command in PowerShell:
wevtutil sl application /lfn:"D:\MyDir\Application.evtx"

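Added example, not part of any answer on this page: the steps from the answers and comments above (pre-created directory, Local Service permissions, `wevtutil sl`) combined in one PowerShell script that also reads the setting back. The target directory `F:\EVTLogs`, the tightened ACL and the Modify right for Local Service are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example: relocate the Application, Security and System logs.
# $TargetDir is a constructed value; change it to fit your environment.
$TargetDir = 'F:\EVTLogs'
$Logs      = 'Application', 'Security', 'System'

# 1. Pre-create the directory that the log path will point at.
if (-not (Test-Path -LiteralPath $TargetDir)) {
    New-Item -ItemType Directory -Path $TargetDir | Out-Null
}

# 2. Drop inherited ACEs so ordinary users cannot read the relocated logs,
#    and let Local Service create the .evtx files.
#    Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = Administrators,
#    S-1-5-19 = LOCAL SERVICE. Modify (M) is an assumption of this example.
icacls $TargetDir /inheritance:r /grant:r `
    '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-19:(OI)(CI)M'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Point each log at its new file, then read the configuration back.
foreach ($log in $Logs) {
    $path = Join-Path $TargetDir "$log.evtx"

    wevtutil sl $log "/lfn:$path"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$log : wevtutil sl failed with exit code $LASTEXITCODE"
        continue
    }

    # 'wevtutil gl' prints the log configuration, including a logFileName line.
    $configured = wevtutil gl $log | ForEach-Object {
        if ($_ -match '^\s*logFileName:\s*(.+)$') { $Matches[1].Trim() }
    }

    if ($configured -ne $path) {
        Write-Warning "$log : logFileName is '$configured', expected '$path'"
    }

    # The file only appears once the service could actually create it,
    # which is where a missing Local Service permission shows up.
    $exists = Test-Path -LiteralPath $path
    '{0,-12} logFileName={1} fileExists={2}' -f $log, $configured, $exists
}
```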
If you want to do it via GPO or local Policy you can do it via computer configuration\administrative templates\windows components\event log service
Just make sure in the "control the location" setting you enter something like <drive letter>\<folder>\<name of the log>.evtx or it won't work without returning an error. Took me some time to find it out.
