-1

Ultimately, I'm trying to have security logs written to remote storage:

\\Server-Name\Drive-Letter\File_Name.evtx

For testing, I'm trying to move the default log path from %SystemRoot%\System32\Winevt\Logs\Security.evtx to C:\Security.evtx. This, however, is failing; there are no errors in the logs.

I double-checked the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security and the File value does point to C:\Security.evtx; however, logs are still written to the default %SystemRoot%\System32\Winevt\Logs\Security.evtx. I double-checked and no group policy is in place for this.

Any suggestions on how to do this? I'm aware of wevtutil; however, I'd like to accomplish this using Event Viewer.

selachka

1 Answer

4

You're doing it wrong. Whatever the problem is, the solution is not to relocate the event logs to a network location. You can copy them to a network location, use event forwarding to forward the logs to another computer, or relocate the logs to another local drive, but you can't move them to a network location.

Windows expects and requires the event logging service to be available before it initializes the network stack, so your idea is a non-starter.

HopelessN00b
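Two of the options the answer lists (relocating the log to another local drive, and copying it to a network location), as an added PowerShell example that is not part of the original answer. D:\EventLogs and \\archive01\seclogs are placeholder paths, Test-LocalFixedPath is a helper defined here, and the script assumes an elevated prompt.

```powershell
# Added example: run from an elevated PowerShell prompt.
$logName = 'Security'
$newPath = 'D:\EventLogs\Security.evtx'   # placeholder: target on a local fixed disk
$archive = '\\archive01\seclogs'          # placeholder: share that receives copies

function Test-LocalFixedPath {
    param([Parameter(Mandatory)][string]$Path)
    # UNC paths are network locations by definition.
    if ($Path.StartsWith('\\')) { return $false }
    $root = [System.IO.Path]::GetPathRoot($Path)
    if ([string]::IsNullOrEmpty($root)) { return $false }
    # A mapped drive letter reports DriveType 'Network', so it is rejected too.
    return ([System.IO.DriveInfo]::new($root)).DriveType -eq [System.IO.DriveType]::Fixed
}

# 1. Compare what the registry says with the file the service reports it is using.
$regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$logName"
$regFile = (Get-ItemProperty -Path $regKey -Name File -ErrorAction SilentlyContinue).File
$live    = (Get-WinEvent -ListLog $logName).LogFilePath
[pscustomobject]@{ RegistryFile = $regFile; ReportedPath = $live } | Format-List

# 2. Relocate only if the target is on a local fixed disk.
if (-not (Test-LocalFixedPath $newPath)) {
    throw "$newPath is not on a local fixed disk; refusing to relocate the $logName log."
}
# The Event Log service must be able to write to this folder.
New-Item -ItemType Directory -Path (Split-Path $newPath) -Force | Out-Null
wevtutil sl $logName "/lfn:$newPath"
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
(Get-WinEvent -ListLog $logName).LogFilePath   # confirm the path now reported

# 3. Keep the live log local and export a copy to the share instead.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$copy  = Join-Path $archive "$env:COMPUTERNAME-$logName-$stamp.evtx"
wevtutil epl $logName $copy
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }
```

Step 3 is the part to run on a schedule; event forwarding, which the answer also mentions, is configured separately and is not shown here.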