How To Preserve Your Event Log Files On Frozen Machines

So after posting a tip to a user who was working with us on a beta version of Deep Freeze, I was asked to wrap that tip in a user story and send it over to our blog for the rest of our customers. After spending several days looking at a blank piece of paper, I still have yet to get a user story together that did not seem forced.

Rats.

So, I suppose that I’ll just toss the tip out there: I’m about to show you how to move the event logs on a Windows machine to a location where they are preserved between reboots.

Now you may be asking why you should care about moving the event logs, and that’s where I got in trouble with the user story. The main reason for moving the event logs is so they can be reviewed when things break, and nobody likes writing about problems. If you don’t move them to a thawed location, then any time you have a problem and the computer reboots (as it will if you have a BSOD), you lose the basic diagnostic information that points to where the fault occurred.

The general process to move your event logs is:

1. Thaw the computer.

2. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog

3. Open the subkey that contains the event log you want to redirect, such as Application.

4. In the right pane, you will find a value named File (type REG_EXPAND_SZ), which contains the path and filename of the log file. You can provide a new path and filename here (preferably in a thawed location), but you should keep the .EVT file extension.

5. Close the Registry Editor and restart the computer.

Now this process assumes that you have a thawed location on your local machine that you can move the logs to. I would strongly suggest that this be a physical partition on your system rather than a ThawSpace, since the Event Log service can start before our ThawSpace mounts, which results in errors being logged instead of events.
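The registry change above, scripted for several logs at once with the checks an administrator would want first: this is an added example, not code from the post or from Deep Freeze. It assumes the machine is already thawed, the script runs elevated, and `D:\EventLogs` is a constructed placeholder for a physical thawed partition.

```powershell
# Added example (not from the Faronics post or Deep Freeze): redirect selected
# Windows event logs to a thawed partition by rewriting the "File" value under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>.
# Assumptions: D:\EventLogs is a constructed placeholder for a physical thawed
# partition, the script runs elevated, and the machine is thawed so the
# registry change itself survives the next reboot.
param(
    [string]   $ThawedRoot = 'D:\EventLogs',
    [string[]] $Logs       = @('Application', 'System', 'Security')
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Refuse to point logs at a volume that is not present right now; a drive that
# is missing when the service starts is the same failure mode as a ThawSpace
# that mounts too late.
$drive = [System.IO.Path]::GetPathRoot($ThawedRoot)
if (-not (Test-Path -LiteralPath $drive)) {
    throw "Target volume $drive is not available; use a physical thawed partition."
}
New-Item -ItemType Directory -Path $ThawedRoot -Force | Out-Null

foreach ($log in $Logs) {
    $key = Join-Path $base $log
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "No registry key for log '$log'; skipping."
        continue
    }
    # Read the raw (unexpanded) value so the REG_EXPAND_SZ type is kept and the
    # current extension is reused: .EVT on the systems the post describes,
    # .evtx on Windows Vista and later.
    $current = (Get-Item -LiteralPath $key).GetValue('File', $null,
               [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $ext = if ($current) { [System.IO.Path]::GetExtension($current) } else { '.evt' }
    $newPath = Join-Path $ThawedRoot ($log + $ext)

    Set-ItemProperty -LiteralPath $key -Name 'File' -Value $newPath -Type ExpandString

    # Read the value back before trusting that the change took effect.
    $check = (Get-ItemProperty -LiteralPath $key -Name 'File').File
    if ($check -ne $newPath) { throw "Write to $key\File did not stick." }
    Write-Output "$log -> $newPath (was: $current)"
}
Write-Output 'Restart the computer so the Event Log service opens the new files.'
```

The service only starts writing to the new path after the restart; entries already in the old log file are not moved, so copy them first if you still need them.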

This information is also available here:

http://support.faronics.com/Knowledgebase/Article/View/318/8/how-do-i-retain-the-event-logs-on-a-windows-computer

If you are working more with servers, you can also look at forwarding your event log data to a central server. That’s a bit more involved, so I won’t be putting the entire instructions here, just a link that can point you in the right direction.

http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx

Scott Cornell

When he’s not knee deep in blogging and all things tech, Scott spends his free time playing ultimate Frisbee and watching foreign films. An expert in emerging tech trends, Scott always has his ear to ground for breaking news related to IT security.