Windows event log location

How to move Event Viewer log files to another location

This article describes how to move Microsoft Windows 2000 and Windows Server 2003 Event Viewer log files to another location on the hard disk.

Original product version: Windows Server 2012 R2
Original KB number: 315417

Summary

Windows 2000 and Windows Server 2003 record events in the following logs:

Application log

The application log contains events that are logged by programs. Events that are written to the application log are determined by the developers of the software program.

Security log

The security log contains events such as valid and invalid logon attempts. It also contains events that are related to resource use, for example, when you create, open, or delete files. You must be logged on as an administrator or as a member of the Administrators group to turn on, to use, and to specify which events are recorded in the security log.

System log

The system log contains events that are logged by Windows system components. These events are predetermined by Windows.

Directory Service log

The Directory Service log contains Active Directory-related events. This log is available only on domain controllers.

DNS Server log

The DNS Server log contains events that are related to the resolution of DNS names to or from Internet protocol (IP) addresses. This log is available only on DNS servers.

File Replication Service log

The File Replication Service log contains events that are logged during the replication process between domain controllers. This log is available only on domain controllers.

By default, Event Viewer log files use the .evt extension and are located in the %SystemRoot%\System32\Config folder.

Log file name and location information is stored in the registry. You can edit this information to change the default location of the log files. You may want to move log files to another location if you require more disk space in which to log data.

Move Event Viewer log files to another location

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

To move Event Viewer log files to another location on the hard disk, follow these steps:

1. Click Start, and then click Run.

2. In the Open box, type regedit, and then click OK.

3. Locate and click the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

4. Click the subkey that represents the event log that you want to move, for example, click Application.

5. In the right pane, double-click File.


6. Type the complete path to the new location (including the log file name) in the Value data box, and then click OK. For example, if you want to move the application log (Appevent.evt) to the Eventlogs folder on the E drive, type e:\eventlogs\appevent.evt.

7. Repeat steps 4 through 6 for each log file that you want to move.

8. Click Exit on the Registry menu.

9. Restart the computer.
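The same registry edit, done from Windows PowerShell instead of regedit, as an added example that is not code from the KB article. It uses the Eventlog key and the REG_EXPAND_SZ File value the article names; it assumes Windows PowerShell 3.0 or later in an elevated session, and the E:\EventLogs target folder is a placeholder. It also does the one thing the click-through steps leave to you: the new folder gets a DACL limited to SYSTEM, Administrators and (where the account exists) the EventLog service identity, so the relocated security and system logs are not readable or replaceable by ordinary users.

```powershell
# Added example, not code from the KB article: perform steps 3 to 9 from PowerShell.
# The service reads the new path only after a restart; the old .evt stays where it was.

$EventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-EventLogFileLocation {
    # One object per log subkey (Application, Security, System, ...): the raw
    # registry value and the expanded path the event log service will open.
    Get-ChildItem -Path $EventLogKey | ForEach-Object {
        $raw = $_.GetValue('File', $null, 'DoNotExpandEnvironmentNames')
        $expanded = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        [PSCustomObject]@{
            LogName      = $_.PSChildName
            RegistryFile = $raw
            ExpandedPath = $expanded
            Exists       = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
        }
    }
}

function New-EventLogDirectory {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Create the target folder with a DACL limited to SYSTEM, Administrators and,
    # where it resolves (Vista and later), the EventLog service identity. Log files
    # are evidence: users must not be able to read, truncate or replace them.
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # do not inherit the volume root's ACL
    foreach ($name in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog') {
        try {
            $sid  = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                        [System.Security.Principal.SecurityIdentifier])
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                        $sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        } catch {
            # On Windows 2000/2003 the service runs as LocalSystem and the
            # 'NT SERVICE\EventLog' account does not exist; SYSTEM already covers it.
            Write-Verbose "Skipping '$name': $($_.Exception.Message)"
        }
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Set-EventLogFileLocation {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,      # e.g. Application
        [Parameter(Mandatory = $true)][string]$NewDirectory  # e.g. E:\EventLogs (placeholder)
    )
    $key = Join-Path $EventLogKey $LogName
    if (-not (Test-Path -LiteralPath $key)) { throw "No log named '$LogName' under $EventLogKey" }
    $current = (Get-Item -LiteralPath $key).GetValue('File', $null, 'DoNotExpandEnvironmentNames')
    if (-not $current) { throw "Log '$LogName' has no File value; it is not backed by a log file" }
    $fileName = Split-Path -Leaf ([Environment]::ExpandEnvironmentVariables($current))
    $newPath  = Join-Path (New-EventLogDirectory -Path $NewDirectory) $fileName
    # Same string the article has you type into the Value data box, kept as REG_EXPAND_SZ
    Set-ItemProperty -LiteralPath $key -Name File -Value $newPath -Type ExpandString
    [PSCustomObject]@{ LogName = $LogName; OldFile = $current; NewFile = $newPath; RestartRequired = $true }
}

# Usage:
Get-EventLogFileLocation | Format-Table -AutoSize
# Set-EventLogFileLocation -LogName Application -NewDirectory 'E:\EventLogs'   # then restart
```

Run Get-EventLogFileLocation before and after the restart to confirm the service is writing to the new file. The old file is not moved or deleted, which is what you want for retention: archive it from the old folder rather than leaving it there indefinitely.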

View the name and location of Event Viewer log files

To view the name and the location of Event Viewer log files, follow these steps:

1. Click Start, point to Settings, and then click Control Panel.

2. Double-click Administrative Tools, and then double-click Event Viewer. Alternatively, open the snap-in that contains Event Viewer.

3. Click to expand Event Viewer (if it is not already expanded).

4. Right-click the log that you want to view, and then click Properties.

5. Click the General tab.

The name and the location of the log file are displayed under Log name.

References

For more information about how to view and manage logs in Event Viewer, see the following article:

For more information about how to use Event Viewer, see Event Viewer Help. To do so, click the Action menu in Event Viewer, and then click Help.

Windows Setup Log Files and Event Logs

Windows® Setup creates log files for all actions that occur during installation. If you are experiencing problems installing Windows, consult the log files to troubleshoot the installation.

Windows Setup log files are available in the following directories:

Log location before Setup can access the drive.

Log location when Setup rolls back in the event of a fatal error.

Log location of Setup actions after disk configuration.

Used to log Plug and Play device installations.

Location of memory dump from bug checks.

Location of log minidumps from bug checks.

Location of Sysprep logs.

Windows Setup Event Logs

Windows Setup includes the ability to review the Windows Setup performance events in the Windows Event Log viewer. This makes it easier to review the actions that occurred during Windows Setup and the performance statistics for different parts of Windows Setup. You can filter the log to view only the items that you are interested in. The Windows Setup performance events are saved into a log file that is named Setup.etl, which is available in the %WINDIR%\Panther directory of all installations. To view the logs, you must use the Event Viewer included with the Windows media that corresponds to the version of the customized image that you are building.

To view the logs on a computer that does not include the corresponding kit, you must run a script from the root of the media that installs the Event Trace for Windows (ETW) provider. From the command line, type:

where D is the drive letter of the Windows DVD media.

To view the Windows Setup event logs

Start the Event Viewer, expand the Windows Logs node, and then click System.

In the Actions pane, click Open Saved Log and then locate the Setup.etl file. By default, this file is available in the %WINDIR%\Panther directory.

The log file contents appear in the Event Viewer.

To Export the log to a file

From the command line, use the Wevtutil or Tracerpt commands to save the log to an .xml or text file. For information about how to use these tools, see the command-line Help. The following commands show examples of how to use the tools:
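An added example, not the commands from the original topic, of exporting Setup.etl with Wevtutil from PowerShell and then summarising what the export contains. It assumes wevtutil.exe is on the PATH, that Setup.etl sits at the default %WINDIR%\Panther location named above, and that the exported events use the standard Windows event XML namespace; the output file path is a placeholder.

```powershell
# Added example, not the topic's own commands: export Setup.etl and summarise it.

function Export-SetupEventLog {
    param(
        [string]$EtlPath = (Join-Path $env:WINDIR 'Panther\setup.etl'),
        [string]$OutXml  = (Join-Path $env:TEMP 'setup.xml')   # placeholder output path
    )
    if (-not (Test-Path -LiteralPath $EtlPath)) { throw "Trace file not found: $EtlPath" }
    # /lf:true  treat the first argument as a log file path, not a channel name
    # /f:xml    emit one <Event> element per event, with no enclosing root element
    $fragments = & wevtutil.exe qe $EtlPath /lf:true /f:xml
    if ($LASTEXITCODE -ne 0) { throw "wevtutil qe failed with exit code $LASTEXITCODE" }
    # Wrap the fragments so the file is a single well-formed XML document
    $body = "<Events>`n" + ($fragments -join "`n") + "`n</Events>"
    Set-Content -LiteralPath $OutXml -Value $body -Encoding UTF8
    # Equivalent with the other tool the topic names (not run here):
    #   tracerpt.exe $EtlPath -of XML -o $OutXml
    return $OutXml
}

function Get-SetupEventSummary {
    # Count events per provider and event ID: a quick way to see which phase of
    # Setup produced the noise before filtering in Event Viewer.
    param([Parameter(Mandatory = $true)][string]$XmlPath)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($XmlPath)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $events = foreach ($ev in $doc.SelectNodes('/Events/e:Event', $ns)) {
        [PSCustomObject]@{
            Provider = $ev.SelectSingleNode('e:System/e:Provider', $ns).GetAttribute('Name')
            EventId  = [int]$ev.SelectSingleNode('e:System/e:EventID', $ns).InnerText
            Time     = [datetime]$ev.SelectSingleNode('e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        }
    }
    $events | Group-Object Provider, EventId | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage:
# $xml = Export-SetupEventLog
# Get-SetupEventSummary -XmlPath $xml | Format-Table -AutoSize
```

The root-element wrapping matters: wevtutil writes a sequence of top-level Event elements, which most XML parsers reject as a document, so add the wrapper before loading the file anywhere else.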

How to collect Windows Information Protection (WIP) audit event logs

Applies to:

  • Windows 10, version 1607 and later
  • Windows 10 Mobile, version 1607 and later

Windows Information Protection (WIP) creates audit events in the following situations:

If an employee changes the File ownership for a file from Work to Personal.

If data is marked as Work, but shared to a personal app or webpage. For example, through copying and pasting, dragging and dropping, sharing a contact, uploading to a personal webpage, or if the user grants a personal app temporary access to a work file.

If an app has custom audit events.

Collect WIP audit logs by using the Reporting configuration service provider (CSP)

Collect the WIP audit logs from your employee’s devices by following the guidance provided by the Reporting configuration service provider (CSP) documentation. This topic provides info about the actual audit events.

The Data element in the response includes the requested audit logs in an XML-encoded format.

User element and attributes

This table includes all available attributes for the User element.

Attribute (Value type): Description

UserID (String): The security identifier (SID) of the user corresponding to this audit report.

EnterpriseID (String): The enterprise ID corresponding to this audit report.

Log element and attributes

This table includes all available attributes/elements for the Log element. The response can contain zero (0) or more Log elements.

Attribute/Element (Value type): Description

ProviderType (String): This is always EDPAudit.

LogType (String): Includes:
  • DataCopied. Work data is copied or shared to a personal location.
  • ProtectionRemoved. WIP protection is removed from a Work-defined file.
  • ApplicationGenerated. A custom audit log provided by an app.

TimeStamp (Int): Uses the FILETIME structure to represent the time that the event happened.

Policy (String): How the work data was shared to the personal location:
  • CopyPaste. Work data was pasted into a personal location or app.
  • ProtectionRemoved. Work data was changed to be unprotected.
  • DragDrop. Work data was dropped into a personal location or app.
  • Share. Work data was shared with a personal location or app.
  • NULL. Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as temporary access).

Justification (String): Not implemented. This will always be either blank or NULL. Note: reserved for future use to collect the user justification for changing from Work to Personal.

Object (String): A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path.

DataInfo (String): Any additional info about how the work file changed:
  • A file path. If an employee uploads a work file to a personal website by using Microsoft Edge or Internet Explorer, the file path is included here.
  • Clipboard data types. If an employee pastes work data into a personal app, the list of clipboard data types provided by the work app is included here. For more info, see the Examples section of this topic.

Action (Int): Provides info about what happened when the work data was shared to personal, including:
  • 1. File decrypt.
  • 2. Copy to location.
  • 3. Send to recipient.
  • 4. Other.

FilePath (String): The file path to the file specified in the audit event. For example, the location of a file that’s been decrypted by an employee or uploaded to a personal website.

SourceApplicationName (String): The source app or website. For the source app, this is the AppLocker identity. For the source website, this is the hostname.

SourceName (String): A string provided by the app that’s logging the event. It’s intended to describe the source of the work data.

DestinationEnterpriseID (String): The enterprise ID value for the app or website where the employee is sharing the data. NULL, Personal, or blank means there’s no enterprise ID because the work data was shared to a personal location. Because we don’t currently support multiple enrollments, you’ll always see one of these values.

DestinationApplicationName (String): The destination app or website. For the destination app, this is the AppLocker identity. For the destination website, this is the hostname.

DestinationName (String): A string provided by the app that’s logging the event. It’s intended to describe the destination of the work data.

Application (String): The AppLocker identity for the app where the audit event happened.
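An added example, not code from the original topic, that decodes the XML-encoded payload of the Data element and turns each Log element into an object an analyst can sort and filter. The User and Log attribute names are the ones documented above; the Reporting root element, the SID, the AppLocker-style identities and every other value in the sample are constructed for this example. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not the topic's own code: decode and tabulate a Reporting CSP audit payload.

$ActionNames = @{ 1 = 'File decrypt'; 2 = 'Copy to location'; 3 = 'Send to recipient'; 4 = 'Other' }

# Constructed sample of the Data element's content: XML that has itself been XML-encoded
# so it can travel inside the SyncML response. All values are made up for this example.
$SampleData = @'
&lt;Reporting Version="1"&gt;
  &lt;User UserID="S-1-5-21-1111111111-2222222222-3333333333-1001" EnterpriseID="contoso.example"&gt;
    &lt;Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="133170048000000000"
         Policy="ProtectionRemoved" Justification="NULL" Object="C:\Users\alice\Documents\budget.xlsx"
         DataInfo="" Action="1" FilePath="C:\Users\alice\Documents\budget.xlsx"
         SourceApplicationName="CONSTRUCTED-APPLOCKER-ID\EXPLORER.EXE" SourceName=""
         DestinationEnterpriseID="Personal" DestinationApplicationName="" DestinationName=""
         Application="CONSTRUCTED-APPLOCKER-ID\EXPLORER.EXE"/&gt;
    &lt;Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="133170084000000000"
         Policy="CopyPaste" Justification="" Object="Clipboard"
         DataInfo="CF_UNICODETEXT, HTML Format" Action="2" FilePath=""
         SourceApplicationName="CONSTRUCTED-APPLOCKER-ID\WINWORD.EXE" SourceName="Work document"
         DestinationEnterpriseID="" DestinationApplicationName="CONSTRUCTED-APPLOCKER-ID\NOTEPAD.EXE"
         DestinationName="" Application="CONSTRUCTED-APPLOCKER-ID\NOTEPAD.EXE"/&gt;
  &lt;/User&gt;
&lt;/Reporting&gt;
'@

function ConvertFrom-WipAuditData {
    param([Parameter(Mandatory = $true)][string]$EncodedData)
    # Undo the XML encoding, then parse the real document
    $decoded = [System.Net.WebUtility]::HtmlDecode($EncodedData)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($decoded)
    foreach ($user in $doc.SelectNodes('//User')) {
        foreach ($log in $user.SelectNodes('Log')) {
            # TimeStamp is a FILETIME: 100 ns intervals since 1601-01-01 UTC
            $ticks = [long]$log.GetAttribute('TimeStamp')
            $actionText = $log.GetAttribute('Action')
            $action = if ($actionText -match '^\d+$') { $ActionNames[[int]$actionText] } else { $null }
            [PSCustomObject]@{
                Time           = [DateTime]::FromFileTimeUtc($ticks)
                UserID         = $user.GetAttribute('UserID')
                EnterpriseID   = $user.GetAttribute('EnterpriseID')
                LogType        = $log.GetAttribute('LogType')
                Policy         = $log.GetAttribute('Policy')
                Action         = $action
                Object         = $log.GetAttribute('Object')
                DataInfo       = $log.GetAttribute('DataInfo')
                FilePath       = $log.GetAttribute('FilePath')
                SourceApp      = $log.GetAttribute('SourceApplicationName')
                DestinationApp = $log.GetAttribute('DestinationApplicationName')
                DestinationEnterpriseID = $log.GetAttribute('DestinationEnterpriseID')
            }
        }
    }
}

# Usage: list the events in which work data left the work boundary, oldest first
ConvertFrom-WipAuditData -EncodedData $SampleData |
    Where-Object { $_.LogType -in @('DataCopied', 'ProtectionRemoved') } |
    Sort-Object Time |
    Format-Table Time, LogType, Policy, Action, SourceApp, DestinationApp, Object -AutoSize
```

Keeping the converted timestamps in UTC (FromFileTimeUtc) makes the records line up with other UTC sources when you correlate a ProtectionRemoved event against file-system or proxy logs from the same device.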

Examples

Here are a few examples of responses from the Reporting CSP.

File ownership on a file is changed from work to personal

SyncML status portion of the response (CmdID MsgRef CmdRef Cmd Data):
  1 1 0 SyncHdr 200
  2 1 2 Replace 200
  3 1 4 Get 200
Results (CmdID MsgRef CmdRef, source LocURI):
  4 1 4 ./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs
(The Data element carrying the audit log XML is not preserved in this copy of the example.)

Windows 7 — Move location of Eventlog

I am having a particularly nasty problem of my main system drive ‘disappearing’ all of a sudden while the system is running. The vendor somewhat knows about this but has not managed to fix it completely over multiple fw iterations. The problem I have with the support is that I cannot provide any particular system log files/entries to further analyse what might have been going on because, well — windows cannot write to its ‘lost’ drive before bsod’ing.

Is there any way to configure where Windows 7 stores its event logs so that I could specify a second physical hdd?

1 Answer

This is from Win2000 and Win2003 Server but is in the same regedit.exe place in Win7. This image is from a Win7 OS, 32-bit, SP1. I have not tried to set it to a different place or run a test, nor have I been able to find the documentation for Win7.

Log file name and location information is stored in the registry. You can edit this information to change the default location of the log files:

For example, if you want to move the application log (Appevent.evt) to the Eventlogs folder on the E drive, type e:\eventlogs\appevent.evt.

The event storage site is:

If you wish to open this, you will have to download a file program to open it. It is good for Win2000, Server 2003, XP, Vista, Win7.

Copy and paste %SystemRoot%\System32\Config into ‘Search programs and files’ of Win7 then click on the file. Follow the links to the download page to use a file program to open it.

In the file association page, select from ‘Sponsored sites’ in the gray area at bottom.

You can also view your events logs from another computer or possibly from a live CD/DVD. I do not know if this will work when your system is playing up:

Event Viewer -> Action -> Connect to another computer

Also, you may wish to:

Open Event Viewer -> Action or help -> click on help

This will open the Microsoft Management Console -> Event Viewer -> Event Viewer; ‘how to. ‘ -> Manage event logs -> Set max. logs size

(You may wish to make it larger; the default size is 512 KB, after which it writes over itself. It increases in 64 KB amounts, such as 8 x 64 KB = 512 KB.)
