Windows event logs not getting logged to a custom path

  • Question

  • On our device we have Windows Embedded Standard 7. We are trying to change the event log path location in Windows using the registry settings, but it is not working.

    For the Application log we modified the registry setting at the following key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\File] C:\Eventlogs. We also changed the path on the properties page of Application in Event Viewer, but still no use.

    In the System events we observed that, after the ‘Windows Event Log’ service has started, we’re getting the error “The event logging service encountered an error (res=5) while initializing logging resources for channel Application.” Then we’re getting the warning “The event logging service encountered an error (res=5) while opening log file for channel Application. Trying again using default log file path %SystemRoot%\System32\Winevt\Logs\Application.evtx.”

    We suspect that the default path %SystemRoot%\System32\Winevt\Logs folder has full permissions for the virtual group ‘eventlog’. If we give a customized path inside Winevt, we can see that event logs are generated in the given path. Outside of the Winevt folder, we’re not getting event logs.

    The same procedure works for a usual Windows 7 PC. But for our device with WES7, it is not able to write the logs at the changed location.

    Please let me know how to resolve the issue. 

    Friday, January 18, 2013 9:10 AM

Answers

  • Just for testing purpose!

    Try this:

    rem /e subtree incl. empty dirs, /c continue on errors, /i treat target as dir, /q quiet,
    rem /h hidden+system files, /r overwrite read-only, /k attributes, /o owner+ACL, /x audit info, /y no prompt
    xcopy %SystemRoot%\System32\Winevt\ X:\YOUR-LOCATION\ /e /c /i /q /h /r /k /o /x /y
    This command also copies the permissions and all other stuff.

    Afterwards change the registry locations to X:\YOUR-LOCATION\

    (Formatting in this field is a complete mess! Thanks Microsoft for this IE-only messy board.)


    Windows Embedded Developer and Scripting Guy //Germany (Preparing a blog about Windows Embedded Standard)

    Friday, January 18, 2013 8:05 PM
  • This is what I used:

    echo "Setting EWF System Logs to D:\EventLogs\"
    mkdir D:\EventLogs
    rem Point each channel's log file at the new folder (REG_EXPAND_SZ so %VARS% still expand)
    reg add HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application /v File /t REG_EXPAND_SZ /d "D:\EventLogs\Application.evtx" /f
    reg add HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security /v File /t REG_EXPAND_SZ /d "D:\EventLogs\Security.evtx" /f
    reg add HKLM\SYSTEM\CurrentControlSet\services\eventlog\System /v File /t REG_EXPAND_SZ /d "D:\EventLogs\System.evtx" /f

    rem Flags value as used on my image
    reg add HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application /v Flags /t REG_DWORD /d 1 /f
    reg add HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security /v Flags /t REG_DWORD /d 1 /f
    reg add HKLM\SYSTEM\CurrentControlSet\services\eventlog\System /v Flags /t REG_DWORD /d 1 /f

    After this, a reboot and they are all on D...


    =^x^=

    Tuesday, January 22, 2013 3:47 AM
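    A check to run after the reboot, added here as an example and not part of the thread or of either poster's script: it reads each channel's File value back from the registry, confirms the folder exists and carries a full-control ACE for the Event Log service account (NT SERVICE\EventLog, the principal that %SystemRoot%\System32\Winevt\Logs grants by default), and reports when the .evtx file has not appeared, which is what the res=5 fallback in the question looks like from the file system. The channel names and the D:\EventLogs target are taken from the reply above as assumptions; run it elevated.

```powershell
# Added check (not from the thread): has each channel really been relocated,
# or did the service fall back to Winevt\Logs? Written for PowerShell 2.0 (WES7).

$channels     = 'Application', 'Security', 'System'   # assumption: the channels above
$logPrincipal = 'NT SERVICE\EventLog'                  # service SID account of the Event Log service
$defaultDir   = Join-Path $env:SystemRoot 'System32\Winevt\Logs'

function Test-EventLogRedirect {
    param([string[]]$Channels = $channels)
    foreach ($ch in $Channels) {
        $key      = "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\$ch"
        $item     = Get-ItemProperty -Path $key -Name File -ErrorAction SilentlyContinue
        $problems = @()
        if (-not $item) {
            $problems += 'no File value set, service uses the default path'
            $path = Join-Path $defaultDir "$ch.evtx"
        } else {
            # REG_EXPAND_SZ comes back expanded already; expanding again is harmless
            $path = [Environment]::ExpandEnvironmentVariables($item.File)
        }
        $dir = Split-Path -Path $path -Parent
        if (-not (Test-Path -Path $dir)) {
            $problems += "folder '$dir' does not exist"
        } else {
            # Winevt\Logs grants the service SID (OI)(CI)F; the new folder must do the same
            $acl  = Get-Acl -Path $dir
            $full = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $logPrincipal -and
                $_.AccessControlType -eq 'Allow' -and
                "$($_.FileSystemRights)" -match 'FullControl'
            }
            if (-not $full) {
                $problems += "'$logPrincipal' has no FullControl ACE on '$dir'"
            }
            if (-not (Test-Path -Path $path)) {
                $problems += "'$path' not created yet; service may have fallen back to '$defaultDir'"
            }
        }
        New-Object PSObject -Property @{
            Channel    = $ch
            LogFile    = $path
            Redirected = ($dir -ne $defaultDir)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-EventLogRedirect | Format-Table -AutoSize Channel, Redirected, LogFile, Problems
```

    A channel that shows Redirected = True with an empty Problems column is the healthy case; a missing ACE on the folder is the condition the question describes, and the file-not-created line tells you the service has already gone back to the default path for that channel.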

All replies

  • Hm, anyway, the Winevt folder has special permissions for eventlog. So I guess this is the whole deal, as it is similar to the spp and store folders (I investigated a lot).
    And btw: it is also possible to use mklink to redirect the physical location.
    I wrote some poor article in combination with EWF. (wesnext.com)


    Windows Embedded Developer and Scripting Guy //Germany (Preparing a blog about Windows Embedded Standard)

    Tuesday, January 22, 2013 8:11 AM
  • Hi Knarz,

    This worked, however I was hoping there was an easier way. The issue is this whole setup should be unattended and also the end user will not log in to the node. So I was just wondering at what time I will execute the xcopy command in the setup.

    Considering your experience, can you give some ideas?

    Wednesday, January 23, 2013 4:02 AM
  • Hi PE

    Thanks for the reply. I did not add the registry entries from the command line, however I manually added them to test, but that didn't work. Would I need to add any components to make it work? If you are comfortable, can you share the answer file so that I can see if there are any packages that I do not have and which you would have added.

    Another point to note is that on a standard Windows 7 desktop the change in the registry for logs works.

    Wednesday, January 23, 2013 4:04 AM
  • Hi PE,

    Thanks for your reply. It worked

    Wednesday, January 23, 2013 2:02 PM
  • To automate the process, the best way may be to research the SID of the "eventlog" user and grant all permissions to the folder you want to redirect or relocate the log files to. The whole deal is the permissions.

    A little more dirty way would be saving the permissions from the Winevt folder with icacls and applying / restoring them on your target folder.


    Windows Embedded Developer and Scripting Guy //Germany (Preparing a blog about Windows Embedded Standard)

    Thursday, January 24, 2013 7:18 AM
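    A script that implements both of the approaches Knarz describes (the explicit grant to the eventlog service SID, and the "dirtier" copy of the Winevt\Logs permissions that the xcopy answer relied on), then repoints the channels the way the reg add answer does. It is an added example, not code from the thread or from any of the posters; the service SID is resolved with sc showsid rather than hard-coded, the DACL copy uses the .NET ACL API instead of icacls /save /restore, and the D:\EventLogs target, the channel list and the -MirrorDefaultAcl switch name are assumptions. Run it elevated from Audit mode or an unattended first-boot step, before the service is restarted or the device rebooted.

```powershell
# Added example (not from the thread): prepare a relocated log folder with the
# permissions the Event Log service needs, then point the channels at it.
# PowerShell 2.0 compatible for WES7. $Target, $Channels are assumptions.
param(
    [string]   $Target   = 'D:\EventLogs',
    [string[]] $Channels = @('Application', 'Security', 'System'),
    [switch]   $MirrorDefaultAcl   # also copy the DACL of Winevt\Logs (the icacls save/restore idea)
)
$ErrorActionPreference = 'Stop'

function Get-EventLogServiceSid {
    # "sc showsid <service>" prints a line "SERVICE SID: S-1-5-80-..." for any service name
    $out = (& "$env:SystemRoot\System32\sc.exe" showsid eventlog) -join "`n"
    if ($out -notmatch 'SERVICE SID:\s*(S-1-5-80-[\d-]+)') {
        throw "could not resolve the EventLog service SID from: $out"
    }
    New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
}

function Grant-EventLogAccess {
    param([string]$Folder, [switch]$Mirror)
    if (-not (Test-Path -Path $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    $acl = Get-Acl -Path $Folder
    if ($Mirror) {
        # "dirty" variant: take only the DACL section of the default log folder
        $src = Get-Acl -Path (Join-Path $env:SystemRoot 'System32\Winevt\Logs')
        $acl.SetSecurityDescriptorSddlForm($src.GetSecurityDescriptorSddlForm('Access'), 'Access')
    }
    # clean variant: one explicit full-control ACE for the service SID, inherited by new .evtx files
    $ruleArgs = @(
        (Get-EventLogServiceSid),
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Set-EventLogPath {
    param([string]$Folder, [string[]]$Names)
    foreach ($ch in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\$ch"
        # REG_EXPAND_SZ, as in the reg add commands above, so %VARS% still work
        Set-ItemProperty -Path $key -Name File -Value (Join-Path $Folder "$ch.evtx") -Type ExpandString
    }
}

Grant-EventLogAccess -Folder $Target -Mirror:$MirrorDefaultAcl
Set-EventLogPath -Folder $Target -Names $Channels
& "$env:SystemRoot\System32\icacls.exe" $Target   # show the resulting DACL for the build log
```

    The explicit ACE is the part that matters: the service writes as its own service SID, not as SYSTEM, so an inherited Administrators or SYSTEM entry on D:\ is not enough. The mirror switch is there for images where the default folder's ACL has been customized and you want the relocated folder to match it exactly.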
  • You're welcome.

    I have that in a script I use from Audit mode. 

    It now has an extra for reboot on BSOD as well, because the WES7 default is to halt on BSOD ^^;


    =^x^=

    Monday, April 8, 2013 2:26 AM