change event log location to remote drive?


JAQK

Is it possible to modify the registry to redirect the event viewer log to a
mapped drive or UNC path, instead of local?

We don't think it's possible, other than by using scripting, but maybe
somebody knows better, thanks.
 
Definitely not recommended for a number of reasons but;

Reg_Expand_Sz

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\File
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\File
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\File

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
JAQK said:
Is it possible to modify the registry to redirect the event viewer log to a
mapped drive or UNC path, instead of local?

We don't think it's possible, other than by using scripting, but maybe
somebody knows better, thanks.

The location of the event logger files is defined here:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog

I suggest you replace the current entry of
%SystemRoot%\system32\config\SysEvent.Evt

with something like

\\SomeServer\SomeShare\SomeFolder\SysEvent.Evt

Seeing that such a file would not be available until quite late
in the startup process, I suspect that Windows will run into
some severe problems. You are also likely to encounter
permission problems: Windows is likely to use the System
account to write to the Event Logger, and this account
has no access rights to networked resources.
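The two replies above both point at the per-log File value under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog. Before touching it, or when checking whether someone else already has, an administrator wants to see what each log's File value currently says. The following PowerShell is an added example written for this page, not code posted by anyone in the thread; it reads the REG_EXPAND_SZ value both unexpanded and expanded, and flags any log whose file does not sit under %SystemRoot%, which covers a UNC or mapped-drive redirection of the kind discussed here. It assumes an elevated session on a Windows host and defaults to the three log names the thread lists.

```powershell
# Added example (not from the thread): report where each classic event log file
# lives, as recorded in HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<Log>\File.
# Assumed: run elevated on Windows; log names default to the three in the thread.

function Get-EventLogFileLocation {
    [CmdletBinding()]
    param(
        [string[]]$LogName = @('Application', 'Security', 'System')
    )

    foreach ($name in $LogName) {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$name"
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $key) {
            Write-Warning "Registry key not found: $keyPath"
            continue
        }

        # File is REG_EXPAND_SZ: read it raw (keeps %SystemRoot%) and expanded
        # (the path the Event Log service will actually try to open).
        $raw      = $key.GetValue('File', $null, 'DoNotExpandEnvironmentNames')
        $expanded = $key.GetValue('File')

        $isUnc           = [bool]($expanded -match '^\\\\')
        $underSystemRoot = [bool]($expanded -like "$env:SystemRoot\*")

        [pscustomobject]@{
            LogName         = $name
            RawValue        = $raw
            ExpandedPath    = $expanded
            IsUncPath       = $isUnc
            UnderSystemRoot = $underSystemRoot
            # A log file outside %SystemRoot% is either a deliberate move or a
            # sign that the value was changed to divert or drop audit data.
            Suspicious      = -not $underSystemRoot
        }
    }
}

Get-EventLogFileLocation | Format-Table -AutoSize
```

Reading the value unexpanded matters for the question asked: a value written as a mapped drive letter (X:\...) expands to nothing different, but it also cannot be resolved by the Event Log service, which runs before any user's drive mappings exist and, as noted above, under an account with no network credentials.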
 
This is not the way most people do this. Most people log locally and then
somehow inspect or copy the event log entries via a remote system. One way
to do this is via syslog. There are a number of free Windows event log to
syslog solutions, such as ntsyslog. Kiwi has some syslog solutions. You
might consider Snare, which is still free and adds encryption and support
for collecting logs from Linux, routers, firewalls, etc.

http://www.intersectalliance.com/projects/SnareWindows/
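The reply above describes the usual pattern: keep the log local and pull entries off the box from another system. As an added example that is not part of the thread or of any product it names, the PowerShell below collects recent entries from a remote machine's local log into a central CSV and counts Security event 1102 (audit log cleared) among them, so the collector notices if the source log was wiped. It assumes the caller can read the remote host's event log over RPC (the "Remote Event Log Management" firewall rules enabled on the target) and uses a placeholder computer name and output folder.

```powershell
# Added example (not from the thread): copy recent entries from a remote host's
# local event log to a central folder rather than relocating the log file.
# Assumed: remote event log read access; 'SERVER01' and C:\CollectedLogs are placeholders.

function Copy-RemoteEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$LogName = 'Security',
        [int]$Hours = 24,
        [string]$OutputFolder = 'C:\CollectedLogs'   # placeholder path
    )

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # Filter server-side so only the last $Hours of the chosen log crosses the wire.
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent also throws when no events match; both cases are reported, not fatal.
        Write-Warning "Could not read $LogName on ${ComputerName}: $($_.Exception.Message)"
        return
    }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = Join-Path $OutputFolder "$ComputerName-$LogName-$stamp.csv"
    $events |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
        Export-Csv -Path $out -NoTypeInformation -Encoding UTF8

    # In the Security log, event 1102 records that the audit log was cleared.
    $cleared = $events | Where-Object { $_.Id -eq 1102 }

    [pscustomobject]@{
        ComputerName     = $ComputerName
        LogName          = $LogName
        EventCount       = @($events).Count
        LogClearedEvents = @($cleared).Count
        OutputFile       = $out
    }
}

Copy-RemoteEventLog -ComputerName 'SERVER01' -LogName 'Security' -Hours 24
```

Run on a schedule from the collecting host, this gives the same result the registry trick was after (a copy of the entries off the machine) without depending on the Event Log service reaching a network path at boot.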
 