Old "modified" dates on Event viewer files

Greetings,

Our network is based on Windows 2000 Domain, and our Active Directory Domain
Controller runs on Windows 2000 Standard Server with SP3.

When we look at our Security Event Viewer on the Domain Controller, it is
working fine and capturing all the security events.
However, the Security Event Viewer file
(\winnt\system32\config\secevent.evt) has a very old "modified" date, and yet
the file is continually updated with new entries.
Why is that?

We also see the same problem with Application, Directory Services, DNS
Server, and File Replication Service Event Viewer files. Their files have
old "modified" dates.
Since those files are continuously updated, shouldn't they have the current
"modified" dates?

Only the System Event Viewer file (sysevent.evt) shows the current
"modified" date.

Could someone please shed some light on this?

Thank you.
 
This is normal. Sometimes the file modified dates don't get updated
until the files get closed. For files that are constantly in use, such
as the eventlogs and many other log files, the files don't get closed,
and therefore, the displayed modified date doesn't change.
If you were to restart the eventlog service, you'd notice the dates on
those files change. Same goes for logs belonging to other services.

Regards,
Rick
 
Hi Rick,

Thank you very much for the information. It surely helps a lot.

May I please ask another question?
Is restarting the services (that relate to Event Viewer files) the only way
to close and re-open those files, so the files get current "modified" date?
Is there any other way to close and reopen those files?

The reason I ask this is because we have a backup system that only does
incremental backup (sounds strange, huh? but it is true). Files that do not
get modified (that is, whose "modified" date does not change) would not get
backed up. The backup system only backs up files that have been changed and
have new "modified" dates.

Again, thank you very much for any information you could give.

Sincerely,
Ibnu
 
You can't actually stop the event log services. They're critical ones that
other services depend on. The only way you can restart the event log is to
reboot the server...

However, there's another solution to your problem... scripting a backup of
the event logs to files, so that your backup app can pick up these flat,
closed files.

Here's the script that will do this:

' Back up every event log to a flat .evt file the backup app can pick up, then
' clear the live log. (Backup, Security) requests the privileges the Security log needs.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup,Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")
For Each objLogFile In colLogFiles
    ' BackupEventLog returns 0 on success; on any other code the copy was not
    ' written, so the live log is left alone rather than cleared.
    intResult = objLogFile.BackupEventLog _
        ("c:\scripts\" & objLogFile.LogFileName & ".evt")
    If intResult = 0 Then
        objLogFile.ClearEventLog()
    Else
        WScript.Echo "Backup of " & objLogFile.LogFileName & " failed, return code " & intResult
    End If
Next

This was written by the MS Scripting Guys:
--
http://www.microsoft.com/resources/documentation/windows/2000/server/scriptguide/en-us/default.mspx

Hope this helps you.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
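The same WMI method in PowerShell, as an added example that is not part of the thread or of the Scripting Guys' script. It assumes a Windows version that ships PowerShell (Windows 2000 does not) and a destination folder of C:\LogBackup; it exports each log with Win32_NTEventLogFile.BackupEventLog, checks the return value, and deliberately leaves the live logs (and the Security log's audit trail) intact instead of clearing them:

```powershell
# Added example, not the thread's own code. Destination folder is an assumption.
$dest = 'C:\LogBackup'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# -EnableAllPrivileges lets this session hold the Backup privilege that
# reading the Security log requires.
$logs = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges

foreach ($log in $logs) {
    # Timestamped name so each run produces a new, closed file for the
    # incremental backup to pick up.
    $target = Join-Path $dest ("{0}-{1}.evt" -f $log.LogFileName, $stamp)
    $rc = ($log.BackupEventLog($target)).ReturnValue
    if ($rc -eq 0) {
        Write-Output ("Backed up {0} to {1}" -f $log.LogFileName, $target)
    } else {
        # Non-zero means nothing usable was written; report it and move on.
        Write-Warning ("BackupEventLog failed for {0}: return code {1}" -f $log.LogFileName, $rc)
    }
}
```

Run it from an elevated prompt on a schedule; the exported copies carry fresh "modified" dates, so the incremental backup described above captures them without anyone touching the live log files.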
 
Paul,

Thank you very much for the information.
It is helpful, and I will give it a try.

Thank you again.
Ibnu
 