Security event log doesn't save in event viewer

  • Question

  • In a WinServer2003 environment with XP workstations; weekly security event logs are saved initially to the local PCs then copied to a location on the server for archival purposes; using mmc to access all PCs on the network.

    Issue: Using Clear all events and selecting save to local hard drive works fine on all but the local machine. The log appears to save, but is nowhere to be found after clearing the event log. Again this is only on the local machine.

    I tried saving the event log to the desktop, and verified the logfile was there, then cleared the event log. Copied the desktop file to the folder on the local hard drive like all the other remote PCs, but when attempting to later copy the log files individually to the server, the file for the PC from which I did the audits is gone. Not in the recycle bin. Searched all drives on the local PC and came up empty.

    I've seen one other report of this happening, but no answers. http://www.pcreview.co.uk/forums/event-log-not-saving-local-machine-after-use-over-network-t3570351.html

    Anyone here have a lead?

    Thanks!

    Wednesday, February 1, 2012 4:18 PM

Answers

  • Hi Kevin,

    Thanks for your update.

    I suggest you save the .evt file on the local computer and copy it to the server, then clear the event log. In this order, the problem could be avoided.

    Regards,
    Bruce


     

    • Marked as answer by Bruce-Liu Tuesday, February 28, 2012 1:53 AM
    Thursday, February 9, 2012 2:24 AM
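
The order recommended in the answer above (save, copy to the server, then clear), written as a script. This is an added example, not something posted in the thread; it assumes PowerShell 2.0 is installed on the auditing machine, and the staging folder `C:\EvtArchive` and the share `\\SERVER\SecLogs` are placeholder names.

```powershell
# Added example: archive the Security log, confirm the copy, and only then clear it.
# $StagingDir and $ArchiveShare are placeholders; both folders must already exist.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$StagingDir   = 'C:\EvtArchive',      # folder on the machine that owns the log
    [string]$ArchiveShare = '\\SERVER\SecLogs'    # archive location on the server
)
$ErrorActionPreference = 'Stop'

function Get-Sha256([string]$Path) {
    # .NET hashing, because Get-FileHash does not exist in PowerShell 2.0
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($fs)) }
    finally { $fs.Close() }
}

# Timestamped name: BackupEventlog will not overwrite an existing file
$name   = '{0}-Security-{1}.evt' -f $ComputerName, (Get-Date -Format 'yyyyMMdd-HHmmss')
$staged = Join-Path $StagingDir $name

# The Security log needs SeSecurityPrivilege and the backup needs SeBackupPrivilege
$log = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $ComputerName `
                     -EnableAllPrivileges -Filter "LogfileName='Security'"

# 1. Save the .evt file on the machine that owns the log
$r = $log.BackupEventlog($staged)
if ($r.ReturnValue -ne 0) { throw "BackupEventlog failed, code $($r.ReturnValue)" }

# The staged path is local to $ComputerName; reach it through the admin share if remote
if ($ComputerName -eq $env:COMPUTERNAME) { $source = $staged }
else { $source = "\\$ComputerName\" + $staged.Replace(':', '$') }

# 2. Copy it to the server
$dest = Join-Path $ArchiveShare $name
Copy-Item -Path $source -Destination $dest

# 3. Verify the archived copy before anything is cleared
if ((Get-Sha256 $source) -ne (Get-Sha256 $dest)) {
    throw "Archived copy $dest does not match $source; log NOT cleared"
}

# 4. Clear the log only after the copy is confirmed
$r = $log.ClearEventlog()
if ($r.ReturnValue -ne 0) { throw "ClearEventlog failed, code $($r.ReturnValue)" }
"Archived $dest and cleared the Security log on $ComputerName"
```

Events written between the backup and the clear are not in the archived file, so keep the two steps close together.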

All replies

  • Hi,

     

    As far as I know, if we use the Event Viewer console to access another computer’s event log, it can be read but cannot be saved in .evt format to a network place.

     

    Currently, I suggest you create a shared folder on each Windows XP workstation. Then, use the Event Viewer console on Windows Server 2003 to connect to the Windows XP workstations, save the security log to the shared folder and copy it to the server.

     

    If the file you saved disappears again when you try to copy it, I suggest you enable auditing on it, reproduce the problem and check what happened in the security log. For more information about how to audit a file, please refer to the following article:

     

    How to audit user access of files, folders, and printers in Windows XP

    http://support.microsoft.com/kb/310399/en-us

     

    Regards,

    Bruce

    Forum Support


    Thursday, February 2, 2012 3:54 AM
  • Thanks for your reply, Bruce.

    The issue I'm having is the disappearance of the .evt file on the "local machine" only.

    No matter which machine I'm working from as the local machine, whether workstation or server, once I clear the event file and move to the next machine the .evt file disappears from the machine from where I'm physically performing the audits.

    I'm already performing the steps you suggest in your 3rd paragraph, only the final step is to copy the .evt files from the networked PCs to a folder on the server. It's at that point that I find that the file is missing from the "auditing" machine.

    Thanks,

    Kevin

    Wednesday, February 8, 2012 8:51 PM
  • Thanks Bruce,

    That's what I've had to start doing as a work-around (hate that phrase).

    Thanks again,

    Kevin

    Monday, February 27, 2012 7:50 PM