Tech Tips: How to Move Your Event Logs in Windows Server 2003

Windows Server 2003 stores event logs by default on the system drive at C:\WINDOWS\system32\config\EventLogs\filename.EVT. Sometimes it is necessary to move these files to another location. This isn't a hard process, but it does require editing the registry, so it can be tricky and needs to be done with care.

The first step is to decide on a new location for the event logs. You can put these anywhere you want, just make sure you note the location. In my example I will move them to my secondary hard drive, D:, where I have created a folder just for the logs called EventLogs. Once you have decided on a location you will want to copy all the existing event logs over so that you don't lose any of them. To do this go to the directory C:\WINDOWS\system32\config\EventLogs; in here you should find all your log files. The three we are most concerned with are System, Security, and Application. You might have other log files stored here that you want to move; if so, follow the same steps as you do for the other three.

Now copy all of the log files you wish to move to your new directory. My log files are now in my D:\EventLogs folder.

Now go to Start > Run, type REGEDIT in the window that opens and press Enter. Once inside the registry editor, expand down to the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

Next click the subkey that represents the log file you want to move. I am going to move the Application log file first, so, you guessed it, I click on the folder named Application. When you click on the subkey the pane on the right changes to show the values inside it; double-click the one labeled File. This opens the property page of the File value. Change it to the new location of your log file, so I put D:\EventLogs\AppEvent.Evt; the file name AppEvent.Evt is required here, not just the folder. Edit the remaining log file keys with your new directory. The three main log file registry keys and their edits should be the following.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
    File = D:\Folder_Name\AppEvent.Evt (D: is the drive letter where you put the new folder)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
    File = D:\Folder_Name\SysEvent.Evt (D: is the drive letter where you put the new folder)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
    File = D:\Folder_Name\SecEvent.Evt (D: is the drive letter where you put the new folder)

Once you are done making these edits, close the registry editor and reboot your system. When it comes back up, test the event logs to be sure they are still working. You can check them by right-clicking "My Computer" and choosing Manage. Click on Event Viewer and make sure each log shows an event that happened recently; just rebooting your system will put a new event in most logs. If it seems to be working, you can go to C:\WINDOWS\system32\config\EventLogs and delete all of the log files you moved. Now your system will store the log files in the new location. Hope this was helpful.
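The same procedure (copy the .evt files, repoint each File value, reboot, verify) can be scripted instead of clicked through. The script below is an added example and is not from the original post; it assumes Windows PowerShell 2.0 is installed on the Server 2003 box, that D:\EventLogs is the destination, that the session runs as an administrator, and that only the three default logs are moved. It also prints the ACL of the new folder, since a folder created on a data drive inherits that drive's permissions rather than the locked-down ones of system32\config.

```powershell
# Added example (not from the original post): relocate the Server 2003
# event log files from PowerShell 2.0 instead of regedit.
# Assumptions: D:\EventLogs is the destination, the session is elevated,
# and only Application/System/Security are moved.
# Usage:  .\Move-EventLogs.ps1            before the reboot (copy + registry edit)
#         .\Move-EventLogs.ps1 -Verify    after the reboot (confirm logs are live)
param([switch]$Verify)

$NewDir      = 'D:\EventLogs'   # assumed destination folder
$EventlogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'

# Log subkey name -> default .evt file name
$Logs = @{
    'Application' = 'AppEvent.Evt'
    'System'      = 'SysEvent.Evt'
    'Security'    = 'SecEvent.Evt'
}

if ($Verify) {
    # After the reboot: each File value should point under $NewDir and the
    # log should contain a recent event (the reboot itself writes several).
    foreach ($log in $Logs.Keys) {
        $file   = (Get-ItemProperty -Path "$EventlogKey\$log" -Name File).File
        $newest = Get-EventLog -LogName $log -Newest 1
        $ok     = $file.StartsWith($NewDir, 'OrdinalIgnoreCase') -and
                  $newest.TimeGenerated -gt (Get-Date).AddHours(-1)
        "{0,-12} {1}  newest={2}  {3}" -f $log, $file, $newest.TimeGenerated,
            $(if ($ok) { 'OK' } else { 'CHECK' })
    }
    return
}

# Before the reboot.
if (-not (Test-Path $NewDir)) {
    New-Item -Path $NewDir -ItemType Directory | Out-Null
}

foreach ($log in $Logs.Keys) {
    $subkey  = "$EventlogKey\$log"
    # Read the current path from the File value (REG_EXPAND_SZ) rather than
    # assuming the default, then expand %SystemRoot% so Copy-Item can use it.
    $current = (Get-ItemProperty -Path $subkey -Name File).File
    $current = [Environment]::ExpandEnvironmentVariables($current)
    $target  = Join-Path $NewDir $Logs[$log]

    # Copy first so nothing already recorded is lost.
    Copy-Item -Path $current -Destination $target -Force -ErrorAction Stop

    # Repoint the File value, keeping its REG_EXPAND_SZ type.
    Set-ItemProperty -Path $subkey -Name File -Value $target -Type ExpandString
    "$log : $current -> $target"
}

# The system32\config folder is locked down by default; a new folder on D:
# inherits the drive root's ACL, which is usually looser. Review it now and
# tighten it before relying on the moved Security log.
Get-Acl -Path $NewDir | Format-List Path, Owner, AccessToString

"Reboot, then run this script again with -Verify."
```

The original .evt files in system32\config are left in place on purpose; delete them only after the -Verify pass reports OK for every log, exactly as the manual steps above do.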