Event Viewer Logs Location Windows Server 2016

Are you a Windows Server 2016 administrator looking to optimize your system monitoring and troubleshooting? Look no further! This article delves into the world of Event Viewer logs, revealing their significance in maintaining a stable and secure server environment.


By Zelia / Updated on October 30, 2024


What are Event Viewer logs in Windows Server 2016?

Windows Event Viewer logs are an important tool that displays a comprehensive record of system events and activities.

These logs usually are categorized into distinct types, such as Application, Security, System, Setup, and forwarded events, each offering insights into specific aspects of server performance. Events within these logs are classified based on severity levels and categories, providing a detailed account of the server's operational state.


What is the use of Event Viewer Logs?

Event Viewer logs play a crucial role in system monitoring and troubleshooting in Windows environments. Here's a breakdown of why they matter in these areas:

  • Identifying Issues: Windows Event logs help identify potential issues, errors, and warnings within the system. They provide insights into system crashes, application failures, security breaches, and other events that may impact the server's performance.
  • Real-time Monitoring: By watching the logs as events are written, administrators can respond promptly to critical situations and take the necessary actions to mitigate potential problems.
  • Historical Analysis: Event Viewer logs maintain a historical record of system events, enabling administrators to analyze past occurrences and identify patterns. This analysis aids in diagnosing recurring issues and implementing proactive measures to prevent future problems.
  • Security Monitoring: Event Viewer logs offer valuable insights into security-related events such as logon attempts, account management, privilege changes, and suspicious activities. These logs help you detect and respond to security breaches promptly.

The Event Viewer logs location in Windows Server 2016 and how to check

By default, you can find the Event Viewer log files in the path: %SystemRoot%\System32\winevt\Logs

If you want to check the event logs, you can follow the steps below.

Step 1. Press the Windows key and R simultaneously to open the Run box.

Step 2. Type "eventvwr" in the Run dialog box and click OK.

Step 3. Expand the Windows logs menu under the Event Viewer.

Step 4. Then click on an event log to view.


How to move Event Viewer log files to another location

Moving Event Viewer log files to another location in Windows Server 2016 involves configuring the log file storage path through Event Viewer settings. Follow these step-by-step instructions:

Method 1. Create an event log folder in another location

1. Begin by establishing a new folder, for instance, at the location C:\EventLogs. Right-click on the created folder and access its Properties.

2. Navigate to the Security tab and opt for the Advanced option to access special permissions or advanced settings.

Note: The folder inherently enables "inheritance" by default.

3. Choose Change to set the Owner as SYSTEM, and then proceed to Disable Inheritance by following these steps:


4. Upon doing so, a prompt will appear, allowing you to convert or remove inherited permissions. Select the option to Convert inherited permissions into explicit permissions on this object, resulting in the explicit establishment of the same permissions on the folder.

Note: If you wish to create subfolders for the logs, mark the Replace all child object permission entries with inheritable permission entries from this object option. This ensures that permissions set at the parent level are uniformly applied to all subfolders and files.

5. Adjust the permissions to align with the correct settings for the folder, and carefully inspect the Applies to column. The permissions should mirror the advanced permissions of the default folder (%SystemRoot%\System32\winevt\Logs), where the Event Viewer logs are stored. It is crucial to ensure that Authenticated Users possess only Read permission for This folder and subfolders.


Note: To include the Event Log user, proceed to the Security tab within the properties dialog box, and adhere to these steps:
● Select Edit > Add.
● Select Locations, select the local computer name, and then confirm with OK.
● Type NT SERVICE\EventLog in the Enter the object names to select box and select Check Names. Verify that the name resolves to Event Log, and then finalize by selecting OK.

Ensure Full Control is activated under Permissions for Event Log for the Event Log user.

Method 2. Move Event Viewer log files to another location

1. Open the Event Viewer. In the left pane under Windows Logs, right-click on the desired log name (e.g., System) and choose Properties.

2. Adjust the Log path value to match the location of the designated folder, keeping the log file name appended at the path's end (e.g., C:\EventLogs\System.evtx).


3. Select Clear Log, then proceed to Save and Clear to store the event log files in an alternative location. Select Apply > OK.

Note: Verify the presence of event logs in the relocated folder. If they are not found, restart the system to ensure proper relocation.

Method 3. Move Event Viewer log files by using PowerShell

You can also use PowerShell for this task. The script below moves the Security event log to the directory C:\Logs; run it in an elevated PowerShell session.

$originalFolder = "$env:SystemRoot\system32\winevt\Logs"
$targetFolder = "C:\Logs"
$logName = "Security"

# Create the target folder if it does not exist yet, then copy the ACL of the default
# log folder (including its audit entries) onto it so the Event Log service keeps the same rights.
New-Item -Path $targetFolder -ItemType Directory -Force | Out-Null
$originalAcl = Get-Acl -Path $originalFolder -Audit -AllCentralAccessPolicies
Set-Acl -Path $targetFolder -AclObject $originalAcl -ClearCentralAccessPolicy

# Make SYSTEM the owner. SetOwner only changes the in-memory object, so write it back with Set-Acl.
$targetAcl = Get-Acl -Path $targetFolder -Audit -AllCentralAccessPolicies
$targetAcl.SetOwner([System.Security.Principal.NTAccount]::new("SYSTEM"))
Set-Acl -Path $targetFolder -AclObject $targetAcl

# Point the log at the new folder. -Force lets the script be re-run when the values already exist.
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$logName"
New-ItemProperty -Path $regKey -Name "AutoBackupLogFiles" -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $regKey -Name "Flags" -Value 1 -PropertyType DWord -Force | Out-Null
Set-ItemProperty -Path $regKey -Name "File" -Value "$targetFolder\$logName.evtx"
# The new path is used once the Event Log service restarts, i.e. after the server is rebooted.
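Whichever method you used, the relocated folder should end up with the same protections as the default one and the service should actually be writing there. The following verification script is an added example, not part of this article or of Microsoft's tooling; it assumes the folder C:\EventLogs and the System log from the examples above, and the service account NT SERVICE\EventLog named in Method 1.

```powershell
# Added verification script; not part of the article or of Microsoft's tooling.
# Assumptions (from the article's examples): the log was moved to C:\EventLogs and
# the Event Log service account is NT SERVICE\EventLog. Run in an elevated shell.
param(
    [string]$LogName      = "System",
    [string]$TargetFolder = "C:\EventLogs"
)
$regKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
$rights   = [System.Security.AccessControl.FileSystemRights]
$problems = @()
$acl      = Get-Acl -Path $TargetFolder
# 1. Owner must be SYSTEM (Method 1, step 3).
if ($acl.Owner -ne "NT AUTHORITY\SYSTEM") {
    $problems += "owner is '$($acl.Owner)', expected NT AUTHORITY\SYSTEM"
}
# 2. Authenticated Users may only read (Method 1, step 5): flag any Allow entry
#    carrying write, delete, permission-change or take-ownership rights.
$writeMask = [int]$rights::Write -bor [int]$rights::Delete -bor
             [int]$rights::ChangePermissions -bor [int]$rights::TakeOwnership
$svcRights = 0
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne "Allow") { continue }
    $who = $ace.IdentityReference.Value
    if ($who -eq "NT AUTHORITY\Authenticated Users" -and
        (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
        $problems += "Authenticated Users hold write-type rights: $($ace.FileSystemRights)"
    }
    # Accumulate the service account's rights across all of its entries.
    if ($who -eq "NT SERVICE\EventLog") { $svcRights = $svcRights -bor [int]$ace.FileSystemRights }
}
# 3. The Event Log service needs Full Control (Method 1 note).
$full = [int]$rights::FullControl
if (($svcRights -band $full) -ne $full) { $problems += "NT SERVICE\EventLog lacks Full Control" }
# 4. The registry File value (Methods 2 and 3) and the path the service is actually
#    using must both be inside the target folder; a mismatch means a restart is pending.
$regFile  = "$((Get-ItemProperty -Path $regKey -Name File -ErrorAction SilentlyContinue).File)"
$livePath = "$((Get-WinEvent -ListLog $LogName).LogFilePath)"
foreach ($p in @($regFile, $livePath)) {
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not $p.StartsWith($TargetFolder, "OrdinalIgnoreCase")) {
        $problems += "log path '$p' is outside $TargetFolder"
    }
}
if (-not (Test-Path (Join-Path $TargetFolder "$LogName.evtx"))) {
    $problems += "$LogName.evtx not found in $TargetFolder (restart may be pending)"
}
if ($problems.Count -eq 0) { "OK: $LogName is served from $livePath" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Inherit-only entries on a folder can show numeric generic-rights values instead of names; they are included in the checks as-is.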

Professional and reliable software for your Windows Server security

Enhancing the security of your Windows Server 2016 goes beyond managing the Event Viewer logs location. In the realm of Windows Server security, AOMEI Cyber Backup emerges as a professional and reliable backup solution. Offering a comprehensive suite of features, AOMEI Cyber Backup ensures the integrity and confidentiality of your Windows Server environment.

From real-time threat detection to secure data encryption, this software is designed to fortify your server against evolving cyber threats. As organizations navigate the complexities of data security, AOMEI Cyber Backup stands out as a robust choice for safeguarding Windows Server 2016.

✧Perpetual Free: No time limit for AOMEI Cyber Backup Free Edition.
✧Easy-to-use: With the user-friendly interface, connect, create task, and protect will be completed with a few clicks.
✧Space Optimization: By selecting exactly which areas you need to back up, you can conserve your storage space even more.
✧Instant Recovery: In event of a catastrophic failure, this software enables instant recovery to protect your hard disk against data loss.

You can click the following button to download the freeware to enjoy these benefits:


* Both the free and the paid version of AOMEI Cyber Backup support Windows Server 2016/2019/2022 and Windows 11/10/8/7.

Steps to use AOMEI Cyber Backup to secure Windows Server

Step 1. Prerequisite for backup: Please download and install the latest version of AOMEI Cyber Backup Agent to your computer.


Step 2. Bind Device: Navigate to Source Device >> Windows. If your device is not listed, click + Add Windows Device to add it.


Step 3. Create Backup Task: Click Backup Task >> + Create New Task >> Partition Backup. Then specify the backup details, such as: Task Name, Device Name, Backup Content, Target, and Schedule as you need.


Step 4. Start Backup: You can select Add the schedule and start backup now, or Add the schedule only.


Step 5. Start Restore: From the created backup tasks, locate the backup task you want to restore and click >> Restore. Choose Restore to original location to restore the data directly from the backup to where it came from.


Conclusion

This post explains where the Event Viewer logs are located in Windows Server 2016 and how to move them. We hope this article helps you manage your system and the activities on your server. In addition, it is important to back up your event logs: AOMEI Cyber Backup is a professional backup solution that helps you easily back up your critical files and system.

Zelia · Editor
Zelia is an editor from AOMEI Technology. She mainly writes articles about virtual machines. Writing is one of her hobbies and she wants her articles to be seen by more people. In her spare time, she likes to draw and listen to music, and it is a pleasure for her to focus on her own world.