KevinITadmin

asked on

Restore event viewer from system state backup

I need to view some auditing logs from the security section of my event viewer.  The current event log was overwritten before the day I need to review.  I'm wondering if I can pull the event viewer from last weekend's backup through Backup Exec11d to view last weeks events.  The Saturday Full backup is set to include System State (Registry, System Files, SYSVOL, etc).  

The file I need is "C:\WINDOWS\system32\config\SecEvent.Evt"

Can I pull the event viewer out of that backup?  I don't want to restore the complete registry or system files to overwrite the current system.  I only need to view the event viewer as it was on Saturday.  If this is possible, please advise.


Thanks
ASKER CERTIFIED SOLUTION
patrickfromsc
KevinITadmin

ASKER

Unfortunately I cannot select to restore to an alternate location. Here are my options:

1)  Overwrite file on disk
2)  Skip it, do not overwrite the file on disk
3)  Overwrite the file on disk only if it is older

I've attached a screenshot as well.
restore-options.JPG
Quick update, I did a manual restore rather than using the Wizard and I was able to use the file redirection to restore to an alternate location.  

The system state restored successfully but apparently did not back up the event log files.  It lets me browse the restored files to "C:\WINDOWS\system32" but there is no "config" folder where Windows stores the logs.

I think that was my only hope.
You are not explicitly backing up the "C:\WINDOWS\system32" folder?  If so, you should be able to drill down to the exact file from Saturday's job and restore it.

Secondly... are you using Volume Shadow Copies?  If so, that file will be recoverable from there quite easily.  If not, let me strongly advise you to enable this feature.  It uses spare disk space, and makes restores like this trivial.  Just right-click on your drive letters under My Computer, select Properties, and enable it from the Shadow Copies tab.  You do not need a lot of free space on the drive to do this, like you might think, as it is really making copies of the hard links, not the files themselves.
I did not specifically back up the "C:\windows\system32" directory.  When I restored the "system state" from Saturday's backup, I browsed the contents of the restore and under a folder called "system files" was the Windows directory.   I also searched the contents of the restored system state for (*.evt) and nothing came up.  Apparently system state does not include event logs.

I've never used Volume shadow copy but I will enable it and play around with it.
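Added example, not part of the thread: a PowerShell script for reviewing a SecEvent.Evt copy that was restored to an alternate location, which is what the asker set out to do, without touching the live Security log. It assumes a placeholder restore path, a constructed date window, and a Vista/Server 2008 or later host where Get-WinEvent can open legacy .evt files (the cmdlet does not exist on the 2003-era system described above).

```powershell
# Added example (not from the thread): read a SecEvent.Evt that was restored
# to an alternate location and summarise the security events for one day.
# Assumptions: $RestoredLog is a placeholder path to the restored file; the
# date window is constructed; the host is Vista/Server 2008 or later so that
# Get-WinEvent is available. Run from an elevated prompt.
param(
    [string]$RestoredLog = 'D:\Restore\SecEvent.Evt',     # placeholder path
    [datetime]$From = (Get-Date '2024-01-06 00:00'),     # constructed window
    [datetime]$To   = (Get-Date '2024-01-07 00:00')
)

if (-not (Test-Path -LiteralPath $RestoredLog)) {
    # System state alone does not carry *.evt files; the file must come from a
    # file-level backup of %SystemRoot%\system32\config or a shadow copy.
    throw "Restored log not found: $RestoredLog"
}

# -Oldest is mandatory when Get-WinEvent reads an .evt/.etl file from disk.
$events = @(Get-WinEvent -Path $RestoredLog -Oldest -ErrorAction Stop |
    Where-Object { $_.TimeCreated -ge $From -and $_.TimeCreated -lt $To })

"{0} Security events between {1} and {2}" -f $events.Count, $From, $To

# Group by event ID so the audit categories present in the window stand out
# (e.g. logon/logoff, object access, policy change).
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventId'; e={ $_.Name }}, Count | Format-Table -AutoSize

# Cross-check against the live log: if its oldest retained event is newer than
# $From, that window really was overwritten and the restored copy is the only
# remaining source for it.
$liveOldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
if ($liveOldest -and $liveOldest.TimeCreated -gt $From) {
    "Live Security log now starts at $($liveOldest.TimeCreated); earlier events exist only in the restored copy."
}

# Prevention, so the next review does not depend on a backup: raise the size
# ceiling of the live Security log. The size below is a constructed value;
# choose one that covers your audit review cycle. (Windows PowerShell cmdlet.)
# Limit-EventLog -LogName Security -MaximumSize 256MB -OverflowAction OverwriteOlder
```

Pair this with a file-level backup selection that includes %SystemRoot%\system32\config, since the thread shows that a system state set by itself will not return the .evt files.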