Solved

Restore event viewer from system state backup

Posted on 2008-06-10
Last Modified: 2013-12-01
I need to view some auditing logs from the security section of my event viewer. The current event log was overwritten before the day I need to review. I'm wondering if I can pull the event viewer from last weekend's backup through Backup Exec 11d to view last week's events. The Saturday Full backup is set to include System State (Registry, System Files, SYSVOL, etc.).

The file I need is "C:\WINDOWS\system32\config\SecEvent.Evt"

Can I pull the event viewer out of that backup?  I don't want to restore the complete registry or system files to overwrite the current system.  I only need to view the event viewer as it was on Saturday.  If this is possible, please advise.


Thanks
Question by:KevinITadmin
 
LVL 3

Accepted Solution

by:
patrickfromsc earned 250 total points
ID: 21754876
If that folder was set to be backed up, then that file should be available. When you configure your restore job, specify for it to restore to an alternate location... like c:\temp. Then dig down into the catalog and locate that file. The restore should only pull that file from the media, and should restore it safely to the alternate location.

Regards,
PfSC
 

Author Comment

by:KevinITadmin
ID: 21754949
Unfortunately I cannot select to restore to an alternate location. Here are my options:

1)  Overwrite file on disk
2)  Skip it, do not overwrite the file on disk
3)  Overwrite the file on disk only if it is older

I've attached a screenshot as well.
restore-options.JPG
 

Author Comment

by:KevinITadmin
ID: 21755091
Quick update, I did a manual restore rather than using the Wizard and I was able to use the file redirection to restore to an alternate location.  

The system state restored successfully but apparently did not back up the event log files. It lets me browse the restored files to "C:\WINDOWS\system32" but there is no "config" folder where Windows stores the logs.

I think that was my only hope.
 
LVL 3

Expert Comment

by:patrickfromsc
ID: 21755484
You are not explicitly backing up the "C:\WINDOWS\system32" folder? If so, you should be able to drill down to the exact file from Saturday's job and restore it.

Secondly... are you using Volume Shadow Copies? If so, that file will be recoverable from there quite easily. If not, let me strongly advise you to enable this feature. It uses spare disk space, and makes restores like this trivial. Just right-click on your drive letters under My Computer, select Properties, and enable it from the Shadow Copies tab. You do not need a lot of free space on the drive to do this, like you might think, as it is really making copies of the hard links, not the files themselves.
 

Author Comment

by:KevinITadmin
ID: 21755546
I did not specifically back up the "C:\windows\system32" directory. When I restored the "system state" from Saturday's backup, I browsed the contents of the restore and under a folder called "system files" was the Windows directory. I also searched the contents of the restored system state for (*.evt) and nothing came up. Apparently system state does not include event logs.

I've never used Volume shadow copy but I will enable it and play around with it.
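
The thread ends with the author finding no .evt files in the restored System State. One way to keep a restorable copy of the Security log going forward, as an added example that is not from any poster in this thread: a scheduled script that archives the log into a folder the regular file backup covers. It assumes Windows PowerShell 2.0 or later and an elevated session; `$ArchiveDir` and `$KeepDays` are hypothetical values.

```powershell
# Added example: archive the Security event log to a folder that the normal
# file backup job includes, so audit data survives the live log being overwritten.
# $ArchiveDir and $KeepDays are hypothetical defaults; adjust to your backup selection.
param(
    [string]$ArchiveDir = 'D:\EventLogArchive',
    [int]$KeepDays = 90
)

if (-not (Test-Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

# -EnableAllPrivileges turns on the Security and Backup privileges that WMI
# needs before it will touch the Security log. Run from an elevated prompt.
$log = Get-WmiObject -Class Win32_NTEventlogFile -EnableAllPrivileges `
                     -Filter "LogfileName='Security'"
if (-not $log) { throw 'Security log not found through WMI.' }

# Show how close the live log is to wrapping and what happens when it fills.
'{0}: {1:N0} of {2:N0} bytes used, overwrite policy: {3}' -f `
    $log.Name, $log.FileSize, $log.MaxFileSize, $log.OverWritePolicy

# Windows Vista / Server 2008 and later write archives in the newer log format,
# so name the file .evtx there; older systems (as in this thread) use .evt.
$ext = if ([Environment]::OSVersion.Version.Major -ge 6) { 'evtx' } else { 'evt' }

# A timestamped name avoids the "file already exists" failure of BackupEventlog.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $ArchiveDir ("Security-$env:COMPUTERNAME-$stamp.$ext")

$result = $log.BackupEventlog($dest)
if ($result.ReturnValue -ne 0) {
    throw "BackupEventlog failed with return value $($result.ReturnValue)"
}
"Archived Security log to $dest"

# Prune archives older than the retention window so the folder stays bounded.
Get-ChildItem -Path $ArchiveDir -Filter 'Security-*' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item
```

An archived file can be opened in Event Viewer on a machine of the same or a newer Windows generation without touching the live log.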