Solved

Restore event viewer from system state backup

Posted on 2008-06-10
Last Modified: 2013-12-01
I need to view some auditing logs from the security section of my event viewer.  The current event log was overwritten before the day I need to review.  I'm wondering if I can pull the event viewer from last weekend's backup through Backup Exec 11d to view last week's events.  The Saturday Full backup is set to include System State (Registry, System Files, SYSVOL, etc).

The file I need is "C:\WINDOWS\system32\config\SecEvent.Evt"

Can I pull the event viewer out of that backup?  I don't want to restore the complete registry or system files to overwrite the current system.  I only need to view the event viewer as it was on Saturday.  If this is possible, please advise.


Thanks
Question by:KevinITadmin
LVL 3

Accepted Solution

by:
patrickfromsc earned 750 total points
ID: 21754876
If that folder was set to be backed up, then that file should be available.  When you configure your restore job, specify for it to restore to an alternate location... like c:\temp.  Then dig down into the catalog and locate that file.  The restore should only pull that file from the media, and should restore it safely to the alternate location.

Regards,
PfSC
0
 

Author Comment

by:KevinITadmin
ID: 21754949
Unfortunately I cannot select to restore to an alternate location.  Here are my options:

1)  Overwrite file on disk
2)  Skip it, do not overwrite the file on disk
3)  Overwrite the file on disk only if it is older

I've attached a screenshot as well.
restore-options.JPG
0
 

Author Comment

by:KevinITadmin
ID: 21755091
Quick update, I did a manual restore rather than using the Wizard and I was able to use the file redirection to restore to an alternate location.  

The system state restored successfully but apparently did not back up the event log files.  It lets me browse the restored files to "C:\WINDOWS\system32" but there is no "config" folder where Windows stores the logs.

I think that was my only hope.
0
 
LVL 3

Expert Comment

by:patrickfromsc
ID: 21755484
You are not explicitly backing up the "C:\WINDOWS\system32" folder?  If so, you should be able to drill down to the exact file from Saturday's job and restore it.

Secondly... are you using Volume Shadow Copies?  If so, that file will be recoverable from there quite easily.  If not, let me strongly advise you to enable this feature.  It uses spare disk space, and makes restores like this trivial.  Just right-click on your drive letters under My Computer, select Properties, and enable it from the Shadow Copies tab.  You do not need a lot of free space on the drive to do this, like you might think, as it is really making copies of the hard links, not the files themselves.
0
 

Author Comment

by:KevinITadmin
ID: 21755546
I did not specifically back up the "C:\windows\system32" directory.  When I restored the "system state" from Saturday's backup, I browsed the contents of the restore and under a folder called "system files" was the Windows directory.  I also searched the contents of the restored system state for (*.evt) and nothing came up.  Apparently system state does not include event logs.

I've never used Volume shadow copy but I will enable it and play around with it.
0
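An added example, not part of the original thread: when searching a redirected restore for legacy event logs such as SecEvent.Evt, matching on the file header catches copies that a backup tool stored under another name, and the header also shows the log's size cap, retention and whether it has wrapped. The field order follows Microsoft's documented ELF_LOGFILE_HEADER; the function names and the sample tree are constructed for this illustration.

```python
import os
import struct
import tempfile

EVT_SIGNATURE = 0x654C664C      # "LfLe" read as a little-endian DWORD
HEADER = struct.Struct("<12I")  # ELF_LOGFILE_HEADER: twelve DWORDs, 48 bytes
FLAG_WRAP = 0x2                 # ELF_LOGFILE_HEADER_WRAP: log has wrapped

def read_evt_header(path):
    """Return header fields if path is a legacy .evt log, else None."""
    with open(path, "rb") as fh:
        raw = fh.read(HEADER.size)
    if len(raw) < HEADER.size:
        return None
    (hsize, sig, _maj, _min, _start, _end, current, oldest,
     max_size, flags, retention, end_hsize) = HEADER.unpack(raw)
    if hsize != 0x30 or sig != EVT_SIGNATURE or end_hsize != 0x30:
        return None
    return {"oldest_record": oldest, "next_record": current,
            "max_size": max_size, "retention_seconds": retention,
            "wrapped": bool(flags & FLAG_WRAP)}

def find_evt_logs(root):
    """Walk a restored tree; match on the header, not the file name."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                info = read_evt_header(path)
            except OSError:  # unreadable file in the restore: skip it
                continue
            if info:
                found[os.path.relpath(path, root)] = info
    return found

def build_sample_tree():
    """Constructed sample: one fake log header and one unrelated file."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "restore", "renamed")
    os.makedirs(cfg)
    hdr = HEADER.pack(0x30, EVT_SIGNATURE, 1, 1, 0x30, 0x30, 501, 120,
                      0x80000, FLAG_WRAP, 604800, 0x30)
    for name, data in (("SecEvent.bak", hdr), ("notes.txt", b"not a log")):
        with open(os.path.join(cfg, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(find_evt_logs(build_sample_tree()))
```

Point `find_evt_logs` at the alternate restore location (for example the c:\temp target mentioned above) rather than the live system32\config folder.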

Question has a verified solution.