Solved

Restore event viewer from system state backup

Posted on 2008-06-10
Last Modified: 2013-12-01
I need to view some auditing logs from the security section of my event viewer. The current event log was overwritten before the day I need to review. I'm wondering if I can pull the event viewer from last weekend's backup through Backup Exec 11d to view last week's events. The Saturday Full backup is set to include System State (Registry, System Files, SYSVOL, etc.).

The file I need is "C:\WINDOWS\system32\config\SecEvent.Evt"

Can I pull the event viewer out of that backup?  I don't want to restore the complete registry or system files to overwrite the current system.  I only need to view the event viewer as it was on Saturday.  If this is possible, please advise.


Thanks
Question by:KevinITadmin
5 Comments
 
LVL 3

Accepted Solution

by:
patrickfromsc earned 750 total points
ID: 21754876
If that folder was set to be backed up, then that file should be available. When you configure your restore job, specify for it to restore to an alternate location... like c:\temp. Then dig down into the catalog and locate that file. The restore should only pull that file from the media, and should restore it safely to the alternate location.

Regards,
PfSC
0
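Once `SecEvent.Evt` has been restored to an alternate location, a quick check shows whether the copy is a valid legacy event log and which time span its records cover. This is an added example, not part of the original thread: it assumes the legacy `.evt` layout Microsoft documents as `ELF_LOGFILE_HEADER` and `EVENTLOGRECORD`, the function names are hypothetical, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"                       # signature in the header and in every record
HEADER = struct.Struct("<12I")        # ELF_LOGFILE_HEADER: 48 bytes
FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}


def summarize_evt(data: bytes) -> dict:
    """Validate a legacy .evt image and report the time span it covers."""
    if len(data) < HEADER.size:
        raise ValueError("too short to hold an .evt header")
    h = HEADER.unpack_from(data)
    if h[0] != HEADER.size or data[4:8] != MAGIC or h[11] != HEADER.size:
        raise ValueError("not a legacy event log header")
    times = []
    # Carve records by signature instead of trusting the header offsets: a copy
    # taken while the log was open may be flagged DIRTY with stale offsets.
    # A record split across the wrap point of a circular log is skipped.
    idx = data.find(MAGIC, HEADER.size + 4)
    while idx != -1:
        start = idx - 4
        if start % 4 == 0 and start + 16 <= len(data):
            length, _, _, generated = struct.unpack_from("<4I", data, start)
            end = start + length
            if length >= 56 and end <= len(data) and data[end - 4:end] == data[start:idx]:
                times.append(datetime.fromtimestamp(generated, timezone.utc))
        idx = data.find(MAGIC, idx + 4)
    return {
        "flags": [name for bit, name in FLAGS.items() if h[9] & bit],
        "records": len(times),
        "first": min(times, default=None),
        "last": max(times, default=None),
    }


def build_sample() -> bytes:
    """Constructed image (not real log data): header, two records, EOF record."""
    def rec(num, when):
        ts = int(when.timestamp())
        return struct.pack("<6I4H7I", 60, 0x654C664C, num, ts, ts, 528, 8, 0, 2, 0,
                           0, 56, 0, 56, 0, 56, 60)
    body = rec(1, datetime(2008, 6, 6, 23, 50, tzinfo=timezone.utc))
    body += rec(2, datetime(2008, 6, 7, 9, 15, tzinfo=timezone.utc))
    eof = struct.pack("<10I", 40, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      48, 48 + len(body), 3, 1, 40)
    header = HEADER.pack(48, 0x654C664C, 1, 1, 48, 48 + len(body), 3, 1, 0x10000, 0x1, 0, 48)
    return header + body + eof


if __name__ == "__main__":
    print(summarize_evt(build_sample()))
```

For a real restore, pass the bytes of the restored copy (for example the file under `c:\temp`) to `summarize_evt`; timestamps are reported in UTC.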
 

Author Comment

by:KevinITadmin
ID: 21754949
Unfortunately I cannot select to restore to an alternate location. Here are my options:

1)  Overwrite file on disk
2)  Skip it, do not overwrite the file on disk
3)  Overwrite the file on disk only if it is older

I've attached a screenshot as well.
restore-options.JPG
0
 

Author Comment

by:KevinITadmin
ID: 21755091
Quick update, I did a manual restore rather than using the Wizard and I was able to use the file redirection to restore to an alternate location.  

The system state restored successfully but apparently did not back up the event log files. It lets me browse the restored files to "C:\WINDOWS\system32" but there is no "config" folder where Windows stores the logs.

I think that was my only hope.
0
 
LVL 3

Expert Comment

by:patrickfromsc
ID: 21755484
You are not explicitly backing up the "C:\WINDOWS\system32" folder?  If so, you should be able to drill down to the exact file from Saturday's job and restore it.

Secondly... are you using Volume Shadow Copies?  If so, that file will be recoverable from there quite easily.  If not, let me strongly advise you to enable this feature.  It uses spare disk space, and makes restores like this trivial.  Just right-click on your drive letters under My Computer, select Properties, and enable it from the Shadow Copies tab.  You do not need a lot of free space on the drive to do this, like you might think, as it is really making copies of the hard links, not the files themselves.
0
 

Author Comment

by:KevinITadmin
ID: 21755546
I did not specifically back up the "C:\windows\system32" directory. When I restored the "system state" from Saturday's backup, I browsed the contents of the restore and under a folder called "system files" was the Windows directory. I also searched the contents of the restored system state for (*.evt) and nothing came up. Apparently system state does not include event logs.

I've never used Volume shadow copy but I will enable it and play around with it.
0

Question has a verified solution.