Solved

Restore event viewer from system state backup

Posted on 2008-06-10
Last Modified: 2013-12-01
I need to view some auditing logs from the security section of my event viewer. The current event log was overwritten before the day I need to review. I'm wondering if I can pull the event viewer from last weekend's backup through Backup Exec 11d to view last week's events. The Saturday Full backup is set to include System State (Registry, System Files, SYSVOL, etc).

The file I need is "C:\WINDOWS\system32\config\SecEvent.Evt"

Can I pull the event viewer out of that backup?  I don't want to restore the complete registry or system files to overwrite the current system.  I only need to view the event viewer as it was on Saturday.  If this is possible, please advise.


Thanks
Question by:KevinITadmin
5 Comments
 
LVL 3

Accepted Solution

by:
patrickfromsc earned 250 total points
ID: 21754876
If that folder was set to be backed up, then that file should be available. When you configure your restore job, specify for it to restore to an alternate location... like c:\temp. Then dig down into the catalog and locate that file. The restore should only pull that file from the media, and should restore it safely to the alternate location.

Regards,
PfSC
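For checking a SecEvent.Evt copy once it has been restored to an alternate location, here is an added example (not code from this thread or from Backup Exec) that reads the documented legacy .evt header and record layout and reports the header flags and the time span the records actually cover. The DIRTY flag marks a log that was written to but not properly closed, so the header's record numbers cannot be trusted and the records are carved directly instead. The sample file, the dates in it, and the function names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone
SIG = b"LfLe"  # ELF_LOG_SIGNATURE (0x654c664c stored little-endian)
FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}

def parse_header(data):
    """Decode the 48-byte ELF_LOGFILE_HEADER at the start of a legacy .evt file."""
    if len(data) < 48 or data[:8] != struct.pack("<I", 0x30) + SIG:
        raise ValueError("not a legacy .evt file")
    f = struct.unpack_from("<12I", data, 0)
    return {"next_record": f[6], "oldest_record": f[7],
            "flags": [name for bit, name in FLAGS.items() if f[9] & bit]}

def carve_records(data):
    """Yield (record number, TimeGenerated) for every intact EVENTLOGRECORD."""
    pos = data.find(SIG, 48)
    while pos != -1:
        start = pos - 4
        (length,) = struct.unpack_from("<I", data, start)
        end = start + length
        # A record begins and ends with its own length; skip split or partial ones.
        if length >= 56 and end <= len(data) and data[end - 4:end] == data[start:pos]:
            number, generated = struct.unpack_from("<II", data, pos + 4)
            yield number, datetime.fromtimestamp(generated, timezone.utc)
        pos = data.find(SIG, pos + 4)

def summarize(data):
    """Header state plus the time span the carved records actually cover."""
    times = [t for _, t in carve_records(data)]
    return dict(parse_header(data), records=len(times),
                first=min(times, default=None), last=max(times, default=None))

def make_record(number, when):
    """Constructed sample record: fixed fields only, no strings or SID."""
    ts = int(when.timestamp())
    body = struct.pack("<4s4I4H6I", SIG, number, ts, ts, 528, 8, 0, 2, 0,
                       0, 56, 0, 56, 0, 56)
    size = struct.pack("<I", len(body) + 8)
    return size + body + size

def sample_evt():
    """Constructed file: header left DIRTY, as when a log is copied while open."""
    recs = b"".join(make_record(n, datetime(2008, 6, 7, 9 + n, tzinfo=timezone.utc))
                    for n in (1, 2))
    return struct.pack("<12I", 0x30, 0x654C664C, 1, 1, 48, 48 + len(recs),
                       3, 1, 0x80000, 0x1, 604800, 0x30) + recs

if __name__ == "__main__":
    print(summarize(sample_evt()))
```

On a real restore, pass the bytes of the restored copy to `summarize` and compare `first` and `last` with the day under review before spending time on getting Event Viewer to open the file.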
 

Author Comment

by:KevinITadmin
ID: 21754949
Unfortunately I cannot select to restore to an alternate location. Here are my options:

1)  Overwrite file on disk
2)  Skip it, do not overwrite the file on disk
3)  Overwrite the file on disk only if it is older

I've attached a screenshot as well.
restore-options.JPG
 

Author Comment

by:KevinITadmin
ID: 21755091
Quick update, I did a manual restore rather than using the Wizard and I was able to use the file redirection to restore to an alternate location.  

The system state restored successfully but apparently did not back up the event log files. It lets me browse the restored files to "C:\WINDOWS\system32" but there is no "config" folder where Windows stores the logs.

I think that was my only hope.
 
LVL 3

Expert Comment

by:patrickfromsc
ID: 21755484
You are not explicitly backing up the "C:\WINDOWS\system32" folder? If so, you should be able to drill down to the exact file from Saturday's job and restore it.

Secondly... are you using Volume Shadow Copies? If so, that file will be recoverable from there quite easily. If not, let me strongly advise you to enable this feature. It uses spare disk space, and makes restores like this trivial. Just right-click on your drive letters under My Computer, select Properties, and enable it from the Shadow Copies tab. You do not need a lot of free space on the drive to do this, like you might think, as it is really making copies of the hard links, not the files themselves.
 

Author Comment

by:KevinITadmin
ID: 21755546
I did not specifically back up the "C:\windows\system32" directory. When I restored the "system state" from Saturday's backup, I browsed the contents of the restore and under a folder called "system files" was the Windows directory. I also searched the contents of the restored system state for (*.evt) and nothing came up. Apparently system state does not include event logs.

I've never used Volume shadow copy but I will enable it and play around with it.