How to change location of Vista Event Log file?

deko

I've tried editing the registry keys at:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\

I modified this:

%SystemRoot%\system32\winevt\Logs\System.evtx

to this:

G:\EventLogs\System.evtx

But the system still logs to:

%SystemRoot%\system32\winevt\Logs\System.evtx

I tried making the change a couple of times but no good.

I'm not using UAC and am logged in as Administrator (renamed)

Here's what I did:

1. set the Windows Event Log service to Disabled
2. rebooted
3. deleted %SystemRoot%\system32\winevt\Logs\System.evtx
4. verified that G:\EventLogs\ directory exists and that LOCAL SERVICE has
Full Control
5. edited the registry as indicated above
6. set the Windows Event Log service to Enabled
7. rebooted

If I look at the registry key value, it says 'G:\EventLogs\System.evtx', but
it doesn't have any effect - the system created a new System.evtx in
%SystemRoot%\system32\winevt\Logs\. Am I editing the right key? Why can't
I get Vista to log where I tell it to?

Thanks in advance.
 
AlexB

Wow, why in the world would you do it?

Install a new Vista on G: and you will have an event log in there.

Vista does not take such c*rap easily. You are trying to make it think
differently. It is a system prerogative to determine as to where to keep an
event log.

What is the idea beyond that?
 
deko

> Wow, why in the world would you do it?
> Install a new Vista on G: and you will have an event log in there.
>
> Vista does not take such c*rap easily. You are trying to make it think
> differently. It is a system prerogative to determine as to where to keep
> an event log.
>
> What is the idea beyond that?

I don't mean to be snide, but you should really think before you post.

There are many reasons why people store log files in different places. And
to say it's a 'system prerogative' where to log shows how much real world
experience you have.

There's an MSKB article http://support.microsoft.com/kb/315417 that
explains how to do exactly what I did with the registry. What's tricky in
Vista is the property sheets for the individual logs do not appear to be
editable. The Log Path field is the same default gray as the form
background. But if you click on the path, you can change it. So the
ability to define a location for event logs is a built-in feature in Vista.
No registry editing needed.
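
The mismatch described in this thread (registry value changed, log still written to the default location) can be checked directly. This is an added example, not code from the thread: a PowerShell sketch that compares the path stored under the registry key quoted above with the path the Event Log service itself reports. It assumes PowerShell 2.0 or later and that the path is stored in the `File` value of the per-log subkey.

```powershell
# Added example (not from the thread): compare the registry-configured log path
# with the path the Windows Event Log service reports for the same log.
param([string]$LogName = 'System')

# Per-log subkey under the Eventlog key quoted in the first post.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Assumption: the log path lives in the 'File' value of that subkey.
$regPath = (Get-ItemProperty -Path $key -Name File -ErrorAction Stop).File
$regPath = [Environment]::ExpandEnvironmentVariables($regPath)

# Path the service reports it is using right now.
$cfg      = Get-WinEvent -ListLog $LogName -ErrorAction Stop
$livePath = [Environment]::ExpandEnvironmentVariables($cfg.LogFilePath)

$result = New-Object PSObject -Property @{
    LogName      = $LogName
    RegistryPath = $regPath
    ServicePath  = $livePath
    Match        = ($regPath -ieq $livePath)          # case-insensitive compare
    FileExists   = (Test-Path -LiteralPath $livePath) # is the file really there?
}
$result | Format-List LogName, RegistryPath, ServicePath, Match, FileExists

if (-not $result.Match) {
    Write-Warning "Registry and Event Log service disagree on the $LogName log path."
}
```

Running it before and after a relocation shows whether the service picked up the new path, and a mismatch on a machine where nobody changed the setting is worth investigating.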
 
AlexB

Well, you are obviously of a much better class than I initially assumed but
it is still unclear to me why you want to do it. You say: there are many
reasons but what?

If you want to monitor event logs programmatically on the run it is NOT a
way to go. There are classes in .NET that can do it easily and with enormous
degree of control in terms of filtering, etc.

Also, I am surprised you are quoting a Win2K workaround and you are trying to
apply it to Vista. I do not respect such an approach.

WinSer2003 is yesterday's news also. Now it is WinSer2008.
 
