Technology Blogs by SAP
mederd
Product and Topic Expert

Over time, the Windows Failover Cluster logs grow and can consume up to several GBytes on the system disk (C: by default) of the cluster nodes.

In general, it is a good idea to create a backup of the cluster logs and clear the cluster logs on all cluster nodes afterwards, for example, to simplify the analysis of the cluster logs in case of an error (it is very hard to find issues within several GBytes of logfiles).

This blog post describes how to back up and clear the Windows Failover Cluster logs on your Windows Failover Cluster nodes. The steps described below must be done on EACH cluster node.

A regular backup of the cluster logs also helps with incidents to answer questions like:

  • How many downtimes did we have … this year?
  • How many failovers occurred in the past months?
  • Which users administered a cluster in the past months?

Identifying the current and maximum size of the cluster logs

The current size (as well as the maximum size) of the cluster logs can be identified by using the Windows Event Viewer.

Open the Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ FailoverClustering

Within the column Size you find the current size of each log.

To identify (or modify) the maximum size for each log, select one of the logs (e.g., Diagnostic) and open the Properties dialog:

The maximum log sizes are set to the following values by default (screenshot shows Windows Server 2019):

| Log | Max. Log Size (Kilobyte, default value) |
|---|---|
| ClusterSetDiagnostic | 614400 |
| Diagnostic | 1572864 |
| DiagnosticVerbose | 38400 |
| Operational | 102800 |

Using the Windows Event Viewer

Create a backup of the cluster logs using the Windows Event Viewer

To create a backup of the cluster logs using the Windows Event Viewer, first open the Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ FailoverClustering.

Within the tree view on the left side, select the cluster log you want to back up. Open the context menu and select Save All Events As… or choose Save All Events As… from the Action item in the menu bar.

After specifying where the backup file should be saved, you will be asked if you want to export some display information. We recommend including this data into the backup.

Once you have confirmed this dialog using the “OK” button, the events will be exported to the previously specified .evtx file.

Clear the Cluster logs using the Windows Event Viewer

To clear the cluster logs using the Windows Event Viewer, open the Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ FailoverClustering.

Within the tree view on the left side, select the cluster log you want to clear. Open the context menu and select Clear Log… or choose Clear Log… from the Action item in the menu bar.

Now you can either clear the log directly (button Clear) or create a backup before you clear it (button Save and Clear). If you choose Save and Clear, a new dialog window will show up and ask for the location where the backup should be stored.

After the log is cleared, select the node FailoverClustering again. You will see that the Number of Events is 0 and the Size is reduced to the minimal size of an Event Log file.

Using wevtutil.exe

It’s possible to completely automate the backup and clearing of the cluster logs. The built-in Microsoft tool wevtutil.exe can be used to do this.

You can add the following commands into a script file.

Wevtutil.exe parameters and usage:

| Parameter | Alias | Description |
|---|---|---|
| enum-logs | el | Displays the names of all logs. |
| get-loginfo <Logname> | gli | Displays status information about an event log or log file. |
| export-log <Path> <Exportfile> | epl | Exports events from an event log, from a log file, or using a structured query to the specified file. |
| clear-log <Logname> [/bu:<Backup>] | cl | Clears events from the specified event log. The /bu option can be used to back up the cleared events. |

| Option | Description |
|---|---|
| /r:<Remote> | Runs the command on a remote computer. <Remote> is the name of the remote computer. |
| /u:<Username> | Only applicable when the /r option is specified. Specifies a different user to log on to a remote computer. <Username> is a username in the form domain\user or user. |


Note: A complete set of parameters and options supported by wevtutil.exe is available in the official documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

The application wevtutil.exe must be run in an administrative command prompt or PowerShell.

Get the name of all logs

To get a list of all event logs (this list is very long…) on your local system, run:

wevtutil.exe el

The names of the cluster event logs, as used by wevtutil.exe, are:

| Log | Logname used by wevtutil |
|---|---|
| ClusterSetDiagnostic | Microsoft-Windows-FailoverClustering/ClusterSetDiagnostic |
| Diagnostic | Microsoft-Windows-FailoverClustering/Diagnostic |
| DiagnosticVerbose | Microsoft-Windows-FailoverClustering/DiagnosticVerbose |
| Operational | Microsoft-Windows-FailoverClustering/Operational |

To get some details about one of the cluster logs, use the parameter get-loginfo:

wevtutil.exe gli Microsoft-Windows-FailoverClustering/Diagnostic

This will print the following details to the command line:

creationTime: 2019-11-21T06:30:01.204Z
lastAccessTime: 2022-05-19T08:52:29.471Z
lastWriteTime: 2022-05-19T08:52:29.471Z
fileSize: 1610616832
attributes: 32
numberOfLogRecords: 2638343
oldestRecordNumber: 43468561

Create a backup of the cluster logs using wevtutil.exe

Creating a backup of a cluster log using wevtutil.exe is as simple as using the Windows Event Viewer: wevtutil.exe provides the parameter export-log to create a backup of an event log.

To create a backup of the Cluster Diagnostic log to c:\EventLogBackup\WSFC_Diagnostic.evtx just run the following two commands:

mkdir c:\EventLogBackup\

wevtutil.exe epl Microsoft-Windows-FailoverClustering/Diagnostic c:\EventLogBackup\WSFC_Diagnostic.evtx

Do not forget to create the destination folder before starting the backup. If the destination folder does not exist, the backup fails:

Failed to export log Microsoft-Windows-FailoverClustering/Diagnostic.

The system cannot find the path specified.

Clear the Cluster logs using wevtutil.exe

Before clearing the Cluster logs, do not forget to create a backup of the logs!

Clearing the log is done by calling wevtutil.exe with the parameter clear-log:

wevtutil.exe cl Microsoft-Windows-FailoverClustering/Diagnostic

If you did not already create a backup of the Cluster logs using export-log, you can tell wevtutil.exe to create a backup by adding the option /bu:<BackupFileName> to the call of clear-log:

wevtutil.exe cl Microsoft-Windows-FailoverClustering/Diagnostic /bu:c:\EventLogBackup\WSFC_Diagnostic.evtx

As with the parameter export-log, you must ensure that the target folder c:\EventLogBackup exists.
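
The backup and clear steps above, combined into one script for all four cluster logs. This is an added example, not part of the original post: it clears a log only after its export succeeded and the backup file could be read back. The folder C:\EventLogBackup, the file naming scheme and the manifest file SHA256SUMS.txt are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on EACH node.
$BackupRoot = 'C:\EventLogBackup'                    # assumed destination folder
$Manifest   = Join-Path $BackupRoot 'SHA256SUMS.txt' # assumed manifest file name
$Logs = @(
    'Microsoft-Windows-FailoverClustering/ClusterSetDiagnostic',
    'Microsoft-Windows-FailoverClustering/Diagnostic',
    'Microsoft-Windows-FailoverClustering/DiagnosticVerbose',
    'Microsoft-Windows-FailoverClustering/Operational'
)

# export-log fails when the destination folder does not exist, so create it first.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($Log in $Logs) {
    # The log name contains '/', which is not allowed in a file name: keep the last part only.
    $Short  = ($Log -split '/')[-1]
    $Target = Join-Path $BackupRoot ('{0}_WSFC_{1}_{2}.evtx' -f $env:COMPUTERNAME, $Short, $Stamp)

    # Step 1: back up (export-log).
    wevtutil.exe epl $Log $Target
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Target)) {
        Write-Warning "Export of '$Log' failed (exit code $LASTEXITCODE). Log was NOT cleared."
        continue
    }

    # Step 2: check that the backup is a readable event log file (/lf:true = argument is a file).
    wevtutil.exe gli $Target /lf:true | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup '$Target' is not readable. Log '$Log' was NOT cleared."
        continue
    }

    # Step 3: record a SHA-256 hash so later changes to the backup can be detected.
    $Hash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    Add-Content -LiteralPath $Manifest -Value "$Hash  $(Split-Path $Target -Leaf)"

    # Step 4: clear the log only after the backup has been verified.
    wevtutil.exe cl $Log
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Cleared '$Log' (backup: $Target)"
    } else {
        Write-Warning "Clearing '$Log' failed (exit code $LASTEXITCODE). Backup kept at $Target."
    }
}
```

Events written between the export and the clear call are not contained in the backup, so run the script at a quiet time. Windows records the clearing of a log as event ID 104 in the System log, which security monitoring often alerts on, so run the script under a documented account and schedule.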

Run the wevtutil.exe commands on a remote computer

If you want wevtutil.exe to run commands on a remote computer, just append /r:<hostname> to the call of wevtutil.exe, e.g.:

wevtutil.exe el /r:node2.my.domain

You can also specify a different user account to run the commands on the remote computer using the option /u:<username>:

wevtutil.exe el /r:node2.my.domain /u:my\otheradmin