On 2/17/2011 2:18 PM, Michael B. Smith wrote:
> Sorry, I wasn't paying close attention, but they should be backed up by
> anything that does a SysState backup and anything that does a VSS backup.

EMC Networker does do a SysState backup, as well as VSS. I didn't find the .evt files where I thought I would find them (c:\windows\system32\config), but the ones I did find in the C:\Windows\Repair\Backup\ServiceState\EventLogs location were the logs I needed, covering the time I needed. So I restored just those files, and then opened them with Event Viewer and filtered. As I suspected, no event ID 538 or 540 (successful network logins). Only failed logins ...

I might be able to find out what I need by looking in old logs for LANDesk, since it notes user logins, too. Not definitive, of course, as you can use any ID to log in with, but better than nothing, I suppose.

Thanks

>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Thursday, February 17, 2011 2:16 PM
> To: NT System Admin Issues
> Subject: Re: Looking for logon/logoff times in old event logs
>
> On Thu, Feb 17, 2011 at 9:48 AM, Mike Leone <[email protected]> wrote:
>> But I don't see any event log files (*.evt) in the location
>> c:\windows\system32\config.
>
> I don't have a solution for you, but IIRC, the active Event Log files are
> opened by the EventLog service at startup and stay that way as long as the
> system is running. So unless you use an "open file agent" on your DC, they
> would be found to be open and skipped during the backup.
>
> They might (*MIGHT* -- I dunno) be included in a "System State"
> backup/restore, but you'll want to restore to an isolated lab environment
> (you'll be restoring a 6 month old copy of your AD database, and while it
> shouldn't be accepted as authoritative by the other DCs if you don't say so,
> it will still be a mess).
