Move Event Log from PowerShell

I created an event log in the Windows Event Viewer. The default location is C:\Windows\System32\winevt\Logs and I would like to move it to a different drive. That’s easy enough to do from the properties window in the Event Viewer, but I would like to automate it using a PowerShell script. I tried the following:

$channel = 'myLog'
$registryLogsLocation = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$outputLoc = "D:\logs\${channel}.evtx"
New-ItemProperty "$registryLogsLocation\$channel" -Name "File" -Value "$outputLoc" -PropertyType ExpandString -Force | Out-Null

Note that I checked the registry first and saw that the “File” property was not already present. These commands added the property just fine, but the output location change is not reflected when checking the properties page in the event viewer, even after reboot. Additionally, the myLog.evtx file is still being written to in the default location.

Next I delete the registry property I just added and change the location manually in the Event Viewer. Everything works as expected: the registry gets updated (in seemingly the same way as my PowerShell commands) and the myLog.evtx gets written to in the new location.

Next I delete the registry property again and run my commands again. Everything works as desired. I would like to be able to get this to work without needing to change the location manually in the Event Viewer. I’m quite new to working in Windows and PowerShell, so any info would be appreciated.

Relocating event logs in Windows Server 2008 R2 - Server Fault

This helps.

You need to add one more regkey: Flags.

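An added example, not code from either poster: it changes the log path through the .NET `System.Diagnostics.Eventing.Reader.EventLogConfiguration` class instead of the registry edit discussed above, then re-reads the setting to confirm it was saved. It reuses `myLog` and `D:\logs` from the question and assumes an elevated session and a destination folder that the Event Log service is allowed to write to.

```powershell
# Added example: relocate an event log via the Event Log API rather than the registry.
# Assumptions: elevated PowerShell session; 'myLog' and D:\logs are the names from the question.
$channel   = 'myLog'
$targetDir = 'D:\logs'
$target    = Join-Path $targetDir "$channel.evtx"

# The Event Log service creates the .evtx file itself, but the folder must already exist.
if (-not (Test-Path -LiteralPath $targetDir)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

# Load the current configuration, change only the file path, and save it.
$config = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $channel
try {
    $previous = $config.LogFilePath
    $config.LogFilePath = $target
    $config.SaveChanges()
}
finally {
    $config.Dispose()
}

# Re-read the configuration from the service to confirm the new path is in effect.
$check = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $channel
try {
    if ($check.LogFilePath -ne $target) {
        throw "Log '$channel' still points at '$($check.LogFilePath)'"
    }
    Write-Output ("{0}: {1} -> {2}" -f $channel, $previous, $check.LogFilePath)
}
finally {
    $check.Dispose()
}
```

After a log has been moved, confirm that events are landing in the new file, since a log that silently stops recording is an audit gap.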