How to save & clear the Windows Failover Cluster logs

Over time, the Windows Failover Cluster logs grow and grow and can consume several GBytes on the system disk (C: by default) of the cluster nodes.

In general, it is a good idea to create a backup of the cluster logs and clear the cluster logs on all cluster nodes afterwards, for example, to simplify the analysis of the cluster logs in case of an error (it is very hard to find issues within several GBytes of log files).

This blog post describes how to backup and clear the Windows Failover Cluster logs on your Windows Failover Cluster nodes. The steps described below must be done on EACH cluster node.

A regular backup of the cluster logs also helps with incidents to answer questions like:

  • How many downtimes did we have … this year?
  • How many failovers occurred in the past months?
  • Which users administered the cluster in the past months?

The current size (as well as the maximum size) of the cluster logs can be identified by using the Windows Event Viewer.

Open the Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ FailoverClustering

View the log size

Within the column Size you find the current size of each log.

To identify (or modify) the maximum size for each log, select one of the logs (e.g., Diagnostic) and open the Properties dialog:

Event Viewer – Event log Properties-Dialog

The maximum log sizes are set to the following values by default (screenshot shows Windows Server 2019):

Log                   Max. Log Size (Kilobyte, default value)
ClusterSetDiagnostic  614400
Diagnostic            1572864
DiagnosticVerbose     38400
Operational           102800

Create a backup of the cluster logs using the Windows Event Viewer

To create a backup of the cluster logs using the Windows Event Viewer, first open the Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ FailoverClustering.

Within the tree view on the left side, select the cluster log you want to back up. Open the context menu and select Save All Events As… or choose Save All Events As… from the Action item in the menu bar.

Event Viewer – Save All Events

After specifying where the backup file should be saved, you will be asked if you want to export some display information. We recommend including this data in the backup.

Event Viewer – Save All Events with Display Information

Once you have confirmed this dialog using the “OK” button, the events will be exported to the previously specified .evtx file.

Clear the Cluster logs using the Windows Event Viewer

To clear the Cluster logs using the Windows Event Viewer, you open the Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ FailoverClustering.

Within the tree view on the left side, select the cluster log you want to clear. Open the context menu and select Clear Log… or choose Clear Log… from the Action item in the menu bar.

Event Viewer – Clear Log

Now you can either clear the log directly (button Clear) or create a backup before you clear it (button Save and Clear). If you choose Save and Clear, a new dialog window will show up and ask for the location where the backup should be stored.

Event Viewer – Save and Clear Event log confirmation dialog

After the log is cleared, select the node FailoverClustering again. You will see that the Number of Events is 0 and the Size is reduced to the minimal size of an Event Log file.

Event Viewer – Cleared Log size

It’s possible to completely automate the backup and deletion of the cluster logs. The built-in Microsoft tool wevtutil.exe can be used to do this.

You can add the following commands into a script file.

Wevtutil.exe parameters and usage:

Parameter                            Alias  Description
enum-logs                            el     Displays the names of all logs.
get-loginfo <Logname>                gli    Displays status information about an event log or log file.
export-log <Path> <Exportfile>       epl    Exports events from an event log, from a log file, or using a structured query to the specified file.
clear-log <Logname> [/bu:<Backup>]   cl     Clears events from the specified event log. The /bu option can be used to back up the cleared events.

Option         Description
/r:<Remote>    Runs the command on a remote computer. <Remote> is the name of the remote computer.
/u:<Username>  Specifies a different user to log on to a remote computer. <Username> is a username in the form domain\user or user. Only applicable when the /r option is specified.

Note: A complete set of parameters and options supported by wevtutil.exe is available in the official documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

The application wevtutil.exe must be run in an administrative command prompt or PowerShell.

Get the name of all logs

To get a list of all event logs (this list is very long…) on your local system, run:

wevtutil.exe el

The names of the cluster event logs, as used when running wevtutil.exe, are:

Log                   Logname used by wevtutil
ClusterSetDiagnostic  Microsoft-Windows-FailoverClustering/ClusterSetDiagnostic
Diagnostic            Microsoft-Windows-FailoverClustering/Diagnostic
DiagnosticVerbose     Microsoft-Windows-FailoverClustering/DiagnosticVerbose
Operational           Microsoft-Windows-FailoverClustering/Operational

To get some details about one of the cluster logs, use the parameter get-loginfo:

wevtutil.exe gli Microsoft-Windows-FailoverClustering/Diagnostic

This will print the following details to the command line:

creationTime: 2019-11-21T06:30:01.204Z
lastAccessTime: 2022-05-19T08:52:29.471Z
lastWriteTime: 2022-05-19T08:52:29.471Z
fileSize: 1610616832
attributes: 32
numberOfLogRecords: 2638343
oldestRecordNumber: 43468561

Create a backup of the cluster logs using wevtutil.exe

Creating a backup of a cluster log using wevtutil.exe is as simple as using the Windows Event Viewer: wevtutil.exe provides the parameter export-log to create a backup of an event log.

To create a backup of the Cluster Diagnostic log to c:\EventLogBackup\WSFC_Diagnostic.evtx just run the following two commands:

mkdir c:\EventLogBackup\
wevtutil.exe epl Microsoft-Windows-FailoverClustering/Diagnostic c:\EventLogBackup\WSFC_Diagnostic.evtx

Do not forget to create the destination folder before starting the backup. If the destination folder does not exist, the backup fails:

Failed to export log Microsoft-Windows-FailoverClustering/Diagnostic. The system cannot find the path specified.

Clear the Cluster logs using wevtutil.exe

Before clearing the Cluster logs, do not forget to create a backup of the logs!

Clearing the log is done by calling wevtutil.exe with the parameter clear-log:

wevtutil.exe cl Microsoft-Windows-FailoverClustering/Diagnostic

If you did not already create a backup of the Cluster logs using export-log, you can tell wevtutil.exe to create a backup by adding the option /bu:<BackupFileName> to the call of clear-log:

wevtutil.exe cl Microsoft-Windows-FailoverClustering/Diagnostic /bu:c:\EventLogBackup\WSFC_Diagnostic.evtx

Like using the parameter export-log, you must ensure that the target folder c:\EventLogBackup exists.
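The steps above (query the log with get-loginfo, create the destination folder, export, then clear) can be put together into one script that is run on each cluster node. The following PowerShell script is an added example and is not part of the original post; the backup root C:\EventLogBackup, the 64 MB size threshold and the per-node folder naming are assumptions you can adjust. It parses the key: value output of wevtutil gli, exports only logs that have grown past the threshold, and clears a log only after the export returned exit code 0 and the .evtx file actually exists.

```powershell
# Added example (not from the original post): back up and then clear the four
# Failover Clustering event logs on the local node with wevtutil.exe.
# Run from an elevated PowerShell prompt on EACH cluster node.
# Assumptions (not from the post): backup root C:\EventLogBackup and the
# 64 MB threshold are placeholders; adjust them for your environment.
#Requires -RunAsAdministrator

$BackupRoot   = 'C:\EventLogBackup'
$MinSizeBytes = 64MB     # only touch logs that have grown past this size

$ClusterLogs = @(
    'Microsoft-Windows-FailoverClustering/ClusterSetDiagnostic',
    'Microsoft-Windows-FailoverClustering/Diagnostic',
    'Microsoft-Windows-FailoverClustering/DiagnosticVerbose',
    'Microsoft-Windows-FailoverClustering/Operational'
)

# Parse the "key: value" lines printed by "wevtutil gli" into a hashtable.
# Splitting at the first ':' only keeps timestamps such as
# "2019-11-21T06:30:01.204Z" intact.
function Get-LogInfo([string]$LogName) {
    $info = @{}
    wevtutil.exe gli $LogName | ForEach-Object {
        $key, $value = $_ -split ':\s*', 2
        if ($key) { $info[$key.Trim()] = $value }
    }
    if ($LASTEXITCODE -ne 0) { throw "wevtutil gli failed for $LogName" }
    return $info
}

# One folder per node and run, so backups from several nodes never collide.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $BackupRoot "$env:COMPUTERNAME-$stamp"
# export-log fails if the destination folder does not exist, so create it first.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($log in $ClusterLogs) {
    $before = Get-LogInfo $log
    $size   = [int64]$before['fileSize']
    if ($size -lt $MinSizeBytes) {
        Write-Host ("Skipping {0}: {1:N0} bytes" -f $log, $size)
        continue
    }

    # File name: WSFC_<short log name>.evtx, e.g. WSFC_Diagnostic.evtx
    $short  = $log.Split('/')[-1]
    $target = Join-Path $backupDir "WSFC_$short.evtx"

    wevtutil.exe epl $log $target
    # Clear only after a verified backup: exit code 0 AND the .evtx file exists.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $target)) {
        Write-Warning "Backup of $log failed; log NOT cleared."
        continue
    }

    wevtutil.exe cl $log
    if ($LASTEXITCODE -ne 0) { Write-Warning "Clearing $log failed."; continue }

    $after = Get-LogInfo $log
    Write-Host ("{0}: {1:N0} records backed up to {2}; now {3} records" -f `
        $short, [int64]$before['numberOfLogRecords'], $target, $after['numberOfLogRecords'])
}
```

The two-step export-then-clear form is used instead of clear-log /bu: so that the script can check the exported file before anything is deleted; schedule it as a task on every node, and copy the per-node backup folders to a central share afterwards if you want the evtx files available for later incident analysis.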

Run the wevtutil.exe commands on a remote computer

If you want wevtutil.exe to run commands on a remote computer, just append /r:<hostname> to the call of wevtutil.exe, e.g.:

wevtutil.exe el /r:node2.my.domain

You can also specify a different user account to run the commands on the remote computer using the option /u:<username>:

wevtutil.exe el /r:node2.my.domain /u:my\otheradmin
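Because backups and clearing must be done on every node, it helps to first see from one place which node still has oversized cluster logs. The following PowerShell snippet is an added example, not code from the original post; it uses the /r:<hostname> option shown above to run get-loginfo against each node and prints a small table. The node names, the 1 GB warning threshold and the column layout are assumptions; the account running it must be an administrator on each node (or pass /u:<username> as described above, in which case wevtutil prompts for the password).

```powershell
# Added example (not from the original post): collect size and record count of
# the Failover Clustering logs from every node using "wevtutil gli ... /r:<node>".
# Assumptions (not from the post): the node names are placeholders and the
# 1 GB threshold is an arbitrary warning level.
$Nodes = @('node1.my.domain', 'node2.my.domain')   # placeholder node names
$ClusterLogs = @(
    'Microsoft-Windows-FailoverClustering/Diagnostic',
    'Microsoft-Windows-FailoverClustering/DiagnosticVerbose',
    'Microsoft-Windows-FailoverClustering/Operational'
)
$WarnAboveBytes = 1GB

$report = foreach ($node in $Nodes) {
    foreach ($log in $ClusterLogs) {
        # gli prints "key: value" lines; 2>&1 keeps the error text if the node
        # is unreachable or the caller lacks rights there.
        $lines = wevtutil.exe gli $log /r:$node 2>&1
        if ($LASTEXITCODE -ne 0) {
            [pscustomobject]@{
                Node = $node; Log = $log.Split('/')[-1]
                SizeMB = $null; Records = $null; Status = "ERROR: $lines"
            }
            continue
        }
        $size    = [int64](($lines | Where-Object { $_ -like 'fileSize:*' }) -replace '^fileSize:\s*', '')
        $records = [int64](($lines | Where-Object { $_ -like 'numberOfLogRecords:*' }) -replace '^numberOfLogRecords:\s*', '')
        [pscustomobject]@{
            Node    = $node
            Log     = $log.Split('/')[-1]
            SizeMB  = [math]::Round($size / 1MB, 1)
            Records = $records
            Status  = if ($size -gt $WarnAboveBytes) { 'BACKUP+CLEAR' } else { 'ok' }
        }
    }
}
$report | Format-Table -AutoSize
```

Rows marked BACKUP+CLEAR tell you on which nodes the backup-and-clear steps from the previous sections are due; rows marked ERROR usually mean the remote Event Log service is not reachable or the account used is not a local administrator on that node.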