Over the time, the Windows Failover Cluster logs grow and grow and consume up to several GBytes on the system disk (C: by default) of the cluster nodes.
In general, it is a good idea to create a backup of the cluster logs and clear the cluster logs on all cluster nodes afterwards, for example, to simplify the analysis of the cluster logs in case of an error (it is very hard to find issues within several GBytes of logfiles)
This blog post describes how to backup and clear the Windows Failover Cluster logs on your Windows Failover Cluster nodes. The steps described below must be done on EACH cluster node.
A regular backup of the cluster logs also helps with incidents to answer questions like:
- How many downtimes did we have … this year?
- How many failovers occurred in the past months?
- Which users administrated a cluster in the past months?
Identifying the current and maximum size of the cluster logs
The current size (as well as the maximum size) of the cluster logs can be identified by using the Windows Event Viewer.
Open the Event Viewer and navigate to Applications and Services Logs Microsoft Windows FailoverClustering
View the log size
Within the column Size you find the current size of each log.
To identify (or modify) the maximum size for each log, select one of the logs (e.g., Diagnostic) and open the Properties dialog:
Event Viewer – Event log Properties-Dialog
The maximum log sizes are set to the following values by default (screenshot shows Windows Server 2019):
| Log | Max. Log Size (Kilobyte, Default value) |
| ClusterSetDiagnostic | 614400 |
| Diagnostic | 1572864 |
| DiagnosticVerbose | 38400 |
| Operational | 102800 |
Using the Windows Event Viewer
Create a backup of the cluster logs using the Windows Event Viewer
Using the Windows Event Viewer to create a backup of the Cluster logs, you first open the Event Viewer and navigate to Applications and Services Logs Microsoft Windows FailoverClustering.
Within the tree view on the left side, select the cluster log you want to backup. Open the context menu and select Save All Events As… or chose Save All Events As… from the Action item in the menu bar.
Event Viewer – Save All Events
After specifying where the backup file should be saved, you will be asked if you want to export some display information. We recommend including this data into the backup.
Event Viewer – Save All Events with Display Information
Once you have confirmed this dialog using the “OK” button, the events will be exported to the previously specified .evtx file.
Clear the Cluster logs using the Windows Event Viewer
To clear the Cluster logs using the Windows Event Viewer, you open the Event Viewer and navigate to Applications and Services Logs Microsoft Windows FailoverClustering.
Within the tree view on the left side, select the cluster log you want to clear. Open the context menu and select Clear Log… or chose Clear Log… from the Action item in the menu bar.
Event Viewer – Clear Log
Now you can either clear the log directly (use button Clear) or create a backup before you clear it (button Save and Clear). If you chose Save and Clear, a new dialog Windows will show up and ask for the location, where to store the backup.
Event Viewer – Save and Clear Event log confirmation dialog
After the log is cleared, select the node FailoverClustering again. You will see that the Number of Events is 0 and the Size is reduced to the minimal size of an Event Log file.
Event Viewer – Cleared Log size
Using wevtutil.exe
It’s possible to completely automate backup and the deleting of cluster logs. The build-in Microsoft tool wevtutil.exe can be used to do this.
You can add the following commands into a script file.
Wevtutil.exe parameters and usage:
| Parameter | Alias | Description |
| enum-logs | el | Displays the names of all logs. |
| get-loginfo <Logname> | gli | Displays status information about an event log or log file. |
| export-log <Path> <Exportfile> | epl | Exports events from an event log, from a log file, or using a structured query to the specified file. |
| clear-log <Logname> [/bu:<Backup>] | cl | Clears events from the specified event log. The /bu option can be used to back up the cleared events. |
| Option | Description |
| /r:<Remote> | Runs the command on a remote computer. <Remote> is the name of the remote computer. |
| /u:<Username> | Only applicable when the /r option is specified.
Specifies a different user to log on to a remote computer. <Username> is a username in the form domainuser or user. |
Note: A complete set of parameters and options supported by wevtutil.exe is available in the official documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
The application wevtutil.exe must be run in an administrative command prompt or PowerShell.
Get the name of all logs
To get a list of all event logs (this list is very long…) on your local system, run:
wevtutil.exe el
The name of the cluster event logs, used to run wevtutil.exe, are:
| Log | Logname used by wevtutil |
| ClusterSetDiagnostic | Microsoft-Windows-FailoverClustering/ClusterSetDiagnostic |
| Diagnostic | Microsoft-Windows-FailoverClustering/Diagnostic |
| DiagnosticVerbose | Microsoft-Windows-FailoverClustering/DiagnosticVerbose |
| Operational | Microsoft-Windows-FailoverClustering/Operational |
To get some details about one of the cluster logs, use the parameter get-loginfo:
wevtutil.exe gli Microsoft-Windows-FailoverClustering/Diagnostic
This will print the following details to the command line:
creationTime: 2019-11-21T06:30:01.204Z lastAccessTime: 2022-05-19T08:52:29.471Z lastWriteTime: 2022-05-19T08:52:29.471Z fileSize: 1610616832 attributes: 32 numberOfLogRecords: 2638343 oldestRecordNumber: 43468561
Create a backup of the cluster logs using wevtutil.exe
Creating a backup of a cluster log using wevtutil.exe is as simple as using the Windows Event Viewer: wevtutil.exe provides the parameter export-log to create a backup of an event log.
To create a backup of the Cluster Diagnostic log to c:EventLogBackupWSFC_Diagnostic.evtx just run the following two commands:
mkdir c:EventLogBackup wevtutil.exe epl Microsoft-Windows-FailoverClustering/Diagnostic c:EventLogBackupWSFC_Diagnostic.evtx
Do not forget to create the destination folder before starting the backup. If the destination folder does not exist, the backup fails:
Failed to export log Microsoft-Windows-FailoverClustering/Diagnostic. The system cannot find the path specified.
Clear the Cluster logs using wevtutil.exe
Before clearing the Cluster logs, do not forget to create a backup of the logs!
Clearing the log is done by calling wevtutil.exe with the parameter clear-log:
wevtutil.exe cl Microsoft-Windows-FailoverClustering/Diagnostic
If you did not already create a backup of the Cluster logs using export-log, you can tell wevtutil.exe to create a backup by adding the option /bu:<BackupFileName> to the call of clear-log:
wevtutil.exe cl Microsoft-Windows-FailoverClustering/Diagnostic /bu: c:EventLogBackupWSFC_Diagnostic.evtx
Like using the parameter export-log, you must ensure that the target folder c:EventLogBackup exists.
Run the wevtutil.exe commands on a remote computer
If you want wevtutil.exe to run commands on a remote computer, just append /r:<hostname> to the call of wevtutil.exe, e.g.:
wevtutil.exe el /r:node2.my.domain
You can also specify a different user account to run the commands on the remote computer using the option /u:<username>:
wevtutil.exe el /r:node2.my.domain /u:myotheradmin
