An Overview of Hyper-V Event Logs


In Server 2008 and Server 2008 R2, Microsoft has greatly expanded upon the basic Windows Event Viewer model to allow individual services and applications to have their own log. For programs that take advantage of this, you can quickly drill down to events that are specific to that software without spending time setting up filters.

How can I access Hyper-V event logs?

There are several ways to access these logs. One way is through “Server Manager”. In a default installation of full Windows Server, there is an icon for Server Manager in the Quick Launch bar and under the Administrative Tools heading in the Start Menu. It can also be reached by right-clicking on “My Computer” and selecting Manage. Once in Server Manager, there is a “Hyper-V” section that includes a synopsis of recent events. You can access the full logs by expanding the Diagnostics node to find Event Viewer. Event Viewer can be accessed directly by its icon in the Administrative Tools menu.

For a Core installation of Windows Server, you must access Event Viewer remotely. To be able to connect to any Windows Server remotely, some configuration is required. Microsoft details these steps at Follow the steps for configuration via Group Policy or PowerShell. Once the server is prepared, connect to it using Server Manager or Event Viewer, right-click on the top-most node and select “Connect to another computer”.

Connecting to a native installation of Hyper-V is almost identical to using the Core method detailed in the previous paragraph. However, Server Manager will not be able to connect to it. You’ll need to use Event Viewer or Computer Management to connect. Computer Management is accessed on a desktop by right-clicking “My Computer” and choosing Manage; on a Server GUI, open the Start Menu, type “compmgmt.msc” without the quotes and press Enter.

Once connected to your server, there are ten logs devoted to Hyper-V. Once you’re in Event Viewer, access them by expanding the “Applications and Services Logs” node, then the “Microsoft” node, then the “Windows” node. The nodes are listed alphabetically, so all ten of the Hyper-V nodes are grouped together as seen in the following screen capture:


We’ll examine these in order of appearance.


Hyper-V-Config

This log contains entries that pertain to the configuration files that describe individual virtual machines. These are the XML files whose names are globally unique identifiers. They can be found under C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines or under VM-specific folders on a Cluster Shared Volume. The most common error is 4096, which indicates that Hyper-V is unable to locate an expected configuration file. It isn’t entirely unusual to encounter this error in normal operations, as utilities and operations may move the XML files in a fashion that isn’t entirely in sync with the Hyper-V services. It normally doesn’t require attention unless it is a persistent error.


Hyper-V-High-Availability

This section contains events related to the interaction of Failover Clustering with Hyper-V. Most of the events here will be informational records of actions that the Cluster service took on individual VMs. Errors should be very rare and are generally related to the same sort of synchronization issues that cause the Hyper-V-Config 4096 errors.


Hyper-V-Hypervisor

As the name implies, these events are related to the hypervisor itself. Most of the events will be related to the creation and destruction of partitions, which are the temporary containers that hold running virtual machines. If there is any sort of problem with Hyper-V itself, especially issues that prevent the service from starting, this is where you’ll find out about it.


Hyper-V-Image-Management-Service

The related service is devoted to the handling of VHD files. If any operation involving a virtual hard drive fails, details are logged here.


Hyper-V-Integration

This log tracks events associated with the Integration Services that are installed into virtual machines. Most of the problems reported here can be corrected by re-installing or upgrading the Integration Services components.


Hyper-V-Network

The virtual switch(es) in your deployment will record events here. The first events will be the creation of the virtual networks themselves, as well as pairing of external networks to physical network cards. When a virtual network adapter is created or destroyed in a virtual machine, a matching virtual port is created on the virtual switch; the creation/destruction of those ports will be registered here.


Hyper-V-SynthNic

The synthetic network cards in virtual machines will log an event when they start (12582). Look here for clues as to why a network card won’t function, such as MAC collisions.


Hyper-V-SynthStor

Virtual storage controller drivers use this log for their events. The most common event is logged by virtual SCSI controllers as they start. The virtual IDE driver is emulated and not synthetic, so it initializes before the VM loads and will not log a matching event. If a drive cannot be attached to the virtual controller port as expected, it will be logged here.


Hyper-V-VMMS

The Virtual Machine Management Service generates these events. Problems with import and export actions will be logged here, as will AVHD merge operations. Host shutdown events will also be tracked in this log. It will also report when it cannot locate the files for a VM. As in other logs, these are likely to be cleaned up once a VM is completely removed.


Hyper-V-Worker

Hyper-V’s worker threads log these events. Normally, this is the busiest of all the logs, but most of them are trivial. If you’re curious how long that last Live Migration took, this is where you’ll find it. Emulated network and storage drivers (as opposed to the synthetic drivers) will create events here.
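The same logs can be enumerated and triaged from PowerShell instead of clicking through the Event Viewer tree. The script below is an added example, not part of the original article: it summarizes errors and warnings per Hyper-V log and applies the "only if persistent" guidance for event 4096. The host name `HV01`, the 7-day window and the 3-day persistence threshold are assumptions.

```powershell
# Added example, not from the original article.
# 'HV01' is a placeholder host; remote queries need the remote event-log
# configuration the article describes for Core installations.
$ComputerName   = 'HV01'
$since          = (Get-Date).AddDays(-7)   # assumed review window
$persistentDays = 3   # assumed: 4096 on this many distinct days counts as persistent

# All Hyper-V channels share one prefix, so a wildcard lists them together.
$logs = @(Get-WinEvent -ListLog 'Microsoft-Windows-Hyper-V-*' -ComputerName $ComputerName |
    Where-Object { $_.RecordCount -gt 0 })

# Count critical/error (levels 1-2) and warning (level 3) events per log.
$summary = foreach ($log in $logs) {
    $events = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $log.LogName; Level = 1, 2, 3; StartTime = $since })
    New-Object PSObject -Property @{
        Log      = $log.LogName
        Errors   = @($events | Where-Object { $_.Level -le 2 }).Count
        Warnings = @($events | Where-Object { $_.Level -eq 3 }).Count
    }
}
$summary | Sort-Object Errors -Descending |
    Format-Table Log, Errors, Warnings -AutoSize | Out-Host

# Event 4096 in the Config log only matters when it keeps recurring,
# so group it by calendar day rather than reacting to a single hit.
$configLogs = @($logs | Where-Object { $_.LogName -like '*Hyper-V-Config*' } |
    ForEach-Object { $_.LogName })
if ($configLogs.Count -gt 0) {
    $missing = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $configLogs; Id = 4096; StartTime = $since })
    $days = @($missing | Group-Object { $_.TimeCreated.Date })
    if ($days.Count -ge $persistentDays) {
        Write-Warning "Event 4096 logged on $($days.Count) separate days; check for missing VM configuration files."
        $missing | Select-Object -First 5 TimeCreated, Message | Format-List | Out-Host
    }
}
```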



29 thoughts on "An Overview of Hyper-V Event Logs"

  • Bruno Cruz says:

    Is there some event in Windows Server 2012, and its ID number, for the case of a failed Altaro Hyper-V backup?

