Handling Windows Server 2008 R2 Cluster Log

This is a quick tutorial on how to work with Windows Server 2008 R2 cluster diagnostic debug logging, which captures detailed information about cluster operations. Recently I came across a cluster resource failure, but unfortunately the event logs did not have any useful information that could have aided my investigation. I decided to search through the cluster log file, but to my surprise there wasn’t any :(. Apparently, with Windows Server 2008 R2 the cluster.log file is not auto-generated. While reading up on the cluster log settings, I came across Failover Cluster Event Tracing for Windows and decided to post some of the things I learned in the process.

Failover Cluster Event Tracing for Windows

The Failover Clustering feature in Windows Server 2008 R2 comes with diagnostic debug logging, which captures detailed information about cluster operations. The configuration settings for this can be found in the following location: \Server Manager\Diagnostics\Performance\Data Collector Sets\Event Trace Sessions\Eventlog-Microsoft-Windows-FailoverClustering-Diagnostic. Cluster event tracing is enabled by default when you enable the cluster feature and start the cluster service.

The Failover Clustering diagnostic log files are stored in %WinDir%\System32\winevt\logs\ and have an *.etl extension. There are three *.etl log files. Each time a node is rebooted, a new ETL file is generated, and logging goes to the new file until the server is rebooted again.

Below are some useful settings that might come in handy when troubleshooting cluster failures:

– Generate a Windows Server Cluster Log
– Cluster Log default size
– Cluster Log default logging level

Before we begin, I would suggest you run the command “cluster /prop“. This lists the cluster properties and their current values.

1. Generate a Windows Server Cluster Log

– Log on to one of the cluster nodes -> Open the command prompt As Administrator -> Enter the following command: “cluster log /g“. A cluster.log file will be generated and stored in the %windir%\Cluster\Reports directory on all cluster nodes.

– Another way to generate the cluster log, available only on Windows Server 2008 R2, is PowerShell. Click on Start\Administrative Tools\Windows PowerShell Modules

– Wait for the system to load all the PowerShell commands

– Command1: “Get-ClusterLog“:- This command creates the cluster log file on each cluster node in the cluster reports folder

– Command2: “Get-ClusterLog -Destination“:- This command creates the cluster log file for each cluster node and copies all logs to a central location or destination specified in the command. This is useful when you want to view the cluster logs from different nodes in a single place

2. Cluster Log default size

The default failover cluster event tracing log size is 100 MB, and the logs are handled in a circular logging scheme. If the cluster.log file does not have the needed information because older entries have been overwritten, you need to increase the size of the cluster log (*.etl) to retain more data.

– From Windows command prompt: cluster log /Size:X

– From PowerShell: Set-ClusterLog -Size X

3. Cluster default logging level

The default cluster logging level is 3. Anything higher than 3 will give more information but may have a significant impact on the cluster. The table below gives a complete overview of the different logging levels and what information can be derived from each. Note: Setting the level to 0 (zero) would disable logging.

[table id=13 /]

– From Windows command prompt: Cluster Log /Level:X

– From PowerShell: Set-ClusterLog -Level X
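The steps above combined into one collection script, as an added example that is not part of the original post. The destination folder and the minimum size are hypothetical values, and the ERR/WARN pattern assumes cluster.log entries carry those severity markers.

```powershell
# Added example: review log settings, collect cluster.log from every node,
# and list the most recent error/warning entries per node.
param(
    [string]$Destination = 'C:\ClusterLogs',  # hypothetical central folder
    [int]$MinSizeMB = 200                     # hypothetical minimum log size in MB
)

Import-Module FailoverClusters

# Current settings (the same values "cluster /prop" reports)
$cluster = Get-Cluster
"Cluster {0}: log size {1} MB, log level {2}" -f `
    $cluster.Name, $cluster.ClusterLogSize, $cluster.ClusterLogLevel

# The log is circular: grow it if it is below the chosen minimum so that
# older entries survive longer before being overwritten.
if ($cluster.ClusterLogSize -lt $MinSizeMB) {
    Set-ClusterLog -Size $MinSizeMB | Out-Null
}

if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

# Generate cluster.log on each node and copy every log to $Destination.
$logs = Get-ClusterLog -Destination $Destination

foreach ($log in $logs) {
    # Assumed severity markers in cluster.log lines: ERR and WARN
    $hits = @(Select-String -Path $log.FullName -Pattern '\s(ERR|WARN)\s')
    "{0}: {1} ERR/WARN lines" -f $log.Name, $hits.Count
    $hits | Select-Object -Last 20 | ForEach-Object { $_.Line }
}
```

Run it from the Windows PowerShell Modules console on a cluster node, as Administrator.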
