27 Feb 2010
Relocating events to a separate event log
I am currently working on an Exchange migration project. We ran into the following issue: the migration product creates a lot of EXCDO events in the application log. Under certain conditions the application log is flooded with EXCDO events; for example, we once had 19,850 events in total, and 18,500 of them were from EXCDO.
This makes the application log useless. There are so many EXCDO events that you are very likely to overlook an important event.
The information we received from product support was not helpful. The first proposed “solution” was to use a filter and hide the EXCDO events. However, there is no negative filter that allows you to show everything besides EXCDO events. The second proposed “solution” was to define a system environment variable EXCDO_EVENTLOGDISABLED=1. However, this also did not help.
After reading the interesting article “Making Sense of NT Events”, written by James D Murray, I came up with a workaround:
- Export the registry key HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\EXCDO
- Delete the registry key HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\EXCDO and all subkeys
- Change the string Application in the registry file to the string Migration
- Import the modified registry file
- Reboot
Now the EXCDO events are written to a separate log called Migration and do not flood the application log.
Figure 1: EXCDO events relocated to the Migration log
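The five steps above as a PowerShell script, added here as an example and not part of the original post. It assumes an elevated session; the file names under %TEMP% are hypothetical, and the rewrite is restricted to key-path lines so that any value data that happens to contain the word Application is left alone.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
$eventlog = 'HKLM\SYSTEM\CurrentControlSet\Services\Eventlog'
$oldKey   = "$eventlog\Application\EXCDO"
$newLog   = 'Migration'                                   # log name used in the post
$backup   = Join-Path $env:TEMP 'EXCDO-Application.reg'   # hypothetical name; untouched export
$modified = Join-Path $env:TEMP 'EXCDO-Migration.reg'     # hypothetical name; rewritten copy

# Step 1: export the event source registration.
reg.exe export $oldKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export of $oldKey failed; nothing was changed." }

# Step 3 of the post, done before the delete: rewrite only the
# "[HKEY_LOCAL_MACHINE\...]" key-path lines (case-insensitive match).
$pattern = [regex]::Escape('\Eventlog\Application\EXCDO')
$changed = 0
$lines = foreach ($line in Get-Content -Path $backup -ErrorAction Stop) {
    if ($line -match '^\[' -and $line -match $pattern) {
        $changed++
        $line -replace $pattern, "\Eventlog\$newLog\EXCDO"
    } else {
        $line
    }
}
if ($changed -eq 0) { throw 'No key path was rewritten; the original key was not deleted.' }

# reg.exe exports UTF-16LE, so write the modified file in the same encoding.
Set-Content -Path $modified -Value $lines -Encoding Unicode -ErrorAction Stop

# Step 2: delete the original key and all subkeys.
reg.exe delete $oldKey /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Delete of $oldKey failed; nothing was imported." }

# Step 4: import the modified file, which creates ...\Eventlog\Migration\EXCDO.
reg.exe import $modified
if ($LASTEXITCODE -ne 0) { throw "Import failed. Restore with: reg import `"$backup`"" }

# Step 5: reboot, as in the post (prompts before restarting).
Restart-Computer -Confirm
```

The untouched export in $backup restores the original registration with reg import if the change has to be rolled back. Log collection or alerting that looked for EXCDO events in the Application log has to read the Migration log afterwards.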