IBM Support

IC88728: "RESTORE SYSTEMSTATE EVENTLOGS" DOES NOT RESTORE THE WINDOWS EVENT LOGS.


APAR status

  • Closed as fixed if next.

Error description

  • Beginning with Windows Vista, event logs are no longer treated
    as part of System State. Current Tivoli Storage Manager behavior
    for backing up event logs on Vista and higher:
    - Windows event logs are usually located in
    %SystemRoot%\System32\winevt\Logs. The log file names have
    extension ".evtx".
    - If the log files appear to be changed, they are backed up
    during incremental backup of the boot drive, where %SystemRoot%
    is located (usually C:). However, ongoing changes to the log
    files might not be flushed to disk, possibly until the next time
    the operating system is restarted. As a result, the incremental
    backup process does not always capture the current event log
    file data.
    - After applying the fix for APAR IC70631
    (http://www.ibm.com/support/docview.wss?uid=swg1IC70631), the
    log files are always backed up as part of system state,
    regardless of whether they appear to have changed. Prior to this
    fix, the backup-archive client would only back up the event log
    files as described above.
    - The documentation for the RESTORE SYSTEMSTATE command
    indicates that system state components such as EVENTLOG (among
    others) can be restored. However, on Windows Vista and later
    operating systems, you cannot restore EVENTLOG (or most other
    individual system state) components with the RESTORE SYSTEMSTATE
    command.
    - Event log files can only be restored with special
    backup-archive client command line syntax.
    Issues with this behavior:
    - Restoring event log files is non-trivial. Special
    backup-archive client command line syntax is needed (see
    LOCAL FIX). The log files cannot be restored from the
    backup-archive client GUI.
    - Although the log files can be backed up as part of the boot
    drive backup, the latest version is not always backed up for the
    reasons described above. Therefore it might not be possible to
    restore the desired backup version from the boot drive file
    space.
    - The documentation for RESTORE SYSTEMSTATE needs to be updated
    to accurately reflect correct usage.
    Expected behavior:
    - The log files should be backed up as part of the %SystemRoot%
    drive or as part of system state backup, but not both. Since the
    log files are no longer part of the system state, it would be
    preferable to back them up only as part of the %SystemRoot%
    drive backup. In this case, the backup-archive client should
    always back up the event log files, without regard to whether
    the files appear to have changed.
    - If the log files are to continue to be backed up as part of
    system state, then they should be excluded from the %SystemRoot%
    drive. In this case, an easier method for restoring these files
    is needed.
    Initial Impact: Medium
    Platform Affected: Windows Vista and higher. Does not affect
    Windows 2003 or XP
    

Local fix

  • Use the command line client to restore the Windows event logs:

    dsmc restore "{machine_name\SystemState\NULL\System State\SystemState}\*.evtx" x:\targetdir\ -pick -su=yes

    Note:
    "x:\targetdir\" specifies the target drive and directory for the
    restored files. Do not try to restore the event log files to
    their original location on a live Windows system.
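
    Because the backed-up version of a log is not always the latest one, it helps to check what time window each restored file covers before relying on it. The following PowerShell sketch is an added example, not part of the APAR or of IBM's tooling; the target directory, the backup time parameter and the function name Get-EvtxCoverage are assumptions for illustration.

```powershell
# Added example (not IBM code): summarise restored .evtx files so you can see
# which time window each restored version actually covers.
param(
    # Assumption: the directory that was given to dsmc as the restore target.
    [string]$TargetDir = 'X:\targetdir',
    # Assumption: when the restored backup version was taken.
    [datetime]$BackupTime = (Get-Date)
)

function Get-EvtxCoverage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][datetime]$BackupTime
    )
    $newest = $null
    $oldest = $null
    $status = 'ok'
    try {
        # Get-WinEvent returns the newest record first; -Oldest reverses that.
        $newest = Get-WinEvent -Path $Path -MaxEvents 1 -ErrorAction Stop
        $oldest = Get-WinEvent -Path $Path -MaxEvents 1 -Oldest -ErrorAction Stop
    } catch {
        # Empty or unreadable log: record the reason and keep going.
        $status = $_.Exception.Message
    }
    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf
        SizeKB      = [math]::Round((Get-Item -LiteralPath $Path).Length / 1KB)
        OldestEvent = if ($oldest) { $oldest.TimeCreated } else { $null }
        NewestEvent = if ($newest) { $newest.TimeCreated } else { $null }
        # Hours between the last record in the file and the backup time.
        # A large gap suggests the log had not been flushed to disk.
        GapHours    = if ($newest) {
                          [math]::Round(($BackupTime - $newest.TimeCreated).TotalHours, 1)
                      } else { $null }
        # Hash of the restored copy, for later integrity comparison.
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Status      = $status
    }
}

Get-ChildItem -LiteralPath $TargetDir -Filter '*.evtx' -File |
    ForEach-Object { Get-EvtxCoverage -Path $_.FullName -BackupTime $BackupTime } |
    Sort-Object -Property GapHours -Descending |
    Format-Table -Property File, SizeKB, OldestEvent, NewestEvent, GapHours, Status -AutoSize
```

    The script only reads the restored copies in the target directory; it does not touch the live logs under %SystemRoot%\System32\winevt\Logs.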
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Backup/Archive client version 6.2 to         *
    *                 version 6.4.                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: See ERROR DESCRIPTION.                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    *
    

Problem conclusion

Temporary fix

Comments

  • If there is a next release of Tivoli Storage Manager after
    6.4, this APAR will be fixed in that next release.
    

APAR Information

  • APAR number

    IC88728

  • Reported component name

    TSM CLIENT

  • Reported component ID

    5698ISMCL

  • Reported release

    62W

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-29

  • Closed date

    2013-06-10

  • Last modified date

    2013-06-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • DSMC
    

Fix information

Applicable component levels

  • R62W PSN

       UP

  • R63W PSN

       UP

  • R64W PSN

       UP


Document Information

Modified date:
22 September 2021