Posey's Tips & Tricks
Where To Go For Hyper-V Troubleshooting Information
Navigate the maze of Windows Event Logs to efficiently troubleshoot common Hyper-V issues.
When an unexpected problem occurs in a Windows environment, the first step in resolving that problem is usually to gather information. After all, you need to know what happened before you can fix it. That's where the Windows Event Logs come into play. The Windows Event Logs contain detailed information about practically anything that might be going on with the Windows operating system and its subcomponents.
As helpful as the event logs might be, locating the information within the event logs can sometimes be a trek. Over time, the Windows operating system has become more complicated, and so too has the event log structure. That being the case, I wanted to take the opportunity to show you where to find troubleshooting information related to some of the more common types of problems that you may encounter with Hyper-V.
At one time, Windows only had a few event logs including the Application, Security, Setup, System and Forwarded Events logs. Today, these logs still exist, but they are considered to be the "classic event logs." You can find them in the Windows Logs folder in the Windows Event Viewer.
The classic event logs exist primarily for backward compatibility purposes. The vast majority of Windows Server's logging data exists under the Applications and Services Logs folder. This includes the Hyper-V logging data, which you can access by navigating through the Event Viewer tree to Applications and Services Logs > Microsoft > Windows. This folder contains a huge number of logs related to various aspects of the Windows operating system -- including Hyper-V. The thing that tends to make locating Hyper-V logging data tricky is that there are roughly a dozen different Hyper-V logs. It is worth noting that not all of these logs exist on every Hyper-V host. Logs only exist for the Hyper-V features that are currently installed. If, for example, your Hyper-V host is not set up for high availability, then the Hyper-V-High-Availability log will not be shown.
Before I begin discussing these Hyper-V logging categories, it is worth noting that most of the logging categories contain two types of logs: admin and operational logs. There are also analytic and debug logs, but these are hidden by default and are beyond the scope of this discussion.
Admin logs typically contain events related to actions that were initiated by a user, an administrator or an application. Operational logs, on the other hand, contain information on events that impact the operating system and its configuration. An example that I have heard used on various occasions is that if a user has trouble connecting to a printer, it is an admin event. If the printer is completely removed, that's an operational event. In all honesty though, Hyper-V does not always adhere to this structure in a perfect manner. I have occasionally seen admin events that I thought should have been classified as operational, or the other way around. Some Hyper-V logging categories also contain further logs, such as logs dedicated to networking or storage.
So now that I have talked about the basic log structure, let's examine the types of events that you might expect to find in the various Hyper-V logs.
The first log that you should be aware of is the Hyper-V-Compute log. This log contains low-level information about what is going on with Hyper-V. The Admin log, for example, contains entries detailing the running of the Host Compute Service. Most of the events in the Operational log are somewhat cryptic, but this log does include entries pertaining to the creation of new virtual machines. Incidentally, if you are having low-level problems with Hyper-V not starting or running properly, then you might also look at the events in the Hyper-V-Hypervisor log. The entries in this log can be useful in situations where the Host Compute Service is running, but Hyper-V just isn't working right.
Another log that can be useful is the Hyper-V-Config log. My experience has been that the Hyper-V-Config log is usually empty. However, if you have problems with virtual machine configuration files going missing or becoming corrupted, then the details should appear in the Hyper-V-Config log.
Some of the Hyper-V event logs pertain to specific hardware resources that can be assigned to virtual machines. The Hyper-V-StorageVSP log, for instance, contains events related to storage operations. Similarly, the Hyper-V-VMSwitch log contains events related to virtual networking, and the Hyper-V-VID log pertains to memory assignments and dynamic memory allocations.
When it comes to troubleshooting Hyper-V, the most useful logging data tends to be found in the Hyper-V-VMMS log. This is where you would go to find information pertaining to the virtual machine replication process, remote access to virtual machines via server authentication certificates, server shutdowns that impacted virtual machines, failure to connect to virtual hard disk files, and more. To put it another way, if you are having problems with Hyper-V or with a virtual machine and you don't know which log file to check, start your troubleshooting efforts in the Hyper-V-VMMS log.
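The same triage can be done from PowerShell instead of the Event Viewer tree. The following is an added example, not part of the original article: it lists the Hyper-V admin and operational logs that actually exist on the host, then pulls recent warnings and errors with the Hyper-V-VMMS logs first. It assumes an elevated session on the Hyper-V host; the 24-hour window and the 20-event cap per log are arbitrary illustrative choices.

```powershell
# Added example: run in an elevated PowerShell session on the Hyper-V host.
# Assumptions: 24-hour look-back and 20 events per log are illustrative values.
$since = (Get-Date).AddHours(-24)

# 1. Enumerate the Hyper-V logs present on this host. Logs only exist for
#    installed features, so the wildcard avoids hard-coding a fixed list.
#    Analytic and debug logs are skipped (they are hidden by default).
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-Hyper-V-*' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.IsEnabled -and ([string]$_.LogType -in 'Administrative', 'Operational')
    }

if (-not $channels) {
    Write-Warning 'No Hyper-V admin or operational logs found. Is the Hyper-V role installed?'
    return
}

$channels |
    Sort-Object LogName |
    Format-Table LogName, LogType, RecordCount, LastWriteTime -AutoSize

# 2. Order the logs so the VMMS logs are queried first, then the rest by name.
#    ($false sorts before $true, so names matching '*-VMMS-*' come first.)
$ordered = $channels |
    Sort-Object @{ Expression = { $_.LogName -notlike '*-VMMS-*' } }, LogName

# 3. Collect Critical (1), Error (2) and Warning (3) events from each log.
#    Get-WinEvent raises an error when a log has no matching events, so that
#    case is suppressed rather than treated as a failure.
$events = foreach ($channel in $ordered) {
    $filter = @{
        LogName   = $channel.LogName
        Level     = 1, 2, 3
        StartTime = $since
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
}

# 4. Show one line per event; only the first line of each message is kept.
$events |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

An empty result for a given log means only that nothing at warning level or above was recorded in the window; widen `$since` or drop the `Level` key to see informational events as well.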
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.