Looking at the Hyper-V Event Log

Hyper-V logs a lot of useful information if you need to diagnose a problem, so I thought I would put together a little post explaining where you should be looking.  The first thing to know is that all Hyper-V event logs are stored in the Event Viewer under “Applications and Services Logs”, “Microsoft”, “Windows”:


 eventlog


There are then 10 categories for you to look at:




  • Hyper-V-Config:
    This section is for anything that relates to virtual machine configuration files.  If you have a missing or corrupt virtual machine configuration file – there will be entries here that tell you all about it.


  • Hyper-V-High-Availability:
    This section tells you about actions and changes that happen because of Hyper-V clustering.


  • Hyper-V-Hypervisor:
    This section is used for hypervisor specific events.  You will usually only need to look here if the hypervisor fails to start – then you can get detailed information here.


  • Hyper-V-Image-Management-Service:
    This section is used by the image management service to log information about virtual hard disk operations – like creating, converting and editing virtual hard disks.  If you have problems creating or editing a virtual hard disk – look here.


  • Hyper-V-Integration:
    This section is used to log events that relate specifically to integration services.


  • Hyper-V-Network:
    This section is used for events relating to virtual networks.  You will see information about the creation and configuration of virtual networks here (as opposed to virtual network adapters).


  • Hyper-V-SynthNic:
    This is the section where information about virtual network adapters.  You will see entries in here each time a virtual machine with virtual network adapters powers up.  You will also see entries here if a virtual machine fails to power on because of a configuration issue with its network adapters.


  • Hyper-V-SynthStor:
    This section is to do with virtual hard disks that are associated with running virtual machines (it is the storage equivalent of the SynthNic section).


  • Hyper-V-VMMS:
    This section is where the virtual machine management services files its events.


  • Hyper-V-Worker:
    This section is used by the worker process that is used for the actual running of the virtual machine.

Now – two pointers to keep in mind while looking at the Hyper-V event logs:




  • If you do not know where to start, start with Hyper-V-VMMS.  As the central management service it usually has something to say about everything.


  • Learn to follow the trail of event logs.  If a virtual machine fails to start because of a storage issue there will usually be events logged in the VMMS, Worker and SynthStor sections – and reading all of the events can usually provide better insight into the problem than just reading some of them.

Cheers,
Ben