First published on TECHNET on Jan 23, 2018
Hyper-V has changed over the last few years and so has our event log structure. With that in mind, here is an update of
Ben's original post in 2009
(“Looking at the Hyper-V Event Log”).
This post gives a short overview on the different Windows event log channels that Hyper-V uses. It can be used as a reference to better understand which event channels might be relevant for different purposes.
As a general guidance you should
start with the Hyper-V-VMMS and Hyper-V-Worker
event channels when analyzing a failure. For migration-related events it makes sense to look at the event logs both on the source and destination node.
Below are the current event log channels for Hyper-V. Using “Event Viewer” you can find them under “Applications and Services Logs”, “Microsoft”, “Windows”.
If you would like to collect events from these channels and consolidate them into a single file, we've published a
HyperVLogs PowerShell module
Events from the
Host Compute Service (HCS)
are collected here. The HCS is a low-level management API.
|This section is for anything that relates to virtual machine configuration files. If you have a missing or corrupt virtual machine configuration file – there will be entries here that tell you all about it.
|Look at this section if you are experiencing issues with VM integration components.
|Hyper-V clustering-related events are collected in this section.
|This section is used for hypervisor specific events. You will usually only need to look here if the hypervisor fails to start – then you can get detailed information here.
|Events from the Storage Virtualization Service Provider. Typically you would look at these when you want to debug low-level storage operations for a virtual machine.
|These are events form the Virtualization Infrastructure Driver. Look here if you experience issues with memory assignment, e.g. dynamic memory, or changing static memory while the VM is running.
|Events from the virtual machine management service can be found here. When VMs are not starting properly, or VM migrations fail, this would be a good source to start investigating.
|These channels contain events from the virtual network switches.
|This section contains events from the worker process that is used for the actual running of the virtual machine. You will see events related to startup and shutdown of the VM here.
|Events specific to virtual hard disks that can be shared between several virtual machines. If you are using shared VHDs this event channel can provide more detail in case of a failure.
|The VM security process (VMSP) is used to provide secured virtual devices like the virtual TPM module to the VM.
|Events form the Virtual Filtering Platform (VFP) which is part of the Software Defined Networking Stack.
|Events from operations on virtual hard disk files (e.g. creation, merging) go here.
Please note: some of these only contain analytic/debug logs that need to be enabled separately and not all channels exist on Windows client. To enable the analytic/debug logs, you can use the
HyperVLogs PowerShell module