I work for the data center of a bank that deals with highly confidential customer data. We've configured extensive auditing options on all our Windows NT 4.0 file servers and use Computer Associates' (CA's) Unicenter TNG to collect the logging data in a central repository. We've noticed that the extensive auditing affects the performance of some of our file servers. Currently, the Event Viewer log files are stored on the system drive, but we're considering moving these files to another drive. How can we change the location of the log files in NT 4.0?
In NT 4.0, you can edit the registry to change the location of the log files. When you open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog registry subkey, you'll notice a subkey for each of the three Event Viewer categories: Application, Security, and System. Each of these subkeys contains a value called File that holds the file-system path of that Event Viewer log file. To change the location of the Security log file, for example, change the File value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security subkey. Changes to these settings become effective only after a system reboot.
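A check to run after making the change, as an added example that is not part of the original column: it parses a REGEDIT4 text export of the Eventlog key and lists the logs whose File value still resolves to the system drive. The system root `C:\WINNT`, the sample paths, and the function names are assumptions for illustration; the parser accepts File as either a quoted string or a `hex(2)` (expandable string) entry.

```python
import re
EVENTLOG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog"

def _hex2(s):
    """Encode a string as a REGEDIT4 hex(2) value: ANSI bytes plus a NUL."""
    return "hex(2):" + ",".join("%02x" % b for b in s.encode("latin-1") + b"\0")

# Constructed sample export: Security already moved to E:, the others not.
SAMPLE_EXPORT = "REGEDIT4\n\n" + "".join(
    '[%s\\%s]\n"File"=%s\n\n' % (EVENTLOG_KEY, log, _hex2(path))
    for log, path in [
        ("Application", r"%SystemRoot%\system32\config\AppEvent.Evt"),
        ("Security", r"E:\EventLogs\SecEvent.Evt"),
        ("System", r"%SystemRoot%\system32\config\SysEvent.Evt"),
    ])

def log_files(export_text):
    """Map each log subkey (Application, Security, System) to its File value."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join wrapped hex lines
    prefix, found, log = EVENTLOG_KEY.lower() + "\\", {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            name = key.group(1)
            rest = name[len(prefix):] if name.lower().startswith(prefix) else ""
            log = rest if rest and "\\" not in rest else None  # skip deeper subkeys
            continue
        value = re.fullmatch(r'"File"=(.+)', line, re.I)
        if not (log and value):
            continue
        raw = value.group(1)
        if raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            found[log] = data.rstrip(b"\0").decode("latin-1")
        else:  # plain string: quoted, with backslashes doubled
            found[log] = raw.strip('"').replace("\\\\", "\\")
    return found

def still_on_system_drive(export_text, system_root=r"C:\WINNT"):
    """Return the logs whose File path resolves to the drive holding system_root."""
    flagged = []
    for log, path in log_files(export_text).items():
        expanded = re.sub("%SystemRoot%", lambda _: system_root, path, flags=re.I)
        if expanded[:2].lower() == system_root[:2].lower():
            flagged.append(log)
    return sorted(flagged)

if __name__ == "__main__":
    print(still_on_system_drive(SAMPLE_EXPORT))
```

Because the new File value takes effect only after a reboot, an export taken before the restart shows the configured path, not the file the Event Log service currently has open.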