Generating and reading cluster logs

NOTE: this post was originally from 2010, it was updated for win2012 in august 2013.

If you want to read the cluster log on Windows 2008/2012 failover clusters, you have to generate it first. This log is considered sort of a debug level log, so it is not written to disk in a readable format by default. The log is however stored on disk as a circular .etl file, and it can be written out to a readable cluster.log file on demand. There are two ways you can create this file, by using cluster.exe or by PowerShell. Windows 2008/2008R2 supports both, while Windows 2003 is so old that it only supports the .log text file format and thus creates a readable log by default. Windows 2012 on the other hand considers cluster.exe to be too “old-school”, so it supports PowerShell only.

Be aware that readable might be an undeserving description of the cluster.log file. It is not for the faint of heart, and it should NOT be your first entry point when troubleshooting cluster issues. I usually access it only as a last resort when all else fails, or when I try to decipher why the cluster had issues AFTER I have solved the problem at hand.

The ways of cluster.exe

cluster log /g

The winding road of PowerShell

Import-Module FailoverClusters
Get-ClusterLog

You can skip the first line on Win2012.

image

Output

Running this command can take a while, especially if someone has changed the default etl settings. The default .etl size is 100MiB on 2008 and 300MiB on 2012. To check the size of the .etl file, use cluster.exe /prop or PowerShell:

<p>Get-Cluster |select ClusterLogSize</p>

image

The cluster.log file is created/updated in %WINDiR%\cluster\reports on all online cluster nodes, and should contain entries from the last 3 boots, providing the size limit for the .etl file has not been reached. For more information about the etl tracing, see http://blogs.technet.com/b/askcore/archive/2010/04/13/understanding-the-cluster-debug-log-in-2008.aspx. Be aware that the log is local to the node it is generated on.

If you want to learn how to interpret the logs, http://technet.microsoft.com/nb-no/library/cc961673(en-us).aspx is a good start. This is old information, but most of it is still valid.

Print This Post Print This Post

Tags:

Leave a Reply

%d bloggers like this: