How to enable Event logging for Offline Files (Client Side Caching) in Windows Vista

Ravi here from the Directory Services team. I thought I would share some information on how to enable event logging for Offline Files (Client Side Caching) in Windows Vista.

Offline Files Changes in Windows Vista

Offline Files has been completely redesigned for Windows Vista, offering new features, which include:

•    Better defined modes of operation
•    Seamless offline to online transitions
•    Optimized file synchronization
•    Improved slow-link mode
•    Consistent namespaces
•    Cache size management
•    Per-user encryption
•    Scriptable API support

For more information, refer to the article below.
What's New in Offline Files for Windows Vista

There are certain changes in Group Policies for Offline Files in Vista.
All the Group Policy settings for Offline Files can be found through two paths:

Computer Configuration\Administrative Templates\Network\Offline Files
User Configuration\Administrative Templates\Network\Offline Files

Along with some other policy changes, the “Event Logging Level” setting has also changed: there is no Group Policy setting for enabling advanced event logging.

Note: A Windows XP-based computer needs this policy set to a value of 3, which results in verbose events being written to the System event log.

Event Logging in Windows Vista

Event logging is not something an end user would have to care about, but it may be necessary when troubleshooting problems with Offline Files. Event logging itself has also changed considerably in Windows Vista.

The Event Viewer includes a new category of event logs, “Applications and Services Logs”, in addition to the native “Windows Logs”. These logs store events from a single application or component.

This category of logs includes four subtypes: Admin, Operational, Analytic, and Debug logs. Events in Admin logs are of particular interest to IT Professionals using the Event Viewer to troubleshoot problems. Events in the Admin log should provide you with guidance about how to respond to them. Events in the Operational log are also useful for IT Professionals, but they are likely to require more interpretation.

The following instructions enable logging for the “OfflineFiles” subsystem.

“Operational” event logging for Offline Files is disabled by default. The steps below enable it.

  • To enable the "Operational" log by using the Windows interface
  1. Start Event Viewer (Eventvwr.msc).
  2. In the console tree, navigate to and select "Applications and Services Logs". Select "Microsoft". Select and expand "Windows".
  3. Select "OfflineFiles" from the list. Select the log "Operational".
  4. On the "Actions" menu, click "Enable Log".
  • To enable the "Operational" log by using a command line
  1. Open a command prompt in Run as Administrator mode.
  2. Type the following text:

    wevtutil sl Microsoft-Windows-OfflineFiles/Operational /e:true

Note: To list the available log names, type wevtutil el

How to turn on advanced logging

The “Operational” log only records informational events. Advanced logging can be enabled by following the steps below.

  • Enable Analytic and Debug Logs

    Ensure that Analytic and Debug logs are visible.

  • To show or hide analytic and debug logs

  1. Start Event Viewer.
  2. Select "Applications and Services Logs". Click the View menu.
    If Show Analytic and Debug Logs is selected, Analytic and Debug logs are already visible. 
    No further action is required. If Show Analytic and Debug Logs is not selected, select Show Analytic and Debug Logs to make these logs visible. 
    Note that a check mark should appear to the left of the menu option.
  • To enable Analytic and Debug logs by using the Windows interface
  1. Start Event Viewer.
  2. In the console tree, navigate to "OfflineFiles" below "Applications and Services Logs" and select the Analytic, Debug, or SyncLog log you want to enable.
  3. On the “Actions” menu, click "Enable Log".
  • To enable Analytic and Debug logs by using a command line
  1. Open a command prompt in Run as Administrator mode.

  2. Type the following text:

    wevtutil sl Microsoft-Windows-OfflineFiles/Analytic /e:true
    wevtutil sl Microsoft-Windows-OfflineFiles/Debug /e:true
    wevtutil sl Microsoft-Windows-OfflineFiles/SyncLog /e:true

Sample Events:

Log Name: Microsoft-Windows-OfflineFiles/Operational
Source: Microsoft-Windows-OfflineFiles
Date: 2/9/2009 8:34:16 PM
Event ID: 9
Task Category: None
Level: Information
Keywords: Online/offline transitions
User: SYSTEM
Computer: machine1.contoso.com
Description:
Path disconnected.
\\server\Public\Tools

Log Name: Microsoft-Windows-OfflineFiles/Operational
Source: Microsoft-Windows-OfflineFiles
Date: 2/9/2009 8:35:54 PM
Event ID: 10
Task Category: None
Level: Information
Keywords: Online/offline transitions
User: SYSTEM
Computer: machine1.contoso.com
Description:
Path reconnected.
\\server\Public\Tools

The above events are written when a network share that is set to be “available offline” is disconnected and reconnected.

Log Name: Microsoft-Windows-OfflineFiles/SyncLog
Source: Microsoft-Windows-OfflineFiles
Date: 2/6/2009 3:31:46 AM
Event ID: 2002
Task Category: None
Level: Information
Keywords:
User: CONTOSO\user1
Computer: machine1.contoso.com
Description:
Sync info for \\server\Public\Tools
Both client and server copies exist.
DirChangedOnServer

Log Name: Microsoft-Windows-OfflineFiles/SyncLog
Source: Microsoft-Windows-OfflineFiles
Date: 2/9/2009 8:53:16 PM
Event ID: 2002
Task Category: None
Level: Information
Keywords:
User: CONTOSO\user1
Computer: machine1.contoso.com
Description:
Sync info for \\server\Public
Both client and server copies exist.
Stable

The above events indicate that a sync action was performed.

Log Name: Microsoft-Windows-OfflineFiles/SyncLog
Source: Microsoft-Windows-OfflineFiles
Date: 2/9/2009 8:29:56 PM
Event ID: 2005
Task Category: None
Level: Information
Keywords:
User: CONTOSO\user1
Computer: machine1.contoso.com
Description:
Sync succeeded.
\\adportal\Public
Operation: Encrypt or unencrypt directory tree in cache

The above event is written when the offline cache is either encrypted or decrypted.

Considerations when advanced logging is enabled
When enabled, Analytic and Debug logs can quickly fill with a large number of entries. For this reason, you will probably want to turn them on for a specified period to gather some troubleshooting data and then turn them off again. You can perform this procedure by using either the Windows interface or a command line.
Note that the procedure documented here can also be implemented for other Applications or Services.
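
A time-boxed capture along the lines described above, as an added example that is not part of the original post. It uses the wevtutil sl and gl subcommands with the channel names shown earlier; the script parameter, its default value, and the helper function name are assumptions made for illustration.

```powershell
# Added example: enable the Offline Files advanced logs for a fixed window,
# then disable them again. Run from an elevated PowerShell session.
param(
    [int]$Minutes = 10    # capture window in minutes (assumed default)
)

# Channel names as used in the wevtutil commands on this page.
$channels = 'Microsoft-Windows-OfflineFiles/Analytic',
            'Microsoft-Windows-OfflineFiles/Debug',
            'Microsoft-Windows-OfflineFiles/SyncLog'

function Get-ChannelConfig([string]$Name) {
    # "wevtutil gl" prints "key: value" lines such as "enabled: true".
    $cfg = @{}
    foreach ($line in (wevtutil gl $Name)) {
        if ($line -match '^\s*(\w+):\s*(.+)$') { $cfg[$Matches[1]] = $Matches[2].Trim() }
    }
    return $cfg
}

$enabledHere = @()
try {
    foreach ($c in $channels) {
        if ((Get-ChannelConfig $c)['enabled'] -ne 'true') {
            # /q:true suppresses the prompt about clearing the log on enable.
            wevtutil sl $c /e:true /q:true
            if ($LASTEXITCODE -ne 0) { throw "Could not enable $c" }
            $enabledHere += $c
        }
    }
    Write-Host "Logging for $Minutes minute(s). Reproduce the problem now."
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # Turn off only what this script turned on, even after Ctrl+C or an error.
    foreach ($c in $enabledHere) { wevtutil sl $c /e:false }
}

# Report the final state and where each log file lives on disk.
foreach ($c in $channels) {
    $cfg = Get-ChannelConfig $c
    New-Object PSObject -Property @{
        Channel = $c; Enabled = $cfg['enabled']; LogFile = $cfg['logFileName']
    }
}
```

Channels that were already enabled before the script ran are left as they were, so an existing troubleshooting session is not interrupted.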

Changes to Offline Files in Windows Vista
Event Logging in Windows Vista

-    Ravi Bakamwar