Troubleshooting Hyper-V with Event Logs

One of the various concerns of a Hyper-V administrator is troubleshooting the Hyper-V environment when problems arise. Common troubleshooting for Hyper-V environments may involve investigating issues around attached storage, networking issues, or perhaps performance issues that may exist in the environment. Whatever the issue may be, Hyper-V administrators must utilize troubleshooting tools available to be able to identify the issue or at least start looking in the right direction for the cause of the issue.

One of the powerful troubleshooting tools at the disposal of the Hyper-V administrator is the Hyper-V event log.

• How can the Hyper-V event log be used in troubleshooting a Hyper-V environment?
• What information is contained in the event logs for Hyper-V?

Let’s take a look at troubleshooting Hyper-V with event log and see how this troubleshooting tool can be effectively used for identifying issues.

Table of Contents

1. Troubleshooting Hyper-V with Event Logs
2. Log file groupings
   • Hyper-V-Compute
   • Hyper-V-Config
   • Hyper-V-Guest-Drivers
   • Hyper-V-High-Availability
   • Hyper-V-Hypervisor
   • Hyper-V-Shared-VHDX
   • Hyper-V-StorageVSP
   • Hyper-V-VID
   • Hyper-V-VMMS
   • Hyper-V-VmSwitch
   • Hyper-V-Worker
3. Taking Hyper-V Troubleshooting with Event Viewer Further
4. Download the PowerShell module and import it
5. Reproduce the Issue and Capture the Logs
6. System Center Virtual Machine Manager Logging
7. Concluding Thoughts

Troubleshooting Hyper-V with Event Logs

The event logs in Windows Server has typically not received the most welcomed reaction from administrators. Typically, most administrators do not like scouring through log entries trying to find the source of the issue. However, with Windows Server hosting Hyper-V, Microsoft has done a much better job of specifically capturing Hyper-V events and organizing the Hyper-V specific logs in such a way that they make sense and are much more intuitive.

Log file groupings

There are (11) different log files that are used to capture Hyper-V information in typical event viewer fashion, albeit in a much more useful manner. Windows Server 2016 contains the following log file groupings to help with troubleshooting Hyper-V environments:

• Hyper-V-Compute – Captures information regarding the container management API known as the Host Compute Service (HCS) and serves as a low-level management API
• Hyper-V-Config – Captures events related to the virtual machine configuration files. Errors that involve virtual machine configuration files either missing, corrupt, or otherwise inaccessible will be logged here
• Hyper-V-Guest-Drivers – Log file that contains information regarding the Hyper-V integration services components and provides valuable information in regards to troubleshooting issues with the integration components
• Hyper-V-High-Availability – Events related to Hyper-V Windows Server Failover Clusters
• Hyper-V-Hypervisor – Events related to the Hyper-V hypervisor itself. If Hyper-V fails to start, look here. Also, informational messages such as Hyper-V partitions created or deleted will be logged here
• Hyper-V-Shared-VHDX – Information specific to shared VHDX virtual disks between virtual machines are found in this log
• Hyper-V-StorageVSP – Captures information regarding the Storage Virtualization Service Provider. This contains low-level troubleshooting information for virtual machine storage
• Hyper-V-VID – Logs events from the Virtualization Infrastructure Driver regarding memory assignment, dynamic memory, or changing static memory with a running virtual machine
• Hyper-V-VMMS – Virtual Machine Management Service events which are valuable in troubleshooting a virtual machine that won’t start or a failed Live Migration operation
• Hyper-V-VmSwitch – Contains events from the virtual network switches
• Hyper-V-Worker – the log that captures Hyper-V worker process information which is responsible for the actual running of the virtual machine

To find the various Hyper-V specific events logs in the Windows Event Viewer, navigate to Windows Logs >> Applications and Services Logs >> Microsoft >> Windows

Taking Hyper-V Troubleshooting with Event Viewer Further

Even though Microsoft has organized the event viewer groups into fairly logical and intuitive channels, some may desire to take the event viewer a step further in the direction of consolidating all the logs into a single view for more easily piecing together issues or troubleshooting an underlying problem.

Switching between the different logs may be a bit cumbersome, especially if more than one Hyper-V component is at play in the issue or various parts of the overall problem picture are found in different logs. There is a GitHub PowerShell module that can be downloaded that allows enabling all the important Windows event channels into a single evtx file to help with troubleshooting.

There are a couple of steps to take advantage of the PowerShell module from GitHub. First, you need to download and import the PowerShell module, then you reproduce the issue which should capture the relevant information in the logs.

Below is a synopsis of the steps found here: https://blogs.technet.microsoft.com/virtualization/2017/10/27/a-great-way-to-collect-logs-for-troubleshooting/

Download the PowerShell module and import it

# Download the current module from GitHub

Invoke-WebRequest “https://github.com/MicrosoftDocs/Virtualization-Documentation/raw/live/hyperv-tools/HyperVLogs/HyperVLogs.psm1” -OutFile “HyperVLogs.psm1”

# Import the module

Import-Module .\HyperVLogs.psm1

Reproduce the Issue and Capture the Logs

# Enable Hyper-V event channels to assist in troubleshooting

Enable-EventChannels -HyperVChannels VMMS, Config, Worker, Compute, VID

# Capture the current time to a variable

$startTime = [System.DateTime]::Now

# Reproduce the issue here

# Write events that happened after “startTime” for the defined channels to a named directory

Save-EventChannels -HyperVChannels VMMS, Config, Worker, Compute, VID -StartTime $startTime

# Disable the analytical and operational logs — by default admin logs are left enabled

Disable-EventChannels -HyperVChannels VMMS, Config, Worker, Compute, VID

System Center Virtual Machine Manager Logging

System Center Virtual Machine Manager or SCVMM provides a powerful interface to managing and troubleshooting Hyper-V environments. In the Hyper-V world, SCVMM provides a “vCenter-like” experience with centralized management of your hosts and clusters.

When using System Center Virtual Machine Manager with the central point of management for Hyper-V, administrators have the ability to have a single pane of glass look at multiple Hyper-V hosts.

Particularly, the Jobs view in System Center Virtual Machine Manager provides a view of all actions in the Hyper-V environment. Taking it a step further, the Details tab of the Jobs view provides a step-by-step overview of the action and any sub-component part of a task that failed.

Below, a failure to create virtual machine task shows the status of Failed. What caused the job to fail? The Details view allows digging further.

On the Details tab, System Center Virtual Machine Manager provides a detailed step-by-step overview of all the steps involved in the particular task executed in SCVMM. Note, below, how SCVMM enumerates the individual steps and shows the exact point the task presented with a failure – “change properties of virtual machine”. This is extremely helpful when you are looking to detail exactly what is causing a global task to fail.

Concluding Thoughts

Troubleshooting Windows Server Hyper-V environments can be intimidating at first glance with the various tools, management interfaces, and complex implementations that may be provisioned in certain environments.

The Event Viewer on a Hyper-V host contains valuable information regarding the various major components that make up the Hyper-V infrastructure. These are separated out into a folder in the Windows Event Viewer Applications and Services node under the Windows parent group. With each of the major Hyper-V components being logged, administrators can pinpoint the nature of a specific Hyper-V error.

However, if administrators want a consolidated view, this can be accomplished with the GitHub PowerShell function that is readily available for download. For a default consolidated and intuitive view of Hyper-V errors, System Center Virtual Machine Manager provides a centralized view of all Hyper-V hosts and clusters and allows a granular look at specific task failures and can even show the step on which a specific task failed. SCVMM is certainly recommended in larger Hyper-V deployments with several hosts and multiple clusters as it can consolidate and streamline troubleshooting time and effort due to the centralized management plan.

Want to know more on Hyper-V? Check out our Beginners’ series on Hyper-V:

Beginners’ Guide for Microsoft Hyper-V: How to use Multipass on Windows Hyper-V – Part 40

Beginners’ Guide for Microsoft Hyper-V: Hyper-V AVHDX Files – Part-56

Safeguard your important data with a reliable Hyper-V backup solution, acting as a robust shield to ensure the safety of your vital information. Experience it for free!

Download BDRSuite now to effortlessly secure your Hyper-V environment and gain peace of mind: Download BDRSuite

Explore more about Hyper-V backup with BDRSuite and witness its effectiveness firsthand: Hyper-V Backup with BDRSuite

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.