Solved

retaining security logs...Is this right?  suggestions?

Posted on 2009-05-12
861 Views
Last Modified: 2012-08-14
Hi all,
I have a customer who is trying to save 3 months worth of security logs (auditing enabled) online for a server.  Windows 2003 Standard R2 SP2 32bit (VM).  The log file will not be large enough to hold this amount.  I am looking for a CHEAP and easy way to give the customer what they want.   I am looking for ideas on how I can go about doing this.  Just doing some brainstorming here, but could I just create a script to copy the security event log file over to the other local drive (also including a timestamp in the filename of the copied file)?  ...And if by doing that, I would like to also create something in the script that checks for and deletes old security logs (older than 3 months).  
A couple problems/things to know:
-my current log size to hold 1-2 days worth of logs is about 200MB.  So each time I copy the file, it's another 200MB added to the archive location (let's say on the D: drive).  Is this the best way?
-I can't install any extra software on this server...I need to use existing built in functionality.
-I am not a scripter...by any means, so please be detailed in your responses.

Please, if you have any other suggestions, enlighten me.  This was just my 1st thought of how to give them 3 months worth of online logs to look at when the log file will not hold that amount on its own.


CURRENT SETUP:
Server - Windows Server 2003 R2 SP2 x86
Security log location - is default
log size - is set for max size of 204800 kb
log behavior when max size is reached - overwrite events as needed
free space - 20GB to work with


Thanks in advance for any help you all can provide!
Question by:HelpyHelperton

9 Comments
LVL 2

Assisted Solution

by:bootreboot
bootreboot earned 100 total points
ID: 24367336
I use a program by AdventNet called Eventlog Analyzer. I'm monitoring 30+ workstations, approximately 20 firewalls, and 3 servers, all with full logging enabled. I keep my log files for 3 months and then migrate the data to an external drive for archival purposes. My database currently sits at 220 Gigs, but the program is inexpensive.

Author Comment

by:HelpyHelperton
ID: 24367390
thanks for the info, but I cannot install any software on the server, and I cannot spend any $$
LVL 2

Assisted Solution

by:bootreboot
bootreboot earned 100 total points
ID: 24367531
Fair enough... is your client doing this for compliance purposes (PCI, SOX, SAS 70)?

there is a script on this page that will probably help you out:
http://www.scriptinganswers.com/vault/Event%20Logs%20and%20Logging/
LVL 16

Accepted Solution

by:craylord
craylord earned 350 total points
ID: 24367782
I would recommend PsLoglist. It's free, requires no install and is easy to script into a scheduled batch file.

http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

psloglist.exe -s -x security >> %SystemRoot%\newly_created_file.csv

If you add -c it will clear out the log file after it's dumped. Granted these new files may be large, but you can easily zip them up using 7-Zip via the command line.

http://sourceforge.net/projects/sevenzip/

7za.exe a -tzip %SystemRoot%\archived\newlyzippedfiles.zip %SystemRoot%\*.csv
or
7za.exe a -tzip <destination zip file> <wildcard search and include all *.csv>
LVL 19

Assisted Solution

by:marsilies
marsilies earned 50 total points
ID: 24368024
You may want to Zip the log files if space is an issue. Zipping should greatly reduce the amount of space they take up.

Here's how to zip a file using vbscript in Windows XP, should work for 2003:
http://forum.soft32.com/windows/ZIP-UNZIP-VBScript-Windows-XP-ftopict278165.html

Here's some sample scripts on making a daily log backup to zip using various methods and programs:
http://stackoverflow.com/questions/29496/automated-script-to-zip-iis-logs

Author Comment

by:HelpyHelperton
ID: 24368143
Craylord,
I saw that utility and was thinking of using it, but the customer is looking to be able to view the event log from the archived files as they would if it were the actual log files. So I need to copy the SecEvent.evt file and actually save it as an EVT file so that from that server they can just open the file and view the contents within the GUI.
LVL 16

Assisted Solution

by:craylord
craylord earned 350 total points
ID: 24368419
Agreed, it can be cumbersome, but using Excel has allowed me to sift through the data much more easily than I could via the event viewer. Particularly the filtering in Excel 2007 has had a phenomenal upgrade. It'll let you drill down and provide a range of data, whether it's from date to date or all entries for a set of event IDs.

If you have Excel 2007, I'd at least recommend dumping a log to try the autofilter with its new interface. With it I no longer shudder when someone says I need all the local logons (type 2) from day xx to day yy.

I think if they want a fancy interface to read logs, then their only option will probably be to fork out $$.
2007-filter.JPG

Author Comment

by:HelpyHelperton
ID: 24398755
FYI all,
I have talked the customer into using psloglist (yay) to archive the log files, which I will be doing. I was going to create a batch file to run daily and back up the last 30 hours (leave a little room for overlap) in the Security log and dump it into a CSV file with the datestamp attached. Question:
Is this syntax correct for doing the above in a batch file?
psloglist -s -h 30 Security >> D:\Eventbackup\SecurityLog%Date%.csv

The 2nd thing I was going to do was create a batch file to run once a week to delete files in the Eventbackup folder older than 95 days (again, a little room for overlap). There is a program in Windows 2003 that lets you do this that I did not know existed until today... Forfiles.exe.
Question #2:
Would the following syntax be correct for this to run in a batch file?
Forfiles /p D:\Eventbackup /s /m *.* /d -95 /c "cmd /c del /q @path"

Thanks all
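Putting craylord's psloglist/7-Zip commands and the author's daily export and weekly prune together, here is an added example of a single scheduled batch file; it is not code from the thread or from Sysinternals. One caveat it handles that the author's `SecurityLog%Date%.csv` line does not: `%Date%` is locale-dependent and on a US-locale server expands to something like `Tue 05/12/2009`, whose slashes and spaces are not valid in a filename. The script reads a `yyyymmddHHMMSS` stamp from WMIC (present on Windows 2003) instead. The `D:\Eventbackup` folder is from the question; `C:\Tools` as the location of `psloglist.exe` and `7za.exe`, the `-accepteula` switch and the `SecurityLog-` filename prefix are assumptions.

```batch
@echo off
setlocal
:: Added example (not from the thread): daily Security-log export with a
:: locale-independent datestamp and a 95-day prune. Tool path is an assumption.
set ARCHIVE=D:\Eventbackup
set TOOLS=C:\Tools
if not exist "%ARCHIVE%" mkdir "%ARCHIVE%"

:: %DATE% may contain "/" and spaces, which are illegal in filenames.
:: WMIC returns e.g. 20090512143000.123456+120; the line with "." is the value,
:: the header line is skipped by the filter. Substrings below drop the suffix
:: (and any trailing carriage return WMIC leaves behind).
set STAMP=
for /f "delims=" %%d in ('wmic os get localdatetime ^| find "."') do (
    if not defined STAMP set STAMP=%%d
)
set STAMP=%STAMP:~0,8%-%STAMP:~8,6%
set OUTFILE=%ARCHIVE%\SecurityLog-%STAMP%.csv

:: Export the last 30 hours of the Security log in delimited (-s) form with
:: extended data (-x). The 6-hour overlap beyond one day means a delayed run
:: does not leave a gap; duplicates are cheaper than missing records.
"%TOOLS%\psloglist.exe" -accepteula -s -x -h 30 Security > "%OUTFILE%"
if errorlevel 1 (
    echo %STAMP% psloglist failed, errorlevel %errorlevel% >> "%ARCHIVE%\export-errors.log"
    goto prune
)

:: Compress the export with the 7-Zip command-line tool if it is present, and
:: only delete the CSV once the archive was written successfully.
if exist "%TOOLS%\7za.exe" (
    "%TOOLS%\7za.exe" a -tzip "%ARCHIVE%\SecurityLog-%STAMP%.zip" "%OUTFILE%" >nul
    if not errorlevel 1 del /q "%OUTFILE%"
)

:prune
:: Remove archives older than 95 days (3 months plus overlap). The /m mask
:: limits deletion to this script's own files, so nothing else in the folder
:: is touched if the path is ever shared.
forfiles /p "%ARCHIVE%" /m SecurityLog-*.* /d -95 /c "cmd /c del /q @path"
endlocal
```

Schedule it with Task Scheduler under an account that has the "Manage auditing and security log" right, and keep the retention step in the same job as the export so the prune never runs against a folder the export has stopped filling. Leaving `-c` off, as here, means the live log is never cleared by the script; the archive is a copy, and the server's own overwrite behaviour stays as configured.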

Author Comment

by:HelpyHelperton
ID: 24813488
All, I'm very sorry for abandoning the post... was out of office for a long time. Thanks for the great feedback.