retaining security logs...Is this right?  suggestions?

Posted on 2009-05-12
Last Modified: 2012-08-14
Hi all,
I have a customer who is trying to save 3 months' worth of security logs (auditing enabled) online for a server: Windows 2003 Standard R2 SP2 32-bit (VM). The log file will not be large enough to hold this amount. I am looking for a CHEAP and easy way to give the customer what they want, and for ideas on how I can go about doing this. Just doing some brainstorming here, but could I just create a script to copy the security event log file over to the other local drive (also including a timestamp in the filename of the copied file)? And if I do that, I would also like to create something in the script that checks for and deletes old security logs (older than 3 months).
A couple problems/things to know:
-my current log size to hold 1-2 days worth of logs is about 200MB.  So each time I copy the file, it's another 200MB added to the archive location (let's say on the D: drive).  Is this the best way?
-I can't install any extra software on this server...I need to use existing built in functionality.
-I am not a scripter...by any means, so please be detailed in your responses.

Please, if you have any other suggestions, enlighten me.  This was just my 1st thought of how to give them 3 months worth of online logs to look at when the log file will not hold that amount on its own.


CURRENT SETUP:
Server - Windows Server 2003 R2 SP2 x86
Security log location - is default
log size - is set for max size of 204800 kb
log behavior when max size is reached - overwrite events as needed
free space - 20GB to work with


Thanks in advance for any help you all can provide!
Question by:HelpyHelperton
9 Comments
 
LVL 2

Assisted Solution

by:bootreboot
bootreboot earned 400 total points
ID: 24367336
I use a program by AdventNet called Eventlog Analyzer. I'm monitoring 30+ workstations, approximately 20 firewalls, and 3 servers, all with full logging enabled. I keep my log files for 3 months and then migrate the data to an external drive for archival purposes. My database currently sits at 220 gigs, but the program is inexpensive.

Author Comment

by:HelpyHelperton
ID: 24367390
Thanks for the info, but I cannot install any software on the server, and I cannot spend any $$.
 
LVL 2

Assisted Solution

by:bootreboot
bootreboot earned 400 total points
ID: 24367531
Fair enough... is your client doing this for compliance purposes (PCI, SOX, SAS 70)?

there is a script on this page that will probably help you out:
http://www.scriptinganswers.com/vault/Event%20Logs%20and%20Logging/
LVL 16

Accepted Solution

by:craylord
craylord earned 1400 total points
ID: 24367782
I would recommend PsLoglist. It's free, requires no install and is easy to script into a scheduled batch file.

http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

psloglist.exe -s -x security >> %SystemRoot%\newly_created_file.csv

If you add -c it will clear out the log file after it's dumped. Granted these new files may be large, but you can easily zip them up with 7-Zip via the command line.

http://sourceforge.net/projects/sevenzip/

7za.exe a -tzip %SystemRoot%\archived\newlyzippedfiles.zip %SystemRoot%\*.csv
or
7za.exe a -tzip <destination zip file> <wildcard search that includes all *.csv>
LVL 20

Assisted Solution

by:marsilies
marsilies earned 200 total points
ID: 24368024
You may want to Zip the log files if space is an issue. Zipping should greatly reduce the amount of space they take up.

Here's how to zip a file using vbscript in Windows XP, should work for 2003:
http://forum.soft32.com/windows/ZIP-UNZIP-VBScript-Windows-XP-ftopict278165.html

Here's some sample scripts on making a daily log backup to zip using various methods and programs:
http://stackoverflow.com/questions/29496/automated-script-to-zip-iis-logs

Author Comment

by:HelpyHelperton
ID: 24368143
Craylord,
I saw that utility and was thinking of using it, but the customer is looking to be able to view the event log from the archived files as they would if it were the actual log files. So I need to copy the SecEvent.evt file and actually save it as an EVT file, so that from that server they can just open the file and view the contents within the GUI.
LVL 16

Assisted Solution

by:craylord
craylord earned 1400 total points
ID: 24368419
Agreed, it can be cumbersome, but using Excel has allowed me to sift through the data much more easily than I could via the event viewer. Particularly the filtering in Excel 2007 has had a phenomenal upgrade. It'll let you drill down and provide a range of data, whether it's from date to date or all entries for a set of event IDs.

If you have Excel 2007, I'd at least recommend dumping a log to try the autofilter with its new interface. With it I no longer shudder when someone says I need all the local logons (type 2) from day xx to day yy.

I think if they want a fancy interface to read logs, then their only option will probably be to fork out $$.
[attached screenshot: 2007-filter.JPG]
 

Author Comment

by:HelpyHelperton
ID: 24398755
FYI all,
I have talked the customer into using psloglist (yey) to archive the log files which I will be doing.  I was going to create a batch file to run daily and backup the last 30 hours (leave a little room for overlap) in the Security log and dump it into a csv file with the datestamp attached.  Question:
Is this syntax correct for doing the above in a batch file?
psloglist -s -h 30 Security >> D:\Eventbackup\SecurityLog%Date%.csv

2nd thing I was going to do was create a batch file to run once a week to delete files in the Eventbackup folder older than 95 days (again, a little room for overlap).  There is a program in Windows 2003 that lets you do this that I did not know existed until today...Forfiles.exe.  
Question #2:
Would the following syntax be correct for this to run in a batch file?
Forfiles /p D:\Eventbackup /s /m *.* /d -95 /c "cmd /c del /q @path"


Thanks all
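Putting the thread's pieces together (the psloglist CSV dump from the accepted answer, 7-Zip compression, and the forfiles retention step from the follow-up) as one scheduled batch file; this is an added example, not a script posted by anyone in the thread. It assumes psloglist.exe and 7za.exe sit in C:\Tools (assumed path), keeps the thread's D:\Eventbackup folder and 30-hour / 95-day values, and builds the file timestamp from WMIC because %DATE% is locale-dependent and usually contains slashes that are illegal in a filename.

```batch
@echo off
REM Added example, not code from this thread. Daily Security-log archive for
REM Windows Server 2003: psloglist dump -> 7-Zip -> forfiles retention.
REM Assumed: psloglist.exe and 7za.exe live in C:\Tools; run psloglist once
REM interactively first so its EULA prompt cannot block the scheduled task.
setlocal EnableExtensions

set "TOOLS=C:\Tools"
set "ARCHIVE=D:\Eventbackup"
set "HOURS=30"
set "KEEPDAYS=95"
set "LOG=%ARCHIVE%\archive.log"

if not exist "%ARCHIVE%" mkdir "%ARCHIVE%"

REM %DATE% is locale-dependent and normally contains "/", which is illegal in a
REM file name, so take WMIC's fixed yyyymmddHHMMSS.ffffff value instead.
set "STAMP="
for /f "skip=1 tokens=1 delims=." %%T in ('wmic os get localdatetime') do (
    if not defined STAMP set "STAMP=%%T"
)
set "CSV=%ARCHIVE%\SecurityLog-%STAMP:~0,8%-%STAMP:~8,6%.csv"

REM -s: one comma-separated record per line; -h 30: only the last 30 hours.
REM No -c, so the live log is never cleared and consecutive runs overlap.
"%TOOLS%\psloglist.exe" -s -h %HOURS% Security > "%CSV%"
if errorlevel 1 (
    echo %DATE% %TIME% psloglist failed, exit code %ERRORLEVEL% >> "%LOG%"
    exit /b 1
)

REM Compress the dump; delete the raw CSV only after the zip was written.
"%TOOLS%\7za.exe" a -tzip "%CSV%.zip" "%CSV%" > nul
if errorlevel 1 (
    echo %DATE% %TIME% 7za failed, keeping %CSV% >> "%LOG%"
    exit /b 1
)
del /q "%CSV%"

REM Retention: a narrow mask and no /s, so only our own archives are ever deleted.
forfiles /p "%ARCHIVE%" /m SecurityLog-*.zip /d -%KEEPDAYS% /c "cmd /c del /q @path"

echo %DATE% %TIME% archived %CSV%.zip >> "%LOG%"
endlocal
```

Schedule it daily with the Task Scheduler under an account that can read the Security log; because the archives live on the same host, anyone with admin rights there can alter them, so copy the zips off-box if the customer needs them to be tamper-evident.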

Author Comment

by:HelpyHelperton
ID: 24813488
All, I'm very sorry for abandoning the post; I was out of the office for a long time. Thanks for the great feedback.
