Solved

retaining security logs...Is this right?  suggestions?

Posted on 2009-05-12
9
876 Views
Last Modified: 2012-08-14
Hi all,
I have a customer who is trying to save 3 months worth of security logs (auditing enabled) online for a server.  Windows 2003 Standard R2 SP2 32bit (VM).  The log file will not be large enough to hold this amount.  I am looking for a CHEAP and easy way to give the customer what they want.   I am looking for ideas on how I can go about doing this.  Just doing some brainstorming here, but could I just create a script to copy the security event log file over to the other local drive (also including a timestamp in the filename of the copied file)?  ...And if by doing that, I would like to also create something in the script that checks for and deletes old security logs (older than 3 months).  
A couple problems/things to know:
-my current log size to hold 1-2 days worth of logs is about 200MB.  So each time I copy the file, it's another 200MB added to the archive location (let's say on the D: drive).  Is this the best way?
-I can't install any extra software on this server...I need to use existing built in functionality.
-I am not a scripter...by any means, so please be detailed in your responses.

Please, if you have any other suggestions, enlighten me.  This was just my 1st thought of how to give them 3 months worth of online logs to look at when the log file will not hold that amount on its own.


CURRENT SETUP:
Server - Windows Server 2003 R2 SP2 x86
Security log location - is default
log size - is set for max size of 204800 kb
log behavior when max size is reached - overwrite events as needed
free space - 20GB to work with


Thanks in advance for any help you all can provide!
0
Comment
Question by:HelpyHelperton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 2

Assisted Solution

by:bootreboot
bootreboot earned 100 total points
ID: 24367336
i use a program by AdventNet called Eventlog Analyzer.  I'm monitoring 30+ workstations, aproxomately 20 firewalls, and 3 servers.  All with full logginging enabled.  I keep my log files for 3 months and then migrate the data to an external drive for archival purposes.  My database currently sits at 220 Gigs, but the program is inexpensive.
0
 

Author Comment

by:HelpyHelperton
ID: 24367390
thanks for the info, but I cannot install any software on the server, and I cannot spend any $$
0
 
LVL 2

Assisted Solution

by:bootreboot
bootreboot earned 100 total points
ID: 24367531
Fair enough... is your client doing this for compliance purposes (PCI, SOX, SAS 70)?

there is a script on this page that will probably help you out:
http://www.scriptinganswers.com/vault/Event%20Logs%20and%20Logging/
0
Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

 
LVL 16

Accepted Solution

by:
craylord earned 350 total points
ID: 24367782
I would recommend PSLoglist. Its free, requires no install and easy to script into a scheduled batch file.

http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

psloglist.exe -s -x security >> %SystemRoot%\newly_created_file.csv

If you add -c it will clear out the log file after its dumped. Granted these new files may be large, but you can easily zip them up using with 7-Zip via the command line.

http://sourceforge.net/projects/sevenzip/

7za.exe a -tzip %SystemRoot%\archived\newlyzippedfiles.zip %SystemRoot%\*.csv
or
7za.exe a -tzip <destination zip file> <wildcarrd search and include all *.csv>
0
 
LVL 20

Assisted Solution

by:marsilies
marsilies earned 50 total points
ID: 24368024
You may want to Zip the log files if space is an issue. Zipping should greatly reduce the amount of space they take up.

Here's how to zip a file using vbscript in Windows XP, should work for 2003:
http://forum.soft32.com/windows/ZIP-UNZIP-VBScript-Windows-XP-ftopict278165.html

Here's some sample scripts on making a daily log backup to zip using various methods and programs:
http://stackoverflow.com/questions/29496/automated-script-to-zip-iis-logs
0
 

Author Comment

by:HelpyHelperton
ID: 24368143
Craylord,
I saw that utility and was thinking of using it, but the customer is looking to be able to view the event log from the archived files as they would if it were the actual log files.  So I need to copy the SecEvent.evt file and actually save it as an EVT file so from that server they can just open the file and view the contents within the GUI
0
 
LVL 16

Assisted Solution

by:craylord
craylord earned 350 total points
ID: 24368419
Agreed, it can be cumbersome but using Excel has allowed me to sift through the data much easier than I could via the event viewer. Particularily the filtering in Excel 2007 has a phenomanal upgrade. Itll let you drill down and provide a range of data whether its from date to date or all entries for a set of event ids.

If you have Excel 2007, Id at least recommend dumping a log to try the autofilter with its new interface. With it I no longer shudder when someone says I need the all the local logons (type 2) from day xx to day yy.

I think if they want a fancy interface to read logs, then their only option will probably to fork out $$.
2007-filter.JPG
0
 

Author Comment

by:HelpyHelperton
ID: 24398755
FYI all,
I have talked the customer into using psloglist (yey) to archive the log files which I will be doing.  I was going to create a batch file to run daily and backup the last 30 hours (leave a little room for overlap) in the Security log and dump it into a csv file with the datestamp attached.  Question:
Is this syntax correct for doing the above in a batch file?
psloglist -s -h 30 Security >> D:\Eventbackup\SecurityLog%Date%.csv

2nd thing I was going to do was create a batch file to run once a week to delete files in the Eventbackup folder older than 95 days (again, a little room for overlap).  There is a program in Windows 2003 that lets you do this that I did not know existed until today...Forfiles.exe.  
Question #2:
Would the following syntax be correct for this to run in a batch file?
Forfiles /p D:\Eventbackup /s /m *.* /d -95 /c "cmd /c del /q @path"


Thanks all
0
 

Author Comment

by:HelpyHelperton
ID: 24813488
all I'm very sorry for abandoning the post...was out of office for a long time.  Thanks for the great feedback.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question