Retaining security logs... Is this right? Suggestions?

Posted on 2009-05-12
Last Modified: 2012-08-14
Hi all,
I have a customer who is trying to save 3 months worth of security logs (auditing enabled) online for a server.  Windows 2003 Standard R2 SP2 32bit (VM).  The log file will not be large enough to hold this amount.  I am looking for a CHEAP and easy way to give the customer what they want.   I am looking for ideas on how I can go about doing this.  Just doing some brainstorming here, but could I just create a script to copy the security event log file over to the other local drive (also including a timestamp in the filename of the copied file)?  ...And if by doing that, I would like to also create something in the script that checks for and deletes old security logs (older than 3 months).  
A couple problems/things to know:
-my current log size to hold 1-2 days worth of logs is about 200MB.  So each time I copy the file, it's another 200MB added to the archive location (let's say on the D: drive).  Is this the best way?
-I can't install any extra software on this server...I need to use existing built in functionality.
-I am not a any means, so please be detailed in your responses.

Please, if you have any other suggestions, enlighten me.  This was just my 1st thought of how to give them 3 months worth of online logs to look at when the log file will not hold that amount on its own.

Server - Windows Server 2003 R2 SP2 x86
Security log location - is default
log size - is set for max size of 204800 kb
log behavior when max size is reached - overwrite events as needed
free space - 20GB to work with

Thanks in advance for any help you all can provide!
Question by:HelpyHelperton

Assisted Solution

bootreboot earned 100 total points
ID: 24367336
I use a program by AdventNet called Eventlog Analyzer. I'm monitoring 30+ workstations, approximately 20 firewalls, and 3 servers, all with full logging enabled. I keep my log files for 3 months and then migrate the data to an external drive for archival purposes. My database currently sits at 220 gigs, but the program is inexpensive.

Author Comment

ID: 24367390
thanks for the info, but I cannot install any software on the server, and I cannot spend any $$

Assisted Solution

bootreboot earned 100 total points
ID: 24367531
Fair enough... is your client doing this for compliance purposes (PCI, SOX, SAS 70)?

there is a script on this page that will probably help you out:

LVL 16

Accepted Solution

craylord earned 350 total points
ID: 24367782
I would recommend PsLoglist. It's free, requires no install and is easy to script into a scheduled batch file.

psloglist.exe -s -x security >> %SystemRoot%\newly_created_file.csv

If you add -c it will clear out the log file after it's dumped. Granted these new files may be large, but you can easily zip them up with 7-Zip via the command line.

7za.exe a -tzip %SystemRoot%\archived\security_logs.zip %SystemRoot%\*.csv
7za.exe a -tzip <destination zip file> <wildcard search that matches all *.csv>
LVL 19

Assisted Solution

marsilies earned 50 total points
ID: 24368024
You may want to Zip the log files if space is an issue. Zipping should greatly reduce the amount of space they take up.

Here's how to zip a file using vbscript in Windows XP, should work for 2003:

Here's some sample scripts on making a daily log backup to zip using various methods and programs:

Author Comment

ID: 24368143
I saw that utility and was thinking of using it, but the customer is looking to be able to view the event log from the archived files as they would if it were the actual log files.  So I need to copy the SecEvent.evt file and actually save it as an EVT file so from that server they can just open the file and view the contents within the GUI
LVL 16

Assisted Solution

craylord earned 350 total points
ID: 24368419
Agreed, it can be cumbersome, but using Excel has allowed me to sift through the data much more easily than I could via the event viewer. Particularly the filtering in Excel 2007 has had a phenomenal upgrade. It'll let you drill down and provide a range of data, whether it's from date to date or all entries for a set of event IDs.

If you have Excel 2007, I'd at least recommend dumping a log to try the autofilter with its new interface. With it I no longer shudder when someone says "I need all the local logons (type 2) from day xx to day yy."

I think if they want a fancy interface to read logs, then their only option will probably be to fork out $$.

Author Comment

ID: 24398755
FYI all,
I have talked the customer into using psloglist (yay) to archive the log files, which I will be doing. I was going to create a batch file to run daily and back up the last 30 hours (leaving a little room for overlap) of the Security log, dumping it into a CSV file with the datestamp attached. Question:
Is this syntax correct for doing the above in a batch file?
psloglist -s -h 30 Security >> D:\Eventbackup\SecurityLog%Date%.csv

2nd thing I was going to do was create a batch file to run once a week to delete files in the Eventbackup folder older than 95 days (again, a little room for overlap).  There is a program in Windows 2003 that lets you do this that I did not know existed until today...Forfiles.exe.  
Question #2:
Would the following syntax be correct for this to run in a batch file?
Forfiles /p D:\Eventbackup /s /m *.* /d -95 /c "cmd /c del /q @path"

Thanks all
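The following batch file is an added example, not code posted in this thread or shipped with PsTools or Windows; it ties together the psloglist export from craylord's accepted answer and the daily-dump / weekly-prune batch the author sketches above. It assumes psloglist.exe has been copied to C:\Tools, that the archive folder is D:\Eventbackup, that the server's short-date format is the US default ("Tue 05/12/2009"), and that 7za.exe is optional. Two caveats the author's draft runs into: %Date% contains slashes, which are not legal in a file name, so the stamp has to be cut out of it; and `/m *.*` in forfiles would also delete anything else placed in that folder, so the mask is narrowed to the archive's own file names. The .evt copy comes from the built-in Win32_NTEventlogFile class (via wmic), which satisfies the earlier requirement of a file Event Viewer can open directly.

```batch
@echo off
rem Daily Security-log archive for Windows Server 2003 (added example; not from the thread).
rem Assumptions: psloglist.exe in C:\Tools, archive folder D:\Eventbackup, US short-date format.
setlocal enableextensions

set ARCHIVE=D:\Eventbackup
set TOOLS=C:\Tools
set KEEPDAYS=95

rem %DATE% here looks like "Tue 05/12/2009". Build a sortable yyyyMMdd stamp from its fixed
rem positions; if "echo %DATE%" shows a different layout on the server, adjust the offsets.
set STAMP=%DATE:~-4%%DATE:~4,2%%DATE:~7,2%

if not exist "%ARCHIVE%" mkdir "%ARCHIVE%"

rem 1. Export the last 30 hours of the Security log as delimited text (-s) with the
rem    extended event data (-x). Running daily with a 30-hour window leaves a 6-hour
rem    overlap, so a late-starting task does not leave a hole in the archive.
"%TOOLS%\psloglist.exe" -accepteula -s -x -h 30 Security > "%ARCHIVE%\Security_%STAMP%.csv"
if errorlevel 1 echo %DATE% %TIME% psloglist export failed >> "%ARCHIVE%\archive_errors.log"

rem 2. Keep a native .evt copy as well (Event Viewer: Action > Open Log File).
rem    BackupEventlog is a built-in WMI method; it needs the backup privilege an
rem    administrator already holds and refuses to overwrite an existing file,
rem    which the date stamp avoids.
wmic nteventlog where "LogFileName='Security'" call BackupEventlog "%ARCHIVE%\Security_%STAMP%.evt"

rem 3. Optional: compress the day's CSV if the portable 7-Zip binary is present.
if exist "%TOOLS%\7za.exe" (
    "%TOOLS%\7za.exe" a -tzip "%ARCHIVE%\Security_%STAMP%.zip" "%ARCHIVE%\Security_%STAMP%.csv"
    if not errorlevel 1 del /q "%ARCHIVE%\Security_%STAMP%.csv"
)

rem 4. Prune archives older than KEEPDAYS days. forfiles.exe ships with Windows 2003.
rem    Match only this script's own file names so nothing else in the folder is touched.
forfiles /p "%ARCHIVE%" /m Security_*.* /d -%KEEPDAYS% /c "cmd /c del /q @path"

endlocal
```

Schedule it once a day as a domain or local account that is a member of Administrators (the WMI backup needs that privilege), and note that the script never uses psloglist's -c switch: clearing the live log is not needed once the archive is in place, and on Windows 2003 a clear writes event ID 517 ("The audit log was cleared") into the fresh log, which is exactly the kind of entry a reviewer will ask about.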

Author Comment

ID: 24813488
All, I'm very sorry for abandoning the post... I was out of the office for a long time. Thanks for the great feedback.
