Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


retaining security logs...Is this right?  suggestions?

Posted on 2009-05-12
Medium Priority
Last Modified: 2012-08-14
Hi all,
I have a customer who is trying to save 3 months worth of security logs (auditing enabled) online for a server.  Windows 2003 Standard R2 SP2 32bit (VM).  The log file will not be large enough to hold this amount.  I am looking for a CHEAP and easy way to give the customer what they want.   I am looking for ideas on how I can go about doing this.  Just doing some brainstorming here, but could I just create a script to copy the security event log file over to the other local drive (also including a timestamp in the filename of the copied file)?  ...And if by doing that, I would like to also create something in the script that checks for and deletes old security logs (older than 3 months).  
A couple problems/things to know:
-my current log size to hold 1-2 days worth of logs is about 200MB.  So each time I copy the file, it's another 200MB added to the archive location (let's say on the D: drive).  Is this the best way?
-I can't install any extra software on this server...I need to use existing built in functionality.
-I am not a scripter...by any means, so please be detailed in your responses.

Please, if you have any other suggestions, enlighten me.  This was just my 1st thought of how to give them 3 months worth of online logs to look at when the log file will not hold that amount on its own.

Server - Windows Server 2003 R2 SP2 x86
Security log location - is default
log size - is set for max size of 204800 kb
log behavior when max size is reached - overwrite events as needed
free space - 20GB to work with

Thanks in advance for any help you all can provide!
Question by:HelpyHelperton
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1

Assisted Solution

bootreboot earned 400 total points
ID: 24367336
i use a program by AdventNet called Eventlog Analyzer.  I'm monitoring 30+ workstations, aproxomately 20 firewalls, and 3 servers.  All with full logginging enabled.  I keep my log files for 3 months and then migrate the data to an external drive for archival purposes.  My database currently sits at 220 Gigs, but the program is inexpensive.

Author Comment

ID: 24367390
thanks for the info, but I cannot install any software on the server, and I cannot spend any $$

Assisted Solution

bootreboot earned 400 total points
ID: 24367531
Fair enough... is your client doing this for compliance purposes (PCI, SOX, SAS 70)?

there is a script on this page that will probably help you out:
Flash Sale! Good things come in big bundles

Save over 50% on our fully managed dedicated server bundle for Labor Day. Plus FREE Guardian Backups, FREE Advanced DDoS Protection and FREE Plesk Onyx Web Pro Edition.

LVL 16

Accepted Solution

craylord earned 1400 total points
ID: 24367782
I would recommend PSLoglist. Its free, requires no install and easy to script into a scheduled batch file.


psloglist.exe -s -x security >> %SystemRoot%\newly_created_file.csv

If you add -c it will clear out the log file after its dumped. Granted these new files may be large, but you can easily zip them up using with 7-Zip via the command line.


7za.exe a -tzip %SystemRoot%\archived\newlyzippedfiles.zip %SystemRoot%\*.csv
7za.exe a -tzip <destination zip file> <wildcarrd search and include all *.csv>
LVL 20

Assisted Solution

marsilies earned 200 total points
ID: 24368024
You may want to Zip the log files if space is an issue. Zipping should greatly reduce the amount of space they take up.

Here's how to zip a file using vbscript in Windows XP, should work for 2003:

Here's some sample scripts on making a daily log backup to zip using various methods and programs:

Author Comment

ID: 24368143
I saw that utility and was thinking of using it, but the customer is looking to be able to view the event log from the archived files as they would if it were the actual log files.  So I need to copy the SecEvent.evt file and actually save it as an EVT file so from that server they can just open the file and view the contents within the GUI
LVL 16

Assisted Solution

craylord earned 1400 total points
ID: 24368419
Agreed, it can be cumbersome but using Excel has allowed me to sift through the data much easier than I could via the event viewer. Particularily the filtering in Excel 2007 has a phenomanal upgrade. Itll let you drill down and provide a range of data whether its from date to date or all entries for a set of event ids.

If you have Excel 2007, Id at least recommend dumping a log to try the autofilter with its new interface. With it I no longer shudder when someone says I need the all the local logons (type 2) from day xx to day yy.

I think if they want a fancy interface to read logs, then their only option will probably to fork out $$.

Author Comment

ID: 24398755
FYI all,
I have talked the customer into using psloglist (yey) to archive the log files which I will be doing.  I was going to create a batch file to run daily and backup the last 30 hours (leave a little room for overlap) in the Security log and dump it into a csv file with the datestamp attached.  Question:
Is this syntax correct for doing the above in a batch file?
psloglist -s -h 30 Security >> D:\Eventbackup\SecurityLog%Date%.csv

2nd thing I was going to do was create a batch file to run once a week to delete files in the Eventbackup folder older than 95 days (again, a little room for overlap).  There is a program in Windows 2003 that lets you do this that I did not know existed until today...Forfiles.exe.  
Question #2:
Would the following syntax be correct for this to run in a batch file?
Forfiles /p D:\Eventbackup /s /m *.* /d -95 /c "cmd /c del /q @path"

Thanks all

Author Comment

ID: 24813488
all I'm very sorry for abandoning the post...was out of office for a long time.  Thanks for the great feedback.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question