Solved

Archive Event Logs for 14 days to network location.

Posted on 2010-08-25
10
398 Views
Last Modified: 2013-12-26
Need help archiving event logs from a server to a shared location amongst all of my domain controllers.
All of our DC's (total of 155) are Windows Server 2003.

Need to be able to specify a LIST of servers to run the scheduled task on from one of our root forest DC's.

1.  DailyEventLogArchiving of each EventLog (App,Directory Services, Security, System, FRS) to a shared location accessible by all DC's.

2.  Oldest file is replaced on the 15th day by most recent event log.

3.  Ability to use the system account with backup impersonation (instead of having to create a service account that is a domain admin since it's running on the DC's)

4. Ability to query the exported logs for specific event ID's, etc. PLEASE HELP!
0
Comment
Question by:crezaee
  • 4
  • 3
  • 3
10 Comments
 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33528018
Hello !

Building this from scratch is hours of work and I'm not sure anyone will provide you with a complete solution. But here's a starter for you :

http://www.petri.co.il/forums/showthread.php?t=16004

You can modify the script to use a list of servers instead of a static server name. Replacing the log file every 15th time should not be a problem. The tricky part will be to query the backup files. Right now I don't have a simple solution.

Syldra
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33530042
Hi, you could also start here, in terms of querying the event logs:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_26389889.html

Which uses Microsoft's PSLogList.exe tool.  It allows a username and password to be supplied, and could output 14 days worth of events (by using the -a switch) to a CSV file.

Regards,

Rob.
0
 
LVL 1

Author Comment

by:crezaee
ID: 33533521
SylvainDrapeau,

OK.  Thanks.  If I don't need any way to query the archived event files could you help?  There are typos in that code you linked.

1. Backup all event logs from DC's to network location, keep for 14 days, overwrite oldest file with new file after 14 days.

0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33536469
Oh... I did not test the code, I didn't know there were errors, sorry about that.

I'll look into it later tonight, with, I hope, a working solution.

Syldra
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33537900
You could just use the BackupEventLog command in VBScript to back up the logs to EVT files:
http://msdn.microsoft.com/en-us/library/aa384808(VS.85).aspx

Then, you could use PSLogList.exe to query those offline EVT files for anything you were after.

Try this script.  It performs tasks 1 to 3 on all computers in "computers.txt"

It will write to a log file as well.

For task 4, query the EVT files, you can use PSLogList to do that:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

The -l switch can be pointed to an EVT file.

The only that this script relies on at this point, to back up the remote logs, is that there is the C$ share that exists.  It backs up there first on each remote computer, then moves that EVT to the central location.

Regards,

Rob.
arrEventLogs = Array("Application", "Directory Service", "Security", "System", "File Replication Service")
strInputFile = "computers.txt"
strLogLocation = "\\server\share\ServerEvents\"
If Right(strLogLocation, 1) <> "\" Then strLogLocation = strLogLocation & "\"
strScriptLog = strLogLocation & "ScriptLog.log"
strDate = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)

intDaysToKeep = 14
PurgeFiles strLogLocation, intDaysToKeep

Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
Const intForAppending = 8
Set objScriptLog = objFSO.OpenTextFile(strScriptLog, intForAppending, True)
Set objInputFile = objFSO.OpenTextFile(strInputFile, intForReading, False)
While Not objInputFile.AtEndOfStream
	strComputer = objInputFile.ReadLine
	If Ping(strComputer) = True Then
		On Error Resume Next
		Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
		If Err.Number = 0 Then
			On Error GoTo 0
			For Each strLog In arrEventLogs
				Set colLogs = objWMI.ExecQuery("Select * From Win32_NTEventlogFile Where Logfilename = '" & strLog & "'")
				' colLogs.Count returns 1 if there are events available
				If colLogs.Count = 1 Then
					For Each objLog In colLogs
						strLocalBackupFile = "\\" & strComputer & "\C$\" & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"
						strBackupFile = strLogLocation & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"
						On Error Resume Next
						If objFSO.FileExists(strLocalBackupFile) = True Then objFSO.DeleteFile strLocalBackupFile, True
						intReturn = objLog.BackupEventLog(strLocalBackupFile)
						If Err.Number = 0 And intReturn = 0 Then
							On Error GoTo 0
							If objFSO.FileExists(strBackupFile) = True Then objFSO.DeleteFile strBackupFile, True
							objFSO.MoveFile strLocalBackupFile, strBackupFile
							objScriptLog.WriteLine Now & ": " & strLog & " log on " & strComputer & " backed up to " & strBackupFile
						Else
							If Err.Number <> 0 Then
								objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Error " & Err.Number & ": " & Err.Description						
							Else
								objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Return code: " & intReturn
							End If
							Err.Clear
							On Error GoTo 0
						End If
					Next
				Else
					objScriptLog.WriteLine Now & ": There are no events in the " & strLog & " log on " & strComputer
				End If
			Next
		Else
			objScriptLog.WriteLine Now & ": WMI Error connecting to " & strComputer & ". Error " & Err.Number & ": " & Err.Description
			Err.Clear
			On Error GoTo 0
		End If
	Else
		On Error GoTo 0
		objScriptLog.WriteLine Now & ": " & strComputer & " is offline."
	End If
Wend
objInputFile.Close
objScriptLog.Close

MsgBox "Done. Please see " & strScriptLog

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

Sub PurgeFiles(strPath, intDaysOld)
	Set objFSO = CreateObject("Scripting.FileSystemObject")
	dtePurgeDate = DateAdd("d", -intDaysOld, Date)
	For Each objFile In objFSO.GetFolder(strPath).Files
		If objFile.DateCreated < dtePurgeDate Then objFSO.DeleteFile objFile.Path, True
	Next
End Sub

Open in new window

0
 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33538618
I leave it to you Rob, seems like you've done a nice job here.

Syldra
0
 
LVL 1

Author Comment

by:crezaee
ID: 33561103
Rob,

Seems to be running right now...however i'm getting the following message: (i masked actual server name with *'s)

8/30/2010 2:07:12 PM: Error backing up Security on ************* . Return code: 1450
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 33563338
Hi, error 1450 seems to be "invalid resources".  There is some talk on that error here:
http://support.microsoft.com/kb/317249

But I would first test out if you can manually backup the Security log on that machine.  Is it a domain controller?  This post has had the same issue with a domain controller.....
http://www.servernewsgroups.net/group/microsoft.public.windows.server.scripting/topic23523.aspx

Also, does that server have a C$ share enabled, that you can access?

Try this code....it will check for the C$ share before trying to backup the event log.

Regards,

Rob.
arrEventLogs = Array("Application", "Directory Service", "Security", "System", "File Replication Service")
strInputFile = "computers.txt"
strLogLocation = "\\server\share\ServerEvents\"
If Right(strLogLocation, 1) <> "\" Then strLogLocation = strLogLocation & "\"
strScriptLog = strLogLocation & "ScriptLog.log"
strDate = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)

intDaysToKeep = 14
PurgeFiles strLogLocation, intDaysToKeep

Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
Const intForAppending = 8
Set objScriptLog = objFSO.OpenTextFile(strScriptLog, intForAppending, True)
Set objInputFile = objFSO.OpenTextFile(strInputFile, intForReading, False)
While Not objInputFile.AtEndOfStream
	strComputer = objInputFile.ReadLine
	If Ping(strComputer) = True Then
		On Error Resume Next
		Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer & "\root\cimv2")
		If Err.Number = 0 Then
			On Error GoTo 0
			For Each strLog In arrEventLogs
				Set colLogs = objWMI.ExecQuery("Select * From Win32_NTEventlogFile Where Logfilename = '" & strLog & "'")
				' colLogs.Count returns 1 if there are events available
				If colLogs.Count = 1 Then
					For Each objLog In colLogs
						strLocalBackupFile = "\\" & strComputer & "\C$\" & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"
						strBackupFile = strLogLocation & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"
						On Error Resume Next
						If objFSO.FolderExists("\\" & strComputer & "\C$") = True Then
							If objFSO.FileExists(strLocalBackupFile) = True Then objFSO.DeleteFile strLocalBackupFile, True
							intReturn = objLog.BackupEventLog(strLocalBackupFile)
							If Err.Number = 0 And intReturn = 0 Then
								On Error GoTo 0
								If objFSO.FileExists(strBackupFile) = True Then objFSO.DeleteFile strBackupFile, True
								objFSO.MoveFile strLocalBackupFile, strBackupFile
								objScriptLog.WriteLine Now & ": " & strLog & " log on " & strComputer & " backed up to " & strBackupFile
							Else
								If Err.Number <> 0 Then
									objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Error " & Err.Number & ": " & Err.Description						
								Else
									objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Return code: " & intReturn
								End If
								Err.Clear
								On Error GoTo 0
							End If
						Else
							objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". C$ share does not exist on " & strComputer
						End If
					Next
				Else
					objScriptLog.WriteLine Now & ": There are no events in the " & strLog & " log on " & strComputer
				End If
			Next
		Else
			objScriptLog.WriteLine Now & ": WMI Error connecting to " & strComputer & ". Error " & Err.Number & ": " & Err.Description
			Err.Clear
			On Error GoTo 0
		End If
	Else
		On Error GoTo 0
		objScriptLog.WriteLine Now & ": " & strComputer & " is offline."
	End If
Wend
objInputFile.Close
objScriptLog.Close

MsgBox "Done. Please see " & strScriptLog

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

Sub PurgeFiles(strPath, intDaysOld)
	Set objFSO = CreateObject("Scripting.FileSystemObject")
	dtePurgeDate = DateAdd("d", -intDaysOld, Date)
	For Each objFile In objFSO.GetFolder(strPath).Files
		If objFile.DateCreated < dtePurgeDate Then objFSO.DeleteFile objFile.Path, True
	Next
End Sub

Open in new window

0
 
LVL 1

Author Comment

by:crezaee
ID: 33569496
Bingo.  Error 1450 has to do with system resources.  i ran the script before I cleared the security log (which was 118MB) and it failed.... cleared the log...ran the script and the security log backed up perfectly fine.

Would there be anything I could do to query the event logs that are dumped afterwards? I'm thinking my best approach would be to do some kind of hourly export to a database the that only imports stuff for example from 1PM-1:59PM.  Then the next task would be 2PM-2:59, 3PM-3:59, etc, etc.

Could you recommend what you would do personally?

I'm going to accept this solution but please give me some input on what to do for querying with the .evt files that are dumped to the remote share.



0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33572606
Sure, to query the EVT files, you can use PSLogList to do that:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

The -l switch can be pointed to an EVT file.

Running a command like
psloglist.exe -accepteula -m 60 -l \\server\share\EventLog.evt

which would retrieve events for the last 60 minutes from that log file.

Regards,

Rob.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Create and license users in Office 365 in bulk based on a CSV file. A step-by-step guide with PowerShell script examples.
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
Show developers how to use a criteria form to limit the data that appears on an Access report. It is a common requirement that users can specify the criteria for a report at runtime. The easiest way to accomplish this is using a criteria form that a…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question