Solved

Archive Event Logs for 14 days to network location.

Posted on 2010-08-25
10
386 Views
Last Modified: 2013-12-26
Need help archiving event logs from a server to a shared location amongst all of my domain controllers.
All of our DC's (total of 155) are Windows Server 2003.

Need to be able to specify a LIST of servers to run the scheduled task on from one of our root forest DC's.

1.  DailyEventLogArchiving of each EventLog (App,Directory Services, Security, System, FRS) to a shared location accessible by all DC's.

2.  Oldest file is replaced on the 15th day by most recent event log.

3.  Ability to use the system account with backup impersonation (instead of having to create a service account that is a domain admin since it's running on the DC's)

4. Ability to query the exported logs for specific event ID's, etc. PLEASE HELP!
0
Comment
Question by:crezaee
  • 4
  • 3
  • 3
10 Comments
 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33528018
Hello !

Building this from scratch is hours of work and I'm not sure anyone will provide you with a complete solution. But here's a starter for you :

http://www.petri.co.il/forums/showthread.php?t=16004

You can modify the script to use a list of servers instead of a static server name. Replacing the log file every 15th time should not be a problem. The tricky part will be to query the backup files. Right now I don't have a simple solution.

Syldra
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33530042
Hi, you could also start here, in terms of querying the event logs:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_26389889.html

Which uses Microsoft's PSLogList.exe tool.  It allows a username and password to be supplied, and could output 14 days worth of events (by using the -a switch) to a CSV file.

Regards,

Rob.
0
 
LVL 1

Author Comment

by:crezaee
ID: 33533521
SylvainDrapeau,

OK.  Thanks.  If I don't need any way to query the archived event files could you help?  There are typos in that code you linked.

1. Backup all event logs from DC's to network location, keep for 14 days, overwrite oldest file with new file after 14 days.

0
 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33536469
Oh... I did not test the code, I didn't know there were errors, sorry about that.

I'll look into it later tonight, with, I hope, a working solution.

Syldra
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33537900
You could just use the BackupEventLog command in VBScript to back up the logs to EVT files:
http://msdn.microsoft.com/en-us/library/aa384808(VS.85).aspx

Then, you could use PSLogList.exe to query those offline EVT files for anything you were after.

Try this script.  It performs tasks 1 to 3 on all computers in "computers.txt"

It will write to a log file as well.

For task 4, query the EVT files, you can use PSLogList to do that:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

The -l switch can be pointed to an EVT file.

The only that this script relies on at this point, to back up the remote logs, is that there is the C$ share that exists.  It backs up there first on each remote computer, then moves that EVT to the central location.

Regards,

Rob.
arrEventLogs = Array("Application", "Directory Service", "Security", "System", "File Replication Service")

strInputFile = "computers.txt"

strLogLocation = "\\server\share\ServerEvents\"

If Right(strLogLocation, 1) <> "\" Then strLogLocation = strLogLocation & "\"

strScriptLog = strLogLocation & "ScriptLog.log"

strDate = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)



intDaysToKeep = 14

PurgeFiles strLogLocation, intDaysToKeep



Set objFSO = CreateObject("Scripting.FileSystemObject")

Const intForReading = 1

Const intForAppending = 8

Set objScriptLog = objFSO.OpenTextFile(strScriptLog, intForAppending, True)

Set objInputFile = objFSO.OpenTextFile(strInputFile, intForReading, False)

While Not objInputFile.AtEndOfStream

	strComputer = objInputFile.ReadLine

	If Ping(strComputer) = True Then

		On Error Resume Next

		Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")

		If Err.Number = 0 Then

			On Error GoTo 0

			For Each strLog In arrEventLogs

				Set colLogs = objWMI.ExecQuery("Select * From Win32_NTEventlogFile Where Logfilename = '" & strLog & "'")

				' colLogs.Count returns 1 if there are events available

				If colLogs.Count = 1 Then

					For Each objLog In colLogs

						strLocalBackupFile = "\\" & strComputer & "\C$\" & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"

						strBackupFile = strLogLocation & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"

						On Error Resume Next

						If objFSO.FileExists(strLocalBackupFile) = True Then objFSO.DeleteFile strLocalBackupFile, True

						intReturn = objLog.BackupEventLog(strLocalBackupFile)

						If Err.Number = 0 And intReturn = 0 Then

							On Error GoTo 0

							If objFSO.FileExists(strBackupFile) = True Then objFSO.DeleteFile strBackupFile, True

							objFSO.MoveFile strLocalBackupFile, strBackupFile

							objScriptLog.WriteLine Now & ": " & strLog & " log on " & strComputer & " backed up to " & strBackupFile

						Else

							If Err.Number <> 0 Then

								objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Error " & Err.Number & ": " & Err.Description						

							Else

								objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Return code: " & intReturn

							End If

							Err.Clear

							On Error GoTo 0

						End If

					Next

				Else

					objScriptLog.WriteLine Now & ": There are no events in the " & strLog & " log on " & strComputer

				End If

			Next

		Else

			objScriptLog.WriteLine Now & ": WMI Error connecting to " & strComputer & ". Error " & Err.Number & ": " & Err.Description

			Err.Clear

			On Error GoTo 0

		End If

	Else

		On Error GoTo 0

		objScriptLog.WriteLine Now & ": " & strComputer & " is offline."

	End If

Wend

objInputFile.Close

objScriptLog.Close



MsgBox "Done. Please see " & strScriptLog



Function Ping(strComputer)

	Dim objShell, boolCode

	Set objShell = CreateObject("WScript.Shell")

	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)

	If boolCode = 0 Then

		Ping = True

	Else

		Ping = False

	End If

End Function



Sub PurgeFiles(strPath, intDaysOld)

	Set objFSO = CreateObject("Scripting.FileSystemObject")

	dtePurgeDate = DateAdd("d", -intDaysOld, Date)

	For Each objFile In objFSO.GetFolder(strPath).Files

		If objFile.DateCreated < dtePurgeDate Then objFSO.DeleteFile objFile.Path, True

	Next

End Sub

Open in new window

0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33538618
I leave it to you Rob, seems like you've done a nice job here.

Syldra
0
 
LVL 1

Author Comment

by:crezaee
ID: 33561103
Rob,

Seems to be running right now...however i'm getting the following message: (i masked actual server name with *'s)

8/30/2010 2:07:12 PM: Error backing up Security on ************* . Return code: 1450
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 33563338
Hi, error 1450 seems to be "invalid resources".  There is some talk on that error here:
http://support.microsoft.com/kb/317249

But I would first test out if you can manually backup the Security log on that machine.  Is it a domain controller?  This post has had the same issue with a domain controller.....
http://www.servernewsgroups.net/group/microsoft.public.windows.server.scripting/topic23523.aspx

Also, does that server have a C$ share enabled, that you can access?

Try this code....it will check for the C$ share before trying to backup the event log.

Regards,

Rob.
arrEventLogs = Array("Application", "Directory Service", "Security", "System", "File Replication Service")

strInputFile = "computers.txt"

strLogLocation = "\\server\share\ServerEvents\"

If Right(strLogLocation, 1) <> "\" Then strLogLocation = strLogLocation & "\"

strScriptLog = strLogLocation & "ScriptLog.log"

strDate = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)



intDaysToKeep = 14

PurgeFiles strLogLocation, intDaysToKeep



Set objFSO = CreateObject("Scripting.FileSystemObject")

Const intForReading = 1

Const intForAppending = 8

Set objScriptLog = objFSO.OpenTextFile(strScriptLog, intForAppending, True)

Set objInputFile = objFSO.OpenTextFile(strInputFile, intForReading, False)

While Not objInputFile.AtEndOfStream

	strComputer = objInputFile.ReadLine

	If Ping(strComputer) = True Then

		On Error Resume Next

		Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer & "\root\cimv2")

		If Err.Number = 0 Then

			On Error GoTo 0

			For Each strLog In arrEventLogs

				Set colLogs = objWMI.ExecQuery("Select * From Win32_NTEventlogFile Where Logfilename = '" & strLog & "'")

				' colLogs.Count returns 1 if there are events available

				If colLogs.Count = 1 Then

					For Each objLog In colLogs

						strLocalBackupFile = "\\" & strComputer & "\C$\" & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"

						strBackupFile = strLogLocation & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"

						On Error Resume Next

						If objFSO.FolderExists("\\" & strComputer & "\C$") = True Then

							If objFSO.FileExists(strLocalBackupFile) = True Then objFSO.DeleteFile strLocalBackupFile, True

							intReturn = objLog.BackupEventLog(strLocalBackupFile)

							If Err.Number = 0 And intReturn = 0 Then

								On Error GoTo 0

								If objFSO.FileExists(strBackupFile) = True Then objFSO.DeleteFile strBackupFile, True

								objFSO.MoveFile strLocalBackupFile, strBackupFile

								objScriptLog.WriteLine Now & ": " & strLog & " log on " & strComputer & " backed up to " & strBackupFile

							Else

								If Err.Number <> 0 Then

									objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Error " & Err.Number & ": " & Err.Description						

								Else

									objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Return code: " & intReturn

								End If

								Err.Clear

								On Error GoTo 0

							End If

						Else

							objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". C$ share does not exist on " & strComputer

						End If

					Next

				Else

					objScriptLog.WriteLine Now & ": There are no events in the " & strLog & " log on " & strComputer

				End If

			Next

		Else

			objScriptLog.WriteLine Now & ": WMI Error connecting to " & strComputer & ". Error " & Err.Number & ": " & Err.Description

			Err.Clear

			On Error GoTo 0

		End If

	Else

		On Error GoTo 0

		objScriptLog.WriteLine Now & ": " & strComputer & " is offline."

	End If

Wend

objInputFile.Close

objScriptLog.Close



MsgBox "Done. Please see " & strScriptLog



Function Ping(strComputer)

	Dim objShell, boolCode

	Set objShell = CreateObject("WScript.Shell")

	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)

	If boolCode = 0 Then

		Ping = True

	Else

		Ping = False

	End If

End Function



Sub PurgeFiles(strPath, intDaysOld)

	Set objFSO = CreateObject("Scripting.FileSystemObject")

	dtePurgeDate = DateAdd("d", -intDaysOld, Date)

	For Each objFile In objFSO.GetFolder(strPath).Files

		If objFile.DateCreated < dtePurgeDate Then objFSO.DeleteFile objFile.Path, True

	Next

End Sub

Open in new window

0
 
LVL 1

Author Comment

by:crezaee
ID: 33569496
Bingo.  Error 1450 has to do with system resources.  i ran the script before I cleared the security log (which was 118MB) and it failed.... cleared the log...ran the script and the security log backed up perfectly fine.

Would there be anything I could do to query the event logs that are dumped afterwards? I'm thinking my best approach would be to do some kind of hourly export to a database the that only imports stuff for example from 1PM-1:59PM.  Then the next task would be 2PM-2:59, 3PM-3:59, etc, etc.

Could you recommend what you would do personally?

I'm going to accept this solution but please give me some input on what to do for querying with the .evt files that are dumped to the remote share.



0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33572606
Sure, to query the EVT files, you can use PSLogList to do that:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

The -l switch can be pointed to an EVT file.

Running a command like
psloglist.exe -accepteula -m 60 -l \\server\share\EventLog.evt

which would retrieve events for the last 60 minutes from that log file.

Regards,

Rob.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Deploying a Microsoft Access application in a Citrix environment is not difficult but takes a few steps. However, Citrix system people are often of little help, as they typically know next to nothing about Access. The script provided here will take …
"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now