crezaee
asked on
Archive Event Logs for 14 days to network location.
Need help archiving event logs from a server to a shared location amongst all of my domain controllers.
All of our DCs (155 in total) are Windows Server 2003.
Need to be able to specify a LIST of servers to run the scheduled task on from one of our root forest DCs.
1. Daily event log archiving of each event log (App, Directory Services, Security, System, FRS) to a shared location accessible by all DCs.
2. Oldest file is replaced on the 15th day by the most recent event log.
3. Ability to use the system account with backup impersonation (instead of having to create a service account that is a domain admin, since it's running on the DCs).
4. Ability to query the exported logs for specific event IDs, etc. PLEASE HELP!
Hi, you could also start here, in terms of querying the event logs:
https://www.experts-exchange.com/questions/26389889/Script-that-Checks-event-log-for-Specific-Events-and.html
It uses Microsoft's PSLogList.exe tool. It allows a username and password to be supplied, and could output 14 days' worth of events (by using the -a switch) to a CSV file.
Regards,
Rob.
ASKER
SylvainDrapeau,
OK. Thanks. If I don't need any way to query the archived event files, could you help? There are typos in that code you linked.
1. Back up all event logs from DCs to a network location, keep for 14 days, overwrite the oldest file with the new file after 14 days.
Oh... I did not test the code, I didn't know there were errors, sorry about that.
I'll look into it later tonight, with, I hope, a working solution.
Syldra
You could just use the BackupEventLog command in VBScript to back up the logs to EVT files:
http://msdn.microsoft.com/en-us/library/aa384808(VS.85).aspx
Then, you could use PSLogList.exe to query those offline EVT files for anything you were after.
Try this script. It performs tasks 1 to 3 on all computers in "computers.txt".
It will write to a log file as well.
For task 4, querying the EVT files, you can use PSLogList to do that:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx
The -l switch can be pointed to an EVT file.
The only thing that this script relies on at this point, to back up the remote logs, is that the C$ share exists. It backs up there first on each remote computer, then moves that EVT to the central location.
Regards,
Rob.
' Event logs to back up on each computer (names as they appear in Win32_NTEventlogFile.Logfilename)
arrEventLogs = Array("Application", "Directory Service", "Security", "System", "File Replication Service")
strInputFile = "computers.txt"
strLogLocation = "\\server\share\ServerEvents\"
If Right(strLogLocation, 1) <> "\" Then strLogLocation = strLogLocation & "\"
strScriptLog = strLogLocation & "ScriptLog.log"
strDate = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)
intDaysToKeep = 14

' Delete archives older than intDaysToKeep days from the central location
PurgeFiles strLogLocation, intDaysToKeep

Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
Const intForAppending = 8
Set objScriptLog = objFSO.OpenTextFile(strScriptLog, intForAppending, True)
Set objInputFile = objFSO.OpenTextFile(strInputFile, intForReading, False)

While Not objInputFile.AtEndOfStream
    strComputer = objInputFile.ReadLine
    If Ping(strComputer) = True Then
        On Error Resume Next
        ' Connect with the Backup privilege so the Security log can be read without a domain admin account
        Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
        If Err.Number = 0 Then
            On Error GoTo 0
            For Each strLog In arrEventLogs
                Set colLogs = objWMI.ExecQuery("Select * From Win32_NTEventlogFile Where Logfilename = '" & strLog & "'")
                ' colLogs.Count returns 1 if there are events available
                If colLogs.Count = 1 Then
                    For Each objLog In colLogs
                        ' Back up to the remote computer's C$ share first, then move to the central location
                        strLocalBackupFile = "\\" & strComputer & "\C$\" & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"
                        strBackupFile = strLogLocation & strComputer & "_" & Replace(strLog, " ", "_") & "_" & strDate & ".evt"
                        On Error Resume Next
                        If objFSO.FileExists(strLocalBackupFile) = True Then objFSO.DeleteFile strLocalBackupFile, True
                        intReturn = objLog.BackupEventLog(strLocalBackupFile)
                        If Err.Number = 0 And intReturn = 0 Then
                            On Error GoTo 0
                            If objFSO.FileExists(strBackupFile) = True Then objFSO.DeleteFile strBackupFile, True
                            objFSO.MoveFile strLocalBackupFile, strBackupFile
                            objScriptLog.WriteLine Now & ": " & strLog & " log on " & strComputer & " backed up to " & strBackupFile
                        Else
                            If Err.Number <> 0 Then
                                objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Error " & Err.Number & ": " & Err.Description
                            Else
                                objScriptLog.WriteLine Now & ": Error backing up " & strLog & " on " & strComputer & ". Return code: " & intReturn
                            End If
                            Err.Clear
                            On Error GoTo 0
                        End If
                    Next
                Else
                    objScriptLog.WriteLine Now & ": There are no events in the " & strLog & " log on " & strComputer
                End If
            Next
        Else
            objScriptLog.WriteLine Now & ": WMI Error connecting to " & strComputer & ". Error " & Err.Number & ": " & Err.Description
            Err.Clear
            On Error GoTo 0
        End If
    Else
        On Error GoTo 0
        objScriptLog.WriteLine Now & ": " & strComputer & " is offline."
    End If
Wend

objInputFile.Close
objScriptLog.Close
MsgBox "Done. Please see " & strScriptLog

' Returns True if the computer answers a single ping within 300 ms
Function Ping(strComputer)
    Dim objShell, boolCode
    Set objShell = CreateObject("WScript.Shell")
    boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
    If boolCode = 0 Then
        Ping = True
    Else
        Ping = False
    End If
End Function

' Deletes every file in strPath whose creation date is older than intDaysOld days
Sub PurgeFiles(strPath, intDaysOld)
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    dtePurgeDate = DateAdd("d", -intDaysOld, Date)
    For Each objFile In objFSO.GetFolder(strPath).Files
        If objFile.DateCreated < dtePurgeDate Then objFSO.DeleteFile objFile.Path, True
    Next
End Sub
I leave it to you Rob, seems like you've done a nice job here.
Syldra
ASKER
Rob,
Seems to be running right now... however, I'm getting the following message (I masked the actual server name with *'s):
8/30/2010 2:07:12 PM: Error backing up Security on ************* . Return code: 1450
ASKER
Bingo. Error 1450 has to do with system resources. I ran the script before I cleared the security log (which was 118MB) and it failed.... cleared the log... ran the script and the security log backed up perfectly fine.
Would there be anything I could do to query the event logs that are dumped afterwards? I'm thinking my best approach would be to do some kind of hourly export to a database that only imports stuff, for example, from 1PM-1:59PM. Then the next task would be 2PM-2:59, 3PM-3:59, etc, etc.
Could you recommend what you would do personally?
I'm going to accept this solution but please give me some input on what to do for querying with the .evt files that are dumped to the remote share.
Sure, to query the EVT files, you can use PSLogList to do that:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx
The -l switch can be pointed to an EVT file.
Running a command like
psloglist.exe -accepteula -m 60 -l \\server\share\EventLog.evt
would retrieve events for the last 60 minutes from that log file.
Regards,
Rob.
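One way to turn the hourly-window idea above into a scheduled job, as an added example that is not Rob's script or the asker's code: it walks the EVT files the backup script leaves on the central share and runs PSLogList over each one for the last 60 minutes, writing CSV per file and per hour. It assumes psloglist.exe is on the PATH of the machine running the task, that the share paths below are replaced with the real ones, and that the optional event ID filter uses the -i switch.

```vbscript
' Hourly CSV export of archived EVT files with psloglist (added example, not from the thread).
' Assumes psloglist.exe is on the PATH and the two share paths are placeholders.
Option Explicit
Dim strShare, strExportRoot, intMinutes, strEventIDs
strShare = "\\server\share\ServerEvents\"          ' same central location the backup script writes to
strExportRoot = "\\server\share\ServerEvents\CSV\" ' where the hourly CSV exports go
intMinutes = 60                                    ' the asker's one-hour window
strEventIDs = ""                                   ' e.g. "529,644" to keep only those IDs; empty = all

Dim objFSO, objShell, objFile, strStamp, strOut, strCmd, intRC
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
If Not objFSO.FolderExists(strExportRoot) Then objFSO.CreateFolder strExportRoot

' Timestamp for this run (YYYYMMDD_HH) so each hourly export lands in its own CSV
strStamp = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & "_" & Right("0" & Hour(Now), 2)

For Each objFile In objFSO.GetFolder(strShare).Files
    If LCase(objFSO.GetExtensionName(objFile.Name)) = "evt" Then
        strOut = strExportRoot & objFSO.GetBaseName(objFile.Name) & "_" & strStamp & ".csv"
        ' -s: CSV output, -m: only the last N minutes, -l: read the saved EVT file, -i: only these IDs
        strCmd = "cmd /c psloglist.exe -accepteula -s -m " & intMinutes
        If strEventIDs <> "" Then strCmd = strCmd & " -i " & strEventIDs
        strCmd = strCmd & " -l """ & objFile.Path & """ > """ & strOut & """"
        intRC = objShell.Run(strCmd, 0, True)
        If intRC <> 0 Then WScript.Echo "psloglist returned " & intRC & " for " & objFile.Path
    End If
Next
```

Schedule it hourly on the machine holding the share; the -m window keeps each CSV to the events written since the previous run, and the CSVs can then be loaded into a database or searched directly.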
Building this from scratch is hours of work and I'm not sure anyone will provide you with a complete solution. But here's a starter for you:
http://www.petri.co.il/forums/showthread.php?t=16004
You can modify the script to use a list of servers instead of a static server name. Replacing the log file every 15th time should not be a problem. The tricky part will be to query the backup files. Right now I don't have a simple solution.
Syldra