Solved

Event Viewer Dumping

Posted on 2010-11-10
5
462 Views
Last Modified: 2012-05-10
Hello All,

I'm trying to find a script or some method to dump all Security Events into a shared UNC path to which I run the batch or script file on, then it should automatically clear the logs. I have a few different methods in place to push out scripts and batch files remotely, but we have a new rentention policy for audit trails and this one one that I haven't quie been able to nail down.

Any help would be appreciated.
0
Comment
Question by:ValleyENT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 56

Expert Comment

by:Bill Prew
ID: 34108740
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 34121225
What I did previously was create a scheduled task on each server, which references this script.

What it does it run regularly to check the size of the log. When it reaches a "maxium" size, it then copies the logfile on the share, which is named the "Servername_EventLogType_Date.evt" and clears out the original Log (so the size is back down again).
Dim objShell: Set objShell=CreateObject("Wscript.Shell")

set shell = WScript.CreateObject( "WScript.Shell" )

'Set Date format for file save
'--------------------------
If Month(Date) < 10 Then
  currDate="0" & Month(Date)
Else
  currDate= Month(Date)
End If
If Day(Date) <10 Then
  currDate = currDate & "0" & Day(Date)& Year(Date)
Else
  currDate = currDate & Day(Date) & Year(Date)
End If
'--------------------------


'objShell.Popup "1", 1

'grab server name
computername = shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
 
'create folder if does not exist
'--------------------------
dim newFolder
Set objFSO = CreateObject("Scripting.FileSystemObject")
If  Not objFSO.FolderExists("\\ServerShare\ArchivedLogs\" & computername & "\") Then
   newfolder = objFSO.CreateFolder ("\\ServerShare\ArchivedLogs\" & computername & "\")
End If
'--------------------------


strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2")
 
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile")
'objShell.Popup "2", 1
For Each objLogfile in colLogFiles
    'objShell.Popup "3!", 1
    If objLogFile.FileSize > 82837504 Then
	'objShell.Popup "4!", 1
       	strBackupLog = objLogFile.BackupEventLog("\\ServerShare\ArchivedLogs\" & computername & "\" & computername & "_" & objLogFile.LogFileName & "_" & currDate & ".evt")
       	objLogFile.ClearEventLog()
    End If
Next

Open in new window

0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 34121278
Also take a look at an old question I posted, on how to create the Scheduled Tasks remotely on all servers...

http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Batch/Q_24155714.html
0
 
LVL 4

Author Closing Comment

by:ValleyENT
ID: 34142015
Worked perfectly. Thank you.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question