Solved

Event Viewer Dumping

Posted on 2010-11-10
5
455 Views
Last Modified: 2012-05-10
Hello All,

I'm trying to find a script or some method to dump all Security Events into a shared UNC path to which I run the batch or script file on, then it should automatically clear the logs. I have a few different methods in place to push out scripts and batch files remotely, but we have a new rentention policy for audit trails and this one one that I haven't quie been able to nail down.

Any help would be appreciated.
0
Comment
Question by:ValleyENT
5 Comments
 
LVL 52

Expert Comment

by:Bill Prew
ID: 34108740
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34108913
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 34121225
What I did previously was create a scheduled task on each server, which references this script.

What it does it run regularly to check the size of the log. When it reaches a "maxium" size, it then copies the logfile on the share, which is named the "Servername_EventLogType_Date.evt" and clears out the original Log (so the size is back down again).
Dim objShell: Set objShell=CreateObject("Wscript.Shell")



set shell = WScript.CreateObject( "WScript.Shell" )



'Set Date format for file save

'--------------------------

If Month(Date) < 10 Then

  currDate="0" & Month(Date)

Else

  currDate= Month(Date)

End If

If Day(Date) <10 Then

  currDate = currDate & "0" & Day(Date)& Year(Date)

Else

  currDate = currDate & Day(Date) & Year(Date)

End If

'--------------------------





'objShell.Popup "1", 1



'grab server name

computername = shell.ExpandEnvironmentStrings("%COMPUTERNAME%")

 

'create folder if does not exist

'--------------------------

dim newFolder

Set objFSO = CreateObject("Scripting.FileSystemObject")

If  Not objFSO.FolderExists("\\ServerShare\ArchivedLogs\" & computername & "\") Then

   newfolder = objFSO.CreateFolder ("\\ServerShare\ArchivedLogs\" & computername & "\")

End If

'--------------------------





strComputer = "."

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2")

 

Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile")

'objShell.Popup "2", 1

For Each objLogfile in colLogFiles

    'objShell.Popup "3!", 1

    If objLogFile.FileSize > 82837504 Then

	'objShell.Popup "4!", 1

       	strBackupLog = objLogFile.BackupEventLog("\\ServerShare\ArchivedLogs\" & computername & "\" & computername & "_" & objLogFile.LogFileName & "_" & currDate & ".evt")

       	objLogFile.ClearEventLog()

    End If

Next

Open in new window

0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 34121278
Also take a look at an old question I posted, on how to create the Scheduled Tasks remotely on all servers...

http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Batch/Q_24155714.html
0
 
LVL 4

Author Closing Comment

by:ValleyENT
ID: 34142015
Worked perfectly. Thank you.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Not long ago I saw a question in the VB Script forum that I thought would not take much time. You can read that question (Question ID  (http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_28455246.html)28455246) Here (http…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now