Solved

Event Logs (Application, System, Security event logs) script for Windows Server 2008 R2

Posted on 2013-06-18
9
3,923 Views
Last Modified: 2013-08-15
I need a good event log script that will work on my new servers (Windows server 2008 r2). The event log script I used for my old Windows Server 2003 does not work properly on Windows Server 2008 r2. Just need to automatically save and clear the server event logs (application, system and security) to a specific location monthly.
0
Comment
Question by:jslaught
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 5

Expert Comment

by:AbhishekJha
ID: 39258750
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39258912
You can also use Sysinternals psloglist in a task.  I use it to catch my rapidly turning over Security Log events every 5 minutes:

d:
cd \locks

psloglist /accepteula \\dc1,dc2 -i 4767,4771,1625,4772,4724,4740 security -s -m 10 >testdc1.txt
psloglist /accepteula \\dc1,dc2 -i 4298 application -s -m 18 >>testdc1.txt

Set CURRDATE=CURRDATE.TMP
Set CURRTIME=CURRTIME.TMP

DATE /T > %CURRDATE%
TIME /T > %CURRTIME%

Set PARSEARG="eol=; tokens=1,2,3,4* delims=/, "
For /F %PARSEARG% %%i in (%CURRDATE%) Do SET YYYYMMDD=%%l%%k%%j

Set PARSEARG="eol=; tokens=1,2,3* delims=:, "
For /F %PARSEARG% %%i in (%CURRTIME%) Do Set HHMM=%%i%%j%%k

rem Echo RENAME %1 %1_%YYYYMMDD%%HHMM%
RENAME testdc1.txt  %YYYYMMDD%%HHMM%.txt

move d:\locks\*.txt d:\dsdata\locklogs

This works to capture the log data.  I just set the logs to overwrite old events.
- gurutc
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39258944
It seems like most people don't know about this feature, but Windows will rotate the log files automatically if so-configured. Look for "AutoBackupLogFiles" in this file.

You can configure this on a server-for-server basis, but that's tedious for a large number of servers. I created an Administrative Template to set this on server computers, and then scripted a startup script to add a scheduled task to periodically pick up, ZIP, and move the log files to a retention location. It worked really well, and was cheap!

http://mx02.wellbury.com/misc/EventLogPolicy.adm

for more help take a look

http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 16

Expert Comment

by:gurutc
ID: 39259124
Good post, but our log files turn over so fast that we only grab the events we care about.  Psloglist will hit all our DCs from one DC.  Not saying the autobackuplogfiles isn't a good idea, but we'd use gigs of space per day at the rate our logs fill.

- gurutc
0
 
LVL 15

Accepted Solution

by:
ZabagaR earned 100 total points
ID: 39266673
Windows 2008 R2 has a built in command WEVTUTIL.EXE for this.
Make a windows scheduled task that runs the 1st of every month using WEVTUTIL.EXE

command syntax for clearing a log:
wevtutil cl <LogName> [/bu: <backup_file_name>]

If you wanted to clear and save the application log, system and security logs:

wevtutil.exe cl Application /bu:C:\logs\applog.evtx
wevtutil.exe cl System /bu:C:\logs\syslog.evtx
wevtutil.exe cl Security /bu:C:\logs\seclog.evtx

Schedule the 3-line batch script to run once per month.
0
 

Author Comment

by:jslaught
ID: 39267132
WEVTUTIL.EXE works great in a command prompt. Tried to run the 3-lines in a .bat file manually before putting them in and nothing happens? What am I doing wrong?
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39267163
I'm not sure. I put the 3 lines in "test.bat" then double-clicked on it.  It worked fine for me.
Put a PAUSE statement at the end of the 3 lines so you can see what it did or didn't do.
0
 

Author Comment

by:jslaught
ID: 39287102
I'm getting an "access denied" error message when running the .bat with a PAUSE statement. Trying to troubleshoot it when I have a chance unless you have suggestions.
0
 

Author Closing Comment

by:jslaught
ID: 39412968
Was able to make the suggestion from the expert work finally. I had to run the wevtutil.exe commands as an admin to make it work via a .bat file through the command line and through task scheduler. I even researched and found out how to append the current date to the wevtutil.exe command:

example:

wevtutil.exe cl application /bu:\\c:\temp\application_%Date:~4,2%-Date:~7,2%.evtx

Thanks for the assistance!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
With User Account Control (UAC) enabled in Windows 7, one needs to open an elevated Command Prompt in order to run scripts under administrative privileges. Although the elevated Command Prompt accomplishes the task, the question How to run as script…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question