?
Solved

Event Logs (Application, System, Security event logs) script for Windows Server 2008 R2

Posted on 2013-06-18
9
Medium Priority
?
4,096 Views
Last Modified: 2013-08-15
I need a good event log script that will work on my new servers (Windows server 2008 r2). The event log script I used for my old Windows Server 2003 does not work properly on Windows Server 2008 r2. Just need to automatically save and clear the server event logs (application, system and security) to a specific location monthly.
0
Comment
Question by:jslaught
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 16

Expert Comment

by:gurutc
ID: 39258912
You can also use Sysinternals psloglist in a task.  I use it to catch my rapidly turning over Security Log events every 5 minutes:

d:
cd \locks

psloglist /accepteula \\dc1,dc2 -i 4767,4771,1625,4772,4724,4740 security -s -m 10 >testdc1.txt
psloglist /accepteula \\dc1,dc2 -i 4298 application -s -m 18 >>testdc1.txt

Set CURRDATE=CURRDATE.TMP
Set CURRTIME=CURRTIME.TMP

DATE /T > %CURRDATE%
TIME /T > %CURRTIME%

Set PARSEARG="eol=; tokens=1,2,3,4* delims=/, "
For /F %PARSEARG% %%i in (%CURRDATE%) Do SET YYYYMMDD=%%l%%k%%j

Set PARSEARG="eol=; tokens=1,2,3* delims=:, "
For /F %PARSEARG% %%i in (%CURRTIME%) Do Set HHMM=%%i%%j%%k

rem Echo RENAME %1 %1_%YYYYMMDD%%HHMM%
RENAME testdc1.txt  %YYYYMMDD%%HHMM%.txt

move d:\locks\*.txt d:\dsdata\locklogs

This works to capture the log data.  I just set the logs to overwrite old events.
- gurutc
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39258944
It seems like most people don't know about this feature, but Windows will rotate the log files automatically if so-configured. Look for "AutoBackupLogFiles" in this file.

You can configure this on a server-for-server basis, but that's tedious for a large number of servers. I created an Administrative Template to set this on server computers, and then scripted a startup script to add a scheduled task to periodically pick up, ZIP, and move the log files to a retention location. It worked really well, and was cheap!

http://mx02.wellbury.com/misc/EventLogPolicy.adm

for more help take a look

http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 16

Expert Comment

by:gurutc
ID: 39259124
Good post, but our log files turn over so fast that we only grab the events we care about.  Psloglist will hit all our DCs from one DC.  Not saying the autobackuplogfiles isn't a good idea, but we'd use gigs of space per day at the rate our logs fill.

- gurutc
0
 
LVL 15

Accepted Solution

by:
ZabagaR earned 400 total points
ID: 39266673
Windows 2008 R2 has a built in command WEVTUTIL.EXE for this.
Make a windows scheduled task that runs the 1st of every month using WEVTUTIL.EXE

command syntax for clearing a log:
wevtutil cl <LogName> [/bu: <backup_file_name>]

If you wanted to clear and save the application log, system and security logs:

wevtutil.exe cl Application /bu:C:\logs\applog.evtx
wevtutil.exe cl System /bu:C:\logs\syslog.evtx
wevtutil.exe cl Security /bu:C:\logs\seclog.evtx

Schedule the 3-line batch script to run once per month.
0
 

Author Comment

by:jslaught
ID: 39267132
WEVTUTIL.EXE works great in a command prompt. Tried to run the 3-lines in a .bat file manually before putting them in and nothing happens? What am I doing wrong?
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39267163
I'm not sure. I put the 3 lines in "test.bat" then double-clicked on it.  It worked fine for me.
Put a PAUSE statement at the end of the 3 lines so you can see what it did or didn't do.
0
 

Author Comment

by:jslaught
ID: 39287102
I'm getting an "access denied" error message when running the .bat with a PAUSE statement. Trying to troubleshoot it when I have a chance unless you have suggestions.
0
 

Author Closing Comment

by:jslaught
ID: 39412968
Was able to make the suggestion from the expert work finally. I had to run the wevtutil.exe commands as an admin to make it work via a .bat file through the command line and through task scheduler. I even researched and found out how to append the current date to the wevtutil.exe command:

example:

wevtutil.exe cl application /bu:\\c:\temp\application_%Date:~4,2%-Date:~7,2%.evtx

Thanks for the assistance!
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question