Kenneth Platt
asked on
Export Security Log Files to a network share
How do I set up exporting security log files from domain controllers to a network shared folder?
Can this be set up to export and save only log on and log off failed and successful events?
Hello Kenneth:
There is a nearly hidden feature of the Event Viewer by Microsoft: the ability to auto-archive the logs to a path.
First you have to enable autoarchiving by accessing the properties of the security log.
You also have settings within Group Policy, which give you even more control over the security log and how it is archived.
Please also check the following link:
https://blogs.manageengine.com/active-directory/2015/03/20/autoarchiving-security-logs-in-event-viewer.html
ASKER
This was helpful for a one-time export. What I need is to have the security log files continuously get exported to a network share and ensure none of the security log files are lost. I do not really use PowerShell enough to figure out what would work for me in the links you sent. Perhaps I could get another response please?
Thank you
Then the only option you can archive using the GPO in central location
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security
ASKER
This looks like it might be the solution I need. I will need some time to check it out
Thank you
Take your time and keep me updated. If you need more details...
ASKER
I will look into it more, thank you. Tomorrow is when I need to work more on this. Again Thank you
ASKER
I tried using https://blogs.manageengine.com/active-directory/2015/03/20/autoarchiving-security-logs-in-event-viewer.html and "Then the only option you can archive using the GPO in central location
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security" but I am not getting any security log entries / events copied or moved over to the network share I set up.
Any insight or other suggestions?
Buy the Change Auditor tool from Quest. There are no free tools for your requirement.
ASKER
This kind of answer more or less makes me think Experts Exchange may not be worth it
I don't want to waste your time by giving you an answer which won't work. I told you the solution which works. The rest you are free to decide.
ASKER
I am cancelling this for now
Solution is given already. User looking for free solution, which is not available.
ASKER
I guess we can agree to disagree. You feel a solution has been given. I do not. It's simple. Let the question be deleted sir.
ASKER
No thanks
I reckon the fundamental issue with any free scripting approach is that you would have to poll the event log for new entries (having noted a timestamp or unique ID like the EventRecordID somewhere) on a regular timeframe short enough to make sure you catch all records.
On the other hand it remained unresolved why the approach you took with setting up autoarchiving in combination with a GPO for using a network path does not work. Some research reveals that this seems to be intentional, see e.g. https://serverfault.com/questions/606051/event-logs-saved-on-network-share. And I agree archiving on a network share as the primary location is calling for issues, so I can follow what is being said there.
So you should either use a local path, then move archives e.g. with a scheduled task as often as sensible; or use a central log server as suggested in the serverfault link.
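The polling approach described in the post above (bookmark the last EventRecordID, write to a local path, then move the files to the share), as an added example that is not part of the original thread. The paths, the share name and the choice of event IDs 4624, 4625, 4634 and 4647 are assumptions; it is meant to run from a scheduled task under an account that can read the Security log.

```powershell
# Added example: incremental export of logon/logoff events, bookmarked by EventRecordID.
# Every path and share name below is a placeholder, not a value from the thread.
$ErrorActionPreference = 'Stop'
$StateFile = 'C:\SecLogExport\last-record-id.txt'  # bookmark file (assumed path)
$SpoolDir  = 'C:\SecLogExport\spool'               # local staging folder (assumed path)
$ShareDir  = '\\fileserver\seclogs'                # destination share (assumed name)
$EventIds  = 4624, 4625, 4634, 4647  # logon, failed logon, logoff, user-initiated logoff

New-Item -ItemType Directory -Path $SpoolDir -Force | Out-Null
$last = [long]0
if (Test-Path $StateFile) { $last = [long](Get-Content $StateFile -TotalCount 1) }

# Fix the upper bound first so the bookmark covers exactly what this run examined.
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest

# Records between the bookmark and the oldest surviving record were overwritten
# before this run could read them: the polling interval or log size is too small.
if ($last -gt 0 -and $oldest.RecordId -gt ($last + 1)) {
    Write-Warning "Gap: records $($last + 1)..$($oldest.RecordId - 1) are no longer in the log"
}

$idFilter = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath = "*[System[($idFilter) and EventRecordID > $last and EventRecordID <= $($newest.RecordId)]]"
$events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue)

if ($events.Count -gt 0) {
    $file = Join-Path $SpoolDir ('{0}-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, (Get-Date))
    $events | Select-Object RecordId, TimeCreated, Id, MachineName, Message |
        Export-Csv -Path $file -Append -NoTypeInformation -Encoding UTF8
}
# Advance the bookmark only after the local write succeeded.
Set-Content -Path $StateFile -Value $newest.RecordId

# Ship the spool to the share; files left over from an outage are retried next run.
robocopy $SpoolDir $ShareDir *.csv /R:2 /W:5 | Out-Null
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy failed with exit code $LASTEXITCODE" }
```

A gap warning means the Security log wrapped between two runs, so either the task interval has to shrink or the maximum log size has to grow.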
If you want to schedule or set up mailing the same on a regular basis then you can use PowerShell to configure the same:
https://gallery.technet.microsoft.com/scriptcenter/Export-Windows-event-log-ecdfadfc
https://gallery.technet.microsoft.com/scriptcenter/Export-EventLog-18a87c2c