Windows 2003 Server EventLog Archive Script

Use the following two scripts to configure EventLog archiving on Windows servers. This should also work on Windows 2008, but it has not been tested there, and Windows 2008 offers different methods.
The first script, Eventlog_Archieve.vbs, is the core script; it compresses all the event log data into .zip files.

The second script, Rollout.cmd, copies this script to a list of servers and configures it on each of them.

EVENTLOG_ARCHIEVE.VBS

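Option Explicit

' Eventlog_Archieve.vbs
'
' Backs up the Application, Security and System event logs of the local
' machine to dated .evt files, compresses each backup with pkzip25.exe,
' deletes the uncompressed .evt and finally removes files in the log folder
' that are older than the retention period (RETENTION_DAYS, 1825 = 5 years).
'
' The script runs unattended (Rollout.cmd schedules it with AT, so it runs
' as LocalSystem). Nothing is ever cleared or deleted before the copy that
' replaces it is confirmed on disk: a failed backup leaves the live log
' untouched and a failed zip leaves the .evt in place. Failures are written
' to the Application log via WScript.Shell.LogEvent so they can be picked
' up by monitoring.
'
' NOTE(review): because this file and pkzip25.exe are executed by AT as
' LocalSystem, the ACL on D:\EventLogs should allow write access to
' administrators only - confirm on each rolled-out server.

' Maximum run time in seconds; backing up large logs can take a while.
WScript.Timeout = 1500

' Folder that holds pkzip25.exe and one archive subfolder per log.
Const ARCHIVE_ROOT = "D:\EventLogs\"
' Retention in days for files in each archive folder.
Const RETENTION_DAYS = 1825
' Local machine, as used in the WMI moniker.
Const LOCAL_COMPUTER = "."
' WScript.Shell.LogEvent type for an error entry.
Const EVENT_ERROR = 1

ArchiveEventLog "Application", ARCHIVE_ROOT & "Application\", RETENTION_DAYS
ArchiveEventLog "Security",    ARCHIVE_ROOT & "Security\",    RETENTION_DAYS
ArchiveEventLog "System",      ARCHIVE_ROOT & "System\",      RETENTION_DAYS


' Backs up, compresses and rotates one event log.
'   logName - Win32_NTEventLogFile.LogfileName value ("Application", ...).
'   logPath - folder (with trailing backslash) that receives the archives;
'             created if missing, since Rollout.cmd only creates the root.
'   numDays - files in logPath older than this many days are deleted.
' Returns nothing; failures are logged, not raised.
Sub ArchiveEventLog(logName, logPath, numDays)
    Dim objFSO, objShell, objWMIService, colLogFiles, objLogFile
    Dim folderName, stamp, evtFile, zipFile, backupResult, comstr, rc, f

    Set objFSO   = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("WScript.Shell")

    ' Both the Backup and Security privileges are requested: backing up and
    ' clearing the Security log requires more than the Backup privilege.
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & LOCAL_COMPUTER & "\root\cimv2")

    Set colLogFiles = objWMIService.ExecQuery _
        ("Select * from Win32_NTEventLogFile where LogfileName='" & logName & "'")

    ' Same naming scheme as before: D-M-YYYY_<log>.evt and D-M-YYYY-<log>.zip.
    stamp   = Day(Date) & "-" & Month(Date) & "-" & Year(Date)
    evtFile = logPath & stamp & "_" & logName & ".evt"
    zipFile = logPath & stamp & "-" & logName & ".zip"

    ' Make sure the destination folder exists (CreateFolder wants no
    ' trailing backslash).
    folderName = logPath
    If Right(folderName, 1) = "\" Then folderName = Left(folderName, Len(folderName) - 1)
    If Not objFSO.FolderExists(folderName) Then objFSO.CreateFolder folderName

    '----- Backup and clear -------------------------------------------------
    For Each objLogFile In colLogFiles
        backupResult = objLogFile.BackupEventLog(evtFile)
        ' BackupEventLog returns 0 on success (for example 183 when the
        ' target file already exists). The live log is cleared only after a
        ' successful backup; clearing it unconditionally, as before, would
        ' silently discard audit data whenever the backup failed.
        If backupResult = 0 Then
            objLogFile.ClearEventLog()
        Else
            objShell.LogEvent EVENT_ERROR, "Eventlog_Archieve: BackupEventLog(" & logName & ") to " _
                & evtFile & " failed with code " & backupResult & "; log not cleared"
        End If
    Next

    '----- Zip the backup ---------------------------------------------------
    If objFSO.FileExists(evtFile) Then
        ' Paths are quoted so folders with spaces still work. Run() with
        ' bWaitOnReturn=True replaces the old Exec + fixed 60 s sleep: the
        ' .evt must not be deleted while pkzip may still be reading it.
        comstr = """" & ARCHIVE_ROOT & "pkzip25.exe"" -add """ & zipFile & """ """ & evtFile & """"
        rc = objShell.Run(comstr, 0, True)
        ' Any non-zero exit or a missing .zip is treated as failure and the
        ' uncompressed backup is kept.
        If rc = 0 And objFSO.FileExists(zipFile) Then
            objFSO.DeleteFile evtFile
        Else
            objShell.LogEvent EVENT_ERROR, "Eventlog_Archieve: pkzip25 exit code " & rc _
                & " for " & zipFile & "; " & evtFile & " kept"
        End If
    End If

    '----- Retention --------------------------------------------------------
    ' DateLastModified is used instead of the Explorer "Date Modified"
    ' column, whose index and date format depend on the OS and locale.
    For Each f In objFSO.GetFolder(logPath).Files
        If DateDiff("d", f.DateLastModified, Date) > CInt(numDays) Then
            f.Delete
        End If
    Next
End Sub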

 

 
ROLLOUT.CMD
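@echo off
REM Rollout.cmd - copies the archive script to every server in a list and
REM schedules it with AT (the job then runs as LocalSystem on the target).
REM Run it from the folder that holds eventlog_archieve.vbs and pkzip25.exe:
REM XCOPY *.* sends every file in the current folder to D:\Eventlogs.
REM Re-running the rollout adds a second AT job on servers that already
REM have one; remove the old job first (AT \\server <id> /DELETE).
SETLOCAL
CLS
color 1F

SET /p username=" Local Admin username: "
REM SET /p echoes the password while it is typed and NET USE receives it on
REM the command line; run this from a console nobody else can observe.
SET /p password=" Local Admin password: "
SET /p serverlist=" Serverlist.txt: "

IF NOT EXIST "%serverlist%" (
    ECHO Server list "%serverlist%" not found.
    GOTO :EXIT
)

FOR /F %%a in (%serverlist%) DO CALL :START %%a
REM Without this jump execution falls through into :START once more with
REM an empty hostname after the loop finishes.
GOTO :EXIT

:START
SET hostname=%1
ECHO === %hostname% ===

REM Drop any stale mapping before connecting to the next server.
NET USE K: /DELETE /Y >NUL 2>&1
NET USE \\%hostname%\IPC$ /USER:%username% %password% /PERSISTENT:NO
IF ERRORLEVEL 1 (
    ECHO Could not connect to %hostname%; skipping.
    GOTO :EOF
)
NET USE K: \\%hostname%\D$ /USER:%username% %password% /PERSISTENT:NO
MD K:\eventlogs 2>NUL
REM /Y keeps a re-run unattended (no overwrite prompt); the trailing
REM backslash tells XCOPY the destination is a folder.
XCOPY *.* \\%hostname%\d$\Eventlogs\ /Y
AT \\%hostname% 23:00 /every:M,T,W,Th,F "D:\Eventlogs\eventlog_archieve.vbs"
REM Tear down both connections that were opened. The previous version
REM deleted "\IPC" (no $) and so left the authenticated sessions open.
NET USE K: /DELETE /Y >NUL 2>&1
NET USE \\%hostname%\IPC$ /DELETE /Y >NUL 2>&1
GOTO :EOF

:EXIT
REM Clear the credentials from the environment before leaving.
SET password=
SET username=
ENDLOCAL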
