Here’s a nifty script you can use to back up and clear the Event logs on your servers.
Managing Event logs is an essential part of a system administrator’s job. These logs are useful for a number of purposes, including troubleshooting system problems, verifying that services are functioning properly, and detecting possible intrusion attempts. While you can use the Event Viewer to save and clear these logs, it would be handy to have a script that would back up your Windows Event Logs and then clear the information contained within them.
This hack provides a script to do just that. You can run it manually (by double-clicking on a desktop shortcut) or automatically at different times (by adding a task to the Scheduled Tasks folder).
Type the following script into Notepad (make sure you have Word Wrap disabled), and save it as archivelogs.vbs:
Option Explicit
On Error Resume Next

Dim numThreshold
Dim strMachine
Dim strArchivePath
Dim strMoniker
Dim refWMI
Dim colEventLogs
Dim refEventLog

If WScript.Arguments.Count < 2 Then
    WScript.Echo _
        "Usage: archivelogs.vbs <machine> <archive_path> [threshold]"
    WScript.Quit
End If

If WScript.Arguments.Count = 2 Then
    numThreshold = 0
Else
    numThreshold = WScript.Arguments(2)
    If Not IsNumeric(numThreshold) Then
        WScript.Echo "The third parameter must be a number!"
        WScript.Quit
    End If
    ' Arguments arrive as strings; convert so the range check and
    ' shouldAct() compare numbers (VBScript ranks any string above any number)
    numThreshold = CDbl(numThreshold)
    If numThreshold < 0 OR numThreshold > 100 Then
        WScript.Echo "The third parameter must be in the range 0-100"
        WScript.Quit
    End If
End If

strMachine = WScript.Arguments(0)
strArchivePath = WScript.Arguments(1)

' Enable the Backup and Security privileges needed to read and clear the Security log
strMoniker = "winMgmts:{(Backup,Security)}!\\" & strMachine
Set refWMI = GetObject(strMoniker)
If Err <> 0 Then
    WScript.Echo "Could not connect to the WMI service."
    WScript.Quit
End If

Set colEventLogs = refWMI.InstancesOf("Win32_NTEventLogFile")
If Err <> 0 Then
    WScript.Echo "Could not retrieve Event Log objects"
    WScript.Quit
End If

For Each refEventLog In colEventLogs
    'if shouldAct() returns non-zero attempt to back up
    If shouldAct(refEventLog.FileSize, refEventLog.MaxFileSize) <> 0 Then
        ' ClearEventLog with a file name writes the log to that file
        ' before clearing it; a return value of 0 means success
        If refEventLog.ClearEventLog( _
                makeFileName(refEventLog.LogfileName)) = 0 Then
            WScript.Echo refEventLog.LogfileName & _
                " archived successfully"
        Else
            WScript.Echo refEventLog.LogfileName & _
                " could not be archived"
        End If
    Else
        WScript.Echo refEventLog.LogfileName & _
            " has not exceeded the backup level"
    End If
Next

Set refEventLog = Nothing
Set colEventLogs = Nothing
Set refWMI = Nothing

' Returns 1 when the log is fuller (as a percentage of its maximum size)
' than the threshold, 0 otherwise
Function shouldAct(numCurSize, numMaxSize)
    If numMaxSize = 0 Then
        shouldAct = 0
    ElseIf (numCurSize/numMaxSize)*100 > numThreshold Then
        shouldAct = 1
    Else
        shouldAct = 0
    End If
End Function

' Builds <archive_path>\<machine>-<log>-YYYYMMDD.evt, zero-padding the
' month and day so the date is always eight digits
Function makeFileName(strLogname)
    makeFileName = strArchivePath & "\" & _
        strMachine & "-" & strLogname & "-" & _
        Year(Now) & Right("0" & Month(Now), 2) & _
        Right("0" & Day(Now), 2) & ".evt"
End Function
To run the script, use Cscript.exe, the command-line script engine of the Windows Script Host (WSH). The script uses the following command-line syntax:
archivelogs.vbs machine archive_path [threshold]
where machine is the name of the server, archive_path is the path to where you want to save the backup, and threshold is an optional parameter that checks the size (in MB) of the logs: if the logs are above the threshold value you specify, the script will back them up; otherwise, it will skip them.
The following example shows how to run the script and provides typical output when the script is executed against a domain controller (the archive directory C:\Log Files must first be created on the machine on which you run the script):
C:\>cscript.exe archivelogs.vbs srv210 "C:\Log Archive"
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Security archived successfully
System archived successfully
Directory Service archived successfully
DNS Server archived successfully
File Replication Service archived successfully
Application archived successfully
C:\>
The result of running the script is a set of files in C:\Log Files of the form srv210-Application-20031217.evt, srv210-Security-20031217.evt, and so on. Note that each archive file is named according to the server, event log, and current date.
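The same archive-and-clear loop written for Windows PowerShell, as an added example that is not part of the hack's original script. It uses the same Win32_NTEventLogFile class and ClearEventLog method, applies the threshold the way the VBScript's shouldAct() does (as a percentage of each log's maximum size, 0 meaning "always archive"), and names the archive files server-log-date as described above. The script name, parameter names and the New-ArchiveFileName helper are my own choices, not anything the hack defines.

```powershell
<#
  Archive-EventLogs.ps1 (added example, not the hack's VBScript)
  Backs up each event log on a computer to an .evt file and clears it,
  but only when the log has grown past a percentage of its maximum size.
  Needs an account holding the Backup and Security privileges on the
  target (a local or domain administrator, as the hack notes).
#>
param(
    [Parameter(Mandatory = $true)] [string] $ComputerName,
    [Parameter(Mandatory = $true)] [string] $ArchivePath,
    [ValidateRange(0, 100)]        [int]    $ThresholdPercent = 0
)

# Same scheme as the hack (server-log-date.evt), with a zero-padded date
# so names sort chronologically and spaces in log names removed.
function New-ArchiveFileName {
    param(
        [string]   $Computer,
        [string]   $LogName,
        [string]   $Root,
        [datetime] $When = (Get-Date)
    )
    $safeLog = $LogName -replace '[^A-Za-z0-9]', ''
    return Join-Path $Root ('{0}-{1}-{2:yyyyMMdd}.evt' -f $Computer, $safeLog, $When)
}

# -EnableAllPrivileges is the PowerShell counterpart of the
# {(Backup,Security)} clause in the VBScript moniker.
$logs = Get-WmiObject -Class Win32_NTEventLogFile `
                      -ComputerName $ComputerName -EnableAllPrivileges

foreach ($log in $logs) {
    if ($log.MaxFileSize -eq 0) { continue }   # guard against a divide-by-zero
    $percentFull = [math]::Round(($log.FileSize / $log.MaxFileSize) * 100, 1)

    if ($percentFull -le $ThresholdPercent) {
        Write-Output ('{0}: {1}% full, below the {2}% threshold, skipped' -f
            $log.LogfileName, $percentFull, $ThresholdPercent)
        continue
    }

    $target = New-ArchiveFileName -Computer $ComputerName `
                                  -LogName $log.LogfileName -Root $ArchivePath

    # ClearEventLog with a file name writes the backup before clearing.
    # ReturnValue 0 is success; non-zero is a Win32 error code
    # (for example 8 = privilege missing, 183 = archive file already exists).
    $result = $log.ClearEventLog($target)
    if ($result.ReturnValue -eq 0) {
        Write-Output ('{0}: archived to {1} and cleared' -f $log.LogfileName, $target)
    } else {
        Write-Warning ('{0}: archive failed with error {1}; log not archived' -f
            $log.LogfileName, $result.ReturnValue)
    }
}
```

Run it as `.\Archive-EventLogs.ps1 -ComputerName srv210 -ArchivePath 'C:\Log Archive' -ThresholdPercent 50`. Two points worth knowing before scheduling it: the archive path is interpreted by the WMI provider on the target computer, so the directory must exist there; and clearing the Security log leaves an audit record of the clearing as the first entry of the fresh log (event 1102 on Windows Vista and later, 517 on Windows 2000/2003), which is exactly what log-tampering alerts key on, so tell whoever watches those alerts which account runs the job and when.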
If you plan on using the Backup utility instead to back up the Event log files on your Windows 2000 servers, it might surprise you to know that being part of the Backup Operators group will not allow you to back up or restore these Event log files; this right is available to only local or domain administrators!
Rod Trent