Mr. Roboto

Hoarding Logs

Archive your security logs in one place with this command-line tool.

Ages and ages ago, I wrote a column on Microsoft Audit Collection Server (MACS), a (then) free tool that would consolidate Security event log events into a central SQL Server database, using all kinds of cool security techniques to prevent spoofing, administrator bypassing and other shenanigans. Shortly after the column ran, MACS dropped off the face of the earth. I suspect Microsoft is retooling it to be a commercial product, or maybe part of a commercial product like Microsoft Operations Manager (MOM) or Microsoft System Center or something, but that's pure conjecture. In the meantime, we're still left without many tools to help manage all the event logs from all our servers.

While commercial tools exist (Objective Software's EventMaster or Prism Microsystems' EventTracker, among others), I was really looking for something with a price tag of "free." Maybe not as robust as MACS promised to be, but at least something that could archive my various security logs into a central location for long-term storage.

Windows Management Instrumentation (WMI) provides pretty decent access to Event Logs, so surely there was some scriptable way to do what I wanted -- and there was. The result is ArchiveLogs, a command-line tool written in VBScript that grabs logs from one or more computers, saves them to a standard .EVT file, and then clears the log to make room for new events. You need to be a local Administrator on the targeted computers for this to work.

Run the tool with /? to see all the available options; the most common use will be ArchiveLogs /list:computers.txt /ping /path:C:\Logs. Or something like that; you'll obviously provide a file name of your own that contains computer names (computers.txt in my example), and your own path for the archived logs to be dumped in (C:\Logs in my example). Figure 1 shows a sample run: Notice that I added the /verbose switch to generate more detailed output, and note also that the tool displays an error if it's not able to back up the log (this is generally due to a lack of security permissions, but it can also be the result of a failure to connect to WMI, perhaps because of a local firewall configuration). If the tool can't back up the log, it doesn't try to clear it, thus ensuring you don't lose anything.

Figure 1. The output from running this month's script with the "verbose" switch.

When it's able to grab a backup, the tool uses the path you specify in the /path argument. Under that path, it creates one sub-folder for each computer you target, and names the event log files based on the current date: YYYYMD (year, month, and day). That'll help you keep everything straight.

The big caveat with this tool is security, security, security: You'll need to have appropriate permissions to back up the log file, and clear it, in order for it to do its job. When in doubt, target it to your local computer first, as a test, and make sure you're a local Administrator. If it works on your local computer, it should work on other computers, provided connectivity exists and permissions are correct.

If you'd like to customize this tool a bit, you can have it grab logs other than the Security event log. Just look for this line, at around line 179 of the file:

Set cLogFiles = oWMIService.ExecQuery("Select * from Win32_NTEventLogFile where LogFileName='Security'")

Changing the log file name from "Security" to "Application" or "System" will back up the appropriate log. Those other logs often have less-strict security requirements too, because they're not considered as sensitive.
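As an added example (not the column's ArchiveLogs script, and not the download above), the script below applies the same rules to a single computer: per-computer sub-folder, date-based file name, and the log is cleared only after a successful backup. The log name is an optional third argument so the customization just described needs no edit; the computer, base path, and log name are all assumptions passed on the command line.

```vbscript
Option Explicit
' Added example, not the column's own tool: back up one event log of one
' computer through WMI, then clear it only if the backup returned 0.
' Usage: cscript ArchiveOne.vbs <computer> <basepath> [logname]

Dim strComputer, strBasePath, strLogName, strFile
Dim oWMIService, cLogFiles, oLogFile, intRC

If WScript.Arguments.Count < 2 Then
    WScript.Echo "Usage: cscript ArchiveOne.vbs <computer> <basepath> [logname]"
    WScript.Quit 1
End If
strComputer = WScript.Arguments(0)
strBasePath = WScript.Arguments(1)
strLogName = "Security"                     ' default, as in the column's script
If WScript.Arguments.Count > 2 Then strLogName = WScript.Arguments(2)

' <basepath>\<computer>\YYYYMMDD.evt (constructed naming scheme for this example)
strFile = strBasePath & "\" & strComputer & "\" & _
          Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & ".evt"

' Enable the Backup and Security privileges on the connection; without them
' BackupEventLog and ClearEventLog fail even for an Administrator.
Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\" & _
                            strComputer & "\root\cimv2")

' Same query as the column's line 179, with the log name parameterized.
Set cLogFiles = oWMIService.ExecQuery( _
    "Select * from Win32_NTEventLogFile where LogFileName='" & strLogName & "'")

For Each oLogFile In cLogFiles
    ' BackupEventLog writes the .evt file on the TARGET computer's own disk, so the
    ' folder must already exist there. Return code 3 (ERROR_PATH_NOT_FOUND) means it does not.
    intRC = oLogFile.BackupEventLog(strFile)
    If intRC = 0 Then
        WScript.Echo strComputer & ": " & strLogName & " log backed up to " & strFile
        intRC = oLogFile.ClearEventLog()
        If intRC = 0 Then
            WScript.Echo strComputer & ": " & strLogName & " log cleared"
        Else
            WScript.Echo strComputer & ": backup saved but clear failed, return code " & intRC
        End If
    Else
        ' Leave the log untouched so no events are lost.
        WScript.Echo strComputer & ": backup failed, return code " & intRC & " (log not cleared)"
    End If
Next
```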

Download

Download this month's tool from www.ScriptingAnswers.com/roboto/col5.zip

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Tue, May 22, 2007 Anonymous Anonymous

I am also getting error code 3 for some reason... running as domain admin... only runs properly on local machine

Mon, Sep 4, 2006 Anonymous Anonymous

I am getting error code 3 for some reason... running as domain admin... only runs properly on local machine
