Mr. Roboto

Hoarding Logs

Archive your security logs in one place with this command-line tool.

Ages and ages ago, I wrote a column on Microsoft Audit Collection Server (MACS), a (then) free tool that would consolidate Security event log events into a central SQL Server database, using all kinds of cool security techniques to prevent spoofing, administrator bypassing and other shenanigans. Shortly after the column ran, MACS dropped off the face of the earth. I suspect Microsoft is retooling it to be a commercial product, or maybe part of a commercial product like Microsoft Operations Manager (MOM) or Microsoft System Center or something, but that's pure conjecture. In the meantime, we're still left without many tools to help manage all the event logs from all our servers.

While commercial tools exist (Objective Software's EventMaster or Prism Microsystems' EventTracker, among others), I was really looking for something with a price tag of "free." Maybe not as robust as MACS promised to be, but at least something that could archive my various security logs into a central location for long-term storage.

Windows Management Instrumentation (WMI) provides pretty decent access to Event Logs, so surely there was some scriptable way to do what I wanted -- and there was. The result is ArchiveLogs, a command-line tool written in VBScript that grabs logs from one or more computers, saves them to a standard .EVT file, and then clears the log to make room for new events. You need to be a local Administrator on the targeted computers for this to work.

Run the tool with /? to see all the available options; the most common use will be ArchiveLogs /list:computers.txt /ping /path:C:\Logs. Or something like that; you'll obviously provide a file name of your own that contains computer names (computers.txt in my example), and your own path for the archived logs to be dumped in (C:\Logs in my example). Figure 1 shows a sample run: Notice that I added the /verbose switch to generate more detailed output, and note also that the tool displays an error if it's not able to back up the log (this is generally due to a lack of security permissions, but it can also be the result of a failure to connect to WMI, perhaps because of a local firewall configuration). If the tool can't back up the log, it doesn't try to clear it, thus ensuring you don't lose anything.

You talk too much and you never shut up.
[Click on image for larger view.]
Figure 1. The output from running this month's script with the "verbose" switch.

When it's able to grab a backup, the tool uses the path you specify in the /path argument. Under that path, it creates one sub-folder for each computer you target, and names the event log files based on the current date: YYYYMD (year, month, and day). That'll help you keep everything straight.

The big caveat with this tool is security, security, security: You'll need to have appropriate permissions to back up the log file, and clear it, in order for it to do its job. When in doubt, target it to your local computer first, as a test, and make sure you're a local Administrator. If it works on your local computer, it should work on other computers, provided connectivity exists and permissions are correct.

If you'd like to customize this tool a bit, you can have it grab logs other than the Security event log. Just look for this line, at around line 179 of the file:

Set cLogFiles = oWMIService.Exec Query("Select * from Win32_NTEvent LogFile where LogFileName='Security'")

Changing the log file name from "Security" to "Application" or "System" will back up the appropriate log. Those other logs often have less-strict security requirements too, because they're not considered as sensitive.


Download this month's tool from

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at


comments powered by Disqus

Subscribe on YouTube