Hack 96 Back Up and Clear the Event Logs

figs/moderate.gif figs/hack96.gif

Here's a nifty script you can use to back up and clear the Event logs on your servers.

Managing Event logs is an essential part of a system administrator's job. These logs are useful for a number of reasons, including troubleshooting system problems, verifying that services are functioning properly, and detecting possible intrusion attempts. While Event Viewer can be used to save and clear these logs, it can be handier to use a script you can run manually (by double-clicking on a desktop shortcut) or automatically at different times (by adding a task to the Scheduled Tasks folder).

This hack provides a script to do just that. This VBScript will back up your Windows Event Logs and then clear the information contained within them.

The Code

Type the following script into Notepad (make sure to have Word Wrap disabled), and save it with a .vbs extension as archivelogs.vbs:

Option Explicit

On Error Resume Next

Dim numThreshold

Dim strMachine

Dim strArchivePath

Dim strMoniker

Dim refWMI

Dim colEventLogs

Dim refEventLog

If WScript.Arguments.Count < 2 Then

WScript.Echo _

"Usage: archivelogs.vbs <machine> <archive_path> [threshold]"


End If

If WScript.Arguments.Count = 2 Then

numThreshold = 0


numThreshold = WScript.Arguments(2)

If Not IsNumeric(numThreshold) Then

WScript.Echo "The third parameter must be a number!"


End If

If numThreshold < 0 OR numThreshold > 100 Then

WScript.Echo "The third parameter must be in the range 0-100"


End If

End If

strMachine = WScript.Arguments(0)

strArchivePath = WScript.Arguments(1)

strMoniker = "winMgmts:{(Backup,Security)}!\\" & strMachine

Set refWMI = GetObject(strMoniker)

If Err <> 0 Then

WScript.Echo "Could not connect to the WMI service."


End If

Set colEventLogs = refWMI.InstancesOf("Win32_NTEventLogFile")

If Err <> 0 Then

WScript.Echo "Could not retrieve Event Log objects"


End If

For Each refEventLog In colEventLogs

'if shouldAct( ) returns non-zero attempt to back up

If shouldAct(refEventLog.FileSize,refEventLog.MaxFileSize) <> 0 Then

If refEventLog.ClearEventLog( _

makeFileName(refEventLog.LogfileName)) = 0 Then

WScript.Echo refEventLog.LogfileName & _

" archived successfully"


WScript.Echo refEventLog.LogfileName & _

" could not be archived"

End If


WScript.Echo refEventLog.LogfileName & _

" has not exceeded the backup level"

End If


Set refEventLog = Nothing

Set colEventLogs = Nothing

Set refWMI = Nothing

Function shouldAct(numCurSize, numMaxSize)

If (numCurSize/numMaxSize)*100 > numThreshold Then

shouldAct = 1


shouldAct = 0

End If

End Function

Function makeFileName(strLogname)

makeFileName = strArchivePath & "\" & _

strMachine & "-" & strLogname & "-" & _

Year(Now) & Month(Now) & Day(Now) & ".evt"

End Function

Running the Hack

To run the script, use Cscript.exe, the command-line script engine of the Windows Script Host (WSH). The script uses the following command-line syntax:

archivelogs.vbs machine archive_path [threshold]

In this syntax, machine is the name of the server, archive_path is the path to where you want to save the backup, and threshold is an optional parameter that checks to see the size (in MB) of the logs.

If the logs are above the threshold value you specify, the script will back them up. Otherwise, it will skip them.

The following example shows how to run the script and provides typical output when the script is executed against a domain controller. The archive directory C:\Log Files must first be created on the machine on which you run the script.

C:\>cscript.exe archivelogs.vbs srv210 "C:\Log Archive"

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Security archived successfully

System archived successfully

Directory Service archived successfully

DNS Server archived successfully

File Replication Service archived successfully

Application archived successfully


The result of running the script is a set of files in C:\Log Files of the form srv210-Application-20031217.evt, srv210-Security-20031217.evt, and so on. Note that each archive file is named according to the server, event log, and current date.

If you plan on using the Backup utility instead to back up the Event log files on your Windows 2000 servers, it might surprise you to know that being part of the Backup Operators group will not allow you to back up or restore these Event log files; this right is available to only local or domain administrators!

?Rod Trent