Hack 96 Back Up and Clear the Event Logs


Here's a nifty script you can use to back up and clear the Event logs on your servers.

Managing Event logs is an essential part of a system administrator's job. These logs are useful for a number of reasons, including troubleshooting system problems, verifying that services are functioning properly, and detecting possible intrusion attempts. While Event Viewer can be used to save and clear these logs, it can be handier to use a script you can run manually (by double-clicking on a desktop shortcut) or automatically at different times (by adding a task to the Scheduled Tasks folder).

This hack provides a script to do just that. This VBScript will back up your Windows Event Logs and then clear the information contained within them.

The Code

Type the following script into Notepad (make sure to have Word Wrap disabled), and save it with a .vbs extension as archivelogs.vbs:

Option Explicit
On Error Resume Next

Dim numThreshold
Dim strMachine
Dim strArchivePath
Dim strMoniker
Dim refWMI
Dim colEventLogs
Dim refEventLog
Dim numResult

If WScript.Arguments.Count < 2 Then
    WScript.Echo _
        "Usage: archivelogs.vbs <machine> <archive_path> [threshold]"
    WScript.Quit
End If

If WScript.Arguments.Count = 2 Then
    numThreshold = 0
Else
    numThreshold = WScript.Arguments(2)
    If Not IsNumeric(numThreshold) Then
        WScript.Echo "The third parameter must be a number!"
        WScript.Quit
    End If
    ' Command-line arguments are strings; convert so that the range check
    ' here and the comparison in shouldAct() are numeric, not string, comparisons
    numThreshold = CDbl(numThreshold)

    If numThreshold < 0 OR numThreshold > 100 Then
        WScript.Echo "The third parameter must be in the range 0-100"
        WScript.Quit
    End If
End If

strMachine = WScript.Arguments(0)
strArchivePath = WScript.Arguments(1)

' The Backup and Security privileges are needed to read and clear the Security log
strMoniker = "winMgmts:{(Backup,Security)}!\\" & strMachine
Set refWMI = GetObject(strMoniker)
If Err <> 0 Then
    WScript.Echo "Could not connect to the WMI service."
    WScript.Quit
End If

Set colEventLogs = refWMI.InstancesOf("Win32_NTEventLogFile")
If Err <> 0 Then
    WScript.Echo "Could not retrieve Event Log objects"
    WScript.Quit
End If

For Each refEventLog In colEventLogs
    Err.Clear
    'if shouldAct( ) returns non-zero attempt to back up
    If shouldAct(refEventLog.FileSize, refEventLog.MaxFileSize) <> 0 Then
        ' ClearEventLog with a file name backs the log up to that file (written by the
        ' event log service on strMachine) and then clears it; 0 means success
        numResult = refEventLog.ClearEventLog(makeFileName(refEventLog.LogfileName))
        If Err = 0 And numResult = 0 Then
            WScript.Echo refEventLog.LogfileName & _
                " archived successfully"
        Else
            WScript.Echo refEventLog.LogfileName & _
                " could not be archived"
        End If
    Else
        WScript.Echo refEventLog.LogfileName & _
            " has not exceeded the backup level"
    End If
Next

Set refEventLog = Nothing
Set colEventLogs = Nothing
Set refWMI = Nothing

Function shouldAct(numCurSize, numMaxSize)
    ' Compare how full the log is (percent of its maximum size) with the threshold;
    ' a log with no maximum size is skipped rather than dividing by zero
    shouldAct = 0
    If numMaxSize > 0 Then
        If (numCurSize / numMaxSize) * 100 > numThreshold Then shouldAct = 1
    End If
End Function

Function makeFileName(strLogname)
    ' <archive_path>\<machine>-<log>-YYYYMMDD.evt. Month and day are zero-padded so
    ' the names sort by date and, say, 2 November cannot collide with 12 January
    makeFileName = strArchivePath & "\" & _
        strMachine & "-" & strLogname & "-" & _
        Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & ".evt"
End Function

Running the Hack

To run the script, use Cscript.exe, the command-line script engine of the Windows Script Host (WSH). The script uses the following command-line syntax:

archivelogs.vbs machine archive_path [threshold]

In this syntax, machine is the name of the server, archive_path is the path to where you want to save the backup, and threshold is an optional number in the range 0-100: the script compares each log's current size with its maximum size and backs up only those logs that are fuller than this percentage (the default of 0 backs up every log that contains any data).

If the logs are above the threshold value you specify, the script will back them up. Otherwise, it will skip them.


The following example shows how to run the script and provides typical output when the script is executed against a domain controller. The archive directory C:\Log Files must first be created on the machine on which you run the script.

C:\>cscript.exe archivelogs.vbs srv210 "C:\Log Archive"
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Security archived successfully
System archived successfully
Directory Service archived successfully
DNS Server archived successfully
File Replication Service archived successfully
Application archived successfully

C:\>

The result of running the script is a set of files in C:\Log Files of the form srv210-Application-20031217.evt, srv210-Security-20031217.evt, and so on. Note that each archive file is named according to the server, event log, and current date.
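The same backup-then-clear procedure written in PowerShell, as an added example that is not from the book or its author. It assumes Windows PowerShell (the Get-WmiObject cmdlet) and an account that holds the Backup and Security privileges, and it splits the work into two WMI calls, BackupEventLog and then ClearEventLog, so that a log is only cleared after its backup has reported success:

```powershell
# archivelogs.ps1 (added example): back up each event log, then clear it only
# after the backup succeeded. Usage: .\archivelogs.ps1 srv210 "C:\Log Files" 50
param(
    [Parameter(Mandatory=$true)][string]$Machine,
    [Parameter(Mandatory=$true)][string]$ArchivePath,   # path as seen by $Machine
    [ValidateRange(0,100)][int]$Threshold = 0            # percent of MaxFileSize
)

# -EnableAllPrivileges plays the role of the {(Backup,Security)} WMI moniker
$logs = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $Machine -EnableAllPrivileges
if (-not $logs) { throw "Could not retrieve Win32_NTEventLogFile instances from $Machine" }

$stamp = Get-Date -Format 'yyyyMMdd'   # zero-padded so archive names sort by date

foreach ($log in $logs) {
    if ($log.MaxFileSize -le 0) { continue }   # avoid dividing by zero
    $pct = [math]::Round(100 * $log.FileSize / $log.MaxFileSize, 1)
    if ($pct -le $Threshold) {
        Write-Output ("{0} is {1}% full, has not exceeded the backup level" -f $log.LogFileName, $pct)
        continue
    }

    $file = Join-Path $ArchivePath ("{0}-{1}-{2}.evt" -f $Machine, $log.LogFileName, $stamp)

    # Step 1: back up only. The event log service on $Machine writes the file,
    # so $ArchivePath must exist there. ReturnValue 0 means success.
    $backup = $log.BackupEventLog($file)
    if ($backup.ReturnValue -ne 0) {
        Write-Warning ("{0}: BackupEventLog returned {1}; log NOT cleared" -f $log.LogFileName, $backup.ReturnValue)
        continue
    }

    # Step 2: clear only now, so a failed or partial archive never costs any events
    $clear = $log.ClearEventLog()
    if ($clear.ReturnValue -eq 0) {
        Write-Output ("{0} archived to {1} and cleared" -f $log.LogFileName, $file)
    } else {
        Write-Warning ("{0}: archived but ClearEventLog returned {1}" -f $log.LogFileName, $clear.ReturnValue)
    }
}
```

Clearing the Security log itself records an "audit log was cleared" event (ID 517 on Windows 2000/2003, ID 1102 on Windows Vista/Server 2008 and later), so a scheduled run of either script should be expected by whatever monitors that event, while an unscheduled clear remains worth investigating.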

If you plan on using the Backup utility instead to back up the Event log files on your Windows 2000 servers, it might surprise you to know that being a member of the Backup Operators group will not allow you to back up or restore these Event log files; this right is available only to local or domain administrators!

—Rod Trent