managing auditing logs

[Guest inenewbl]

Hi all. Currently my company's server has enabled alot of auditing which

makes the security log very big. Hence i would like to know if its possible

to automate the task copying the content of security log to a separate file

before deleting the contents inside the security log. The reason is i would

like to automate this task every week so as to reduce the size of security

log, as it would be very difficult to find audit events of a particular day

in a very huge security log file. If there are better ways of managing the

security logs or auditing, please share with me. Thks in advance.

[Guest Meinolf Weber]

Re: managing auditing logs

 

Hello inenewbl,

 

It is possible, unfortunately i have the script not at home. Can post it

tomorrow. It makes a dailey backup to a folder and deletes the security log

content automatically. Run's as a scheduled task with a user account that

has special rights on all of my servers.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

> Hi all. Currently my company's server has enabled alot of auditing

> which makes the security log very big. Hence i would like to know if

> its possible to automate the task copying the content of security log

> to a separate file before deleting the contents inside the security

> log. The reason is i would like to automate this task every week so as

> to reduce the size of security log, as it would be very difficult to

> find audit events of a particular day in a very huge security log

> file. If there are better ways of managing the security logs or

> auditing, please share with me. Thks in advance.

>

[Guest Meinolf Weber]

Re: managing auditing logs

 

Hello inenewbl,

 

Copy this in a textfile and save it as .vbs (without the lines) and run it

on the machine as a scheduled task. For the output file you have to create

a folder on c:\SecurityLog in this case and the useraccount should have modify

permission in this folder.

 

-----------------------------------------------------------------------------------------------

 

;The user account used for this script must have this rights/privileges

;Generate security audits

;Back up files and directories

;Log on as a batch job

;Manage auditing and security log

 

strDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" & Right("0" &

Day(Now),2) & "-"

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _

& "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _

strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _

("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")

For Each objLogfile in colLogFiles

errBackupLog = objLogFile.BackupEventLog("c:\SecurityLog\"& strDate &"security.evt")

If errBackupLog <> 0 Then

Wscript.Echo "The Security event log could not be backed up."

Else

objLogFile.ClearEventLog()

End If

Next

-------------------------------------------------------------------------------------------------------

 

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

> Hi all. Currently my company's server has enabled alot of auditing

> which makes the security log very big. Hence i would like to know if

> its possible to automate the task copying the content of security log

> to a separate file before deleting the contents inside the security

> log. The reason is i would like to automate this task every week so as

> to reduce the size of security log, as it would be very difficult to

> find audit events of a particular day in a very huge security log

> file. If there are better ways of managing the security logs or

> auditing, please share with me. Thks in advance.

>

[Guest inenewbl]

Re: managing auditing logs

 

Hi Weber.

This is exactly what i need.

Thank you very much!!

Can i know what are your reference material in learning scripting?

 

"Meinolf Weber" wrote:

> Hello inenewbl,

>

> Copy this in a textfile and save it as .vbs (without the lines) and run it

> on the machine as a scheduled task. For the output file you have to create

> a folder on c:\SecurityLog in this case and the useraccount should have modify

> permission in this folder.

>

> -----------------------------------------------------------------------------------------------

>

> ;The user account used for this script must have this rights/privileges

> ;Generate security audits

> ;Back up files and directories

> ;Log on as a batch job

> ;Manage auditing and security log

>

> strDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" & Right("0" &

> Day(Now),2) & "-"

> strComputer = "."

> Set objWMIService = GetObject("winmgmts:" _

> & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _

> strComputer & "\root\cimv2")

> Set colLogFiles = objWMIService.ExecQuery _

> ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")

> For Each objLogfile in colLogFiles

> errBackupLog = objLogFile.BackupEventLog("c:\SecurityLog\"& strDate &"security.evt")

> If errBackupLog <> 0 Then

> Wscript.Echo "The Security event log could not be backed up."

> Else

> objLogFile.ClearEventLog()

> End If

> Next

> -------------------------------------------------------------------------------------------------------

>

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hi all. Currently my company's server has enabled alot of auditing

> > which makes the security log very big. Hence i would like to know if

> > its possible to automate the task copying the content of security log

> > to a separate file before deleting the contents inside the security

> > log. The reason is i would like to automate this task every week so as

> > to reduce the size of security log, as it would be very difficult to

> > find audit events of a particular day in a very huge security log

> > file. If there are better ways of managing the security logs or

> > auditing, please share with me. Thks in advance.

> >

>

>

>

[Guest Meinolf Weber]

Re: managing auditing logs

 

Hello inenewbl,

 

This script i found on a website from MS, just modified it for my environment.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

> Hi Weber.

> This is exactly what i need.

> Thank you very much!!

> Can i know what are your reference material in learning scripting?

> "Meinolf Weber" wrote:

>

>> Hello inenewbl,

>>

>> Copy this in a textfile and save it as .vbs (without the lines) and

>> run it on the machine as a scheduled task. For the output file you

>> have to create a folder on c:\SecurityLog in this case and the

>> useraccount should have modify permission in this folder.

>>

>> ---------------------------------------------------------------------

>> --------------------------

>>

>> ;The user account used for this script must have this

>> rights/privileges

>> ;Generate security audits

>> ;Back up files and directories

>> ;Log on as a batch job

>> ;Manage auditing and security log

>> strDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" &

>> Right("0" &

>>

>> Day(Now),2) & "-"

>>

>> strComputer = "."

>>

>> Set objWMIService = GetObject("winmgmts:" _

>>

>> & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _

>>

>> strComputer & "\root\cimv2")

>>

>> Set colLogFiles = objWMIService.ExecQuery _

>>

>> ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")

>>

>> For Each objLogfile in colLogFiles

>>

>> errBackupLog = objLogFile.BackupEventLog("c:\SecurityLog\"& strDate

>> &"security.evt")

>>

>> If errBackupLog <> 0 Then

>>

>> Wscript.Echo "The Security event log could not be backed up."

>>

>> Else

>>

>> objLogFile.ClearEventLog()

>>

>> End If

>>

>> Next

>>

>> ---------------------------------------------------------------------

>> ----------------------------------

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Hi all. Currently my company's server has enabled alot of auditing

>>> which makes the security log very big. Hence i would like to know if

>>> its possible to automate the task copying the content of security

>>> log to a separate file before deleting the contents inside the

>>> security log. The reason is i would like to automate this task every

>>> week so as to reduce the size of security log, as it would be very

>>> difficult to find audit events of a particular day in a very huge

>>> security log file. If there are better ways of managing the security

>>> logs or auditing, please share with me. Thks in advance.

>>>

[Guest Meinolf Weber]

Re: managing auditing logs

 

Hello inenewbl,

 

Here i found it:

http://www.microsoft.com/technet/scriptcenter/guide/sas_log_pcna.mspx?mfr=true

 

and here is the complete Scripting guide:

http://www.microsoft.com/technet/scriptcenter/guide/sagsas_overview.mspx?mfr=true

 

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

> Hi Weber.

> This is exactly what i need.

> Thank you very much!!

> Can i know what are your reference material in learning scripting?

> "Meinolf Weber" wrote:

>

>> Hello inenewbl,

>>

>> Copy this in a textfile and save it as .vbs (without the lines) and

>> run it on the machine as a scheduled task. For the output file you

>> have to create a folder on c:\SecurityLog in this case and the

>> useraccount should have modify permission in this folder.

>>

>> ---------------------------------------------------------------------

>> --------------------------

>>

>> ;The user account used for this script must have this

>> rights/privileges

>> ;Generate security audits

>> ;Back up files and directories

>> ;Log on as a batch job

>> ;Manage auditing and security log

>> strDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" &

>> Right("0" &

>>

>> Day(Now),2) & "-"

>>

>> strComputer = "."

>>

>> Set objWMIService = GetObject("winmgmts:" _

>>

>> & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _

>>

>> strComputer & "\root\cimv2")

>>

>> Set colLogFiles = objWMIService.ExecQuery _

>>

>> ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")

>>

>> For Each objLogfile in colLogFiles

>>

>> errBackupLog = objLogFile.BackupEventLog("c:\SecurityLog\"& strDate

>> &"security.evt")

>>

>> If errBackupLog <> 0 Then

>>

>> Wscript.Echo "The Security event log could not be backed up."

>>

>> Else

>>

>> objLogFile.ClearEventLog()

>>

>> End If

>>

>> Next

>>

>> ---------------------------------------------------------------------

>> ----------------------------------

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Hi all. Currently my company's server has enabled alot of auditing

>>> which makes the security log very big. Hence i would like to know if

>>> its possible to automate the task copying the content of security

>>> log to a separate file before deleting the contents inside the

>>> security log. The reason is i would like to automate this task every

>>> week so as to reduce the size of security log, as it would be very

>>> difficult to find audit events of a particular day in a very huge

>>> security log file. If there are better ways of managing the security

>>> logs or auditing, please share with me. Thks in advance.

>>>