Guest inenewbl
Posted September 17, 2007

Hi all. Currently my company's server has enabled a lot of auditing, which makes the security log very big. Hence I would like to know if it's possible to automate the task of copying the content of the security log to a separate file before deleting the contents inside the security log. The reason is I would like to automate this task every week so as to reduce the size of the security log, as it would be very difficult to find audit events of a particular day in a very huge security log file. If there are better ways of managing the security logs or auditing, please share with me. Thanks in advance.

Guest Meinolf Weber
Posted September 17, 2007

Re: managing auditing logs

Hello inenewbl,

It is possible; unfortunately I do not have the script at home. I can post it tomorrow. It makes a daily backup to a folder and deletes the security log content automatically. It runs as a scheduled task with a user account that has special rights on all of my servers.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

Guest Meinolf Weber
Posted September 18, 2007

Re: managing auditing logs

Hello inenewbl,

Copy this into a text file and save it as .vbs (without the lines) and run it on the machine as a scheduled task. For the output file you have to create a folder at c:\SecurityLog in this case, and the user account should have modify permission on this folder.

-----------------------------------------------------------------------------------------------
' The user account used for this script must have these rights/privileges:
' Generate security audits
' Back up files and directories
' Log on as a batch job
' Manage auditing and security log

' Date prefix for the archive file name, e.g. 2007-09-18-
strDate = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) & "-"
strComputer = "."
' The Backup and Security privileges must be enabled on the WMI connection.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")
For Each objLogFile In colLogFiles
    ' Back up first; clear the log only if the backup call returned 0.
    errBackupLog = objLogFile.BackupEventLog("c:\SecurityLog\" & strDate & "security.evt")
    If errBackupLog <> 0 Then
        WScript.Echo "The Security event log could not be backed up."
    Else
        objLogFile.ClearEventLog()
    End If
Next
-----------------------------------------------------------------------------------------------

Best regards
Meinolf Weber
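
Added example, not part of the original thread and not Microsoft's script: the same backup-then-clear job in Windows PowerShell 5.1, with the checks a scheduled run needs (non-zero exit on failure, archive verified before the clear, SHA-256 recorded). The manifest.csv file, the timestamped file name and the .evtx extension are assumptions for illustration; the folder is the one from the post above.

```powershell
# Added example (not from the thread). Windows PowerShell 5.1, run under an
# account that holds the rights listed in the post above.
# $Manifest and the timestamped archive name are assumptions for illustration.
$ArchiveDir = 'C:\SecurityLog'
$Stamp      = Get-Date -Format 'yyyy-MM-dd-HHmmss'   # time included so a second run on the same day gets its own file
$Archive    = Join-Path $ArchiveDir "$Stamp-security.evtx"
$Manifest   = Join-Path $ArchiveDir 'manifest.csv'

# -EnableAllPrivileges plays the role of "(Backup, Security)" in the VBScript moniker.
$log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='Security'" -EnableAllPrivileges
if (-not $log) { Write-Error 'Security log not found.'; exit 1 }

$backup = $log.BackupEventLog($Archive)
if ($backup.ReturnValue -ne 0) {
    # A non-zero exit code makes the failure visible in Task Scheduler history;
    # a message box or console echo is never seen in an unattended run.
    Write-Error "Backup failed (WMI return value $($backup.ReturnValue)); log NOT cleared."
    exit 1
}

# Do not rely on the return code alone: confirm the archive exists and has content.
$file = Get-Item -LiteralPath $Archive -ErrorAction SilentlyContinue
if (-not $file -or $file.Length -eq 0) {
    Write-Error "Archive $Archive is missing or empty; log NOT cleared."
    exit 1
}

# Record size, record count and hash so later tampering with an archive is detectable.
$hash = (Get-FileHash -LiteralPath $Archive -Algorithm SHA256).Hash
[pscustomobject]@{
    Archive = $file.Name
    Bytes   = $file.Length
    Records = $log.NumberOfRecords
    SHA256  = $hash
} | Export-Csv -LiteralPath $Manifest -Append -NoTypeInformation

$clear = $log.ClearEventLog()
if ($clear.ReturnValue -ne 0) {
    Write-Error "Clear failed (WMI return value $($clear.ReturnValue)); archive was kept."
    exit 1
}
exit 0
```

On Windows Vista / Server 2008 and later, every clear of the Security log is itself recorded as event ID 1102 ("The audit log was cleared"), so monitoring can expect one such event from the scheduled task's account at the scheduled time and alert on any other. Keeping the manifest, or a copy of it, on a different host than the archives makes the hashes useful as evidence.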

Guest inenewbl
Posted September 18, 2007

Re: managing auditing logs

Hi Weber.
This is exactly what I need.
Thank you very much!!
Can I know what your reference materials for learning scripting are?

Guest Meinolf Weber
Posted September 18, 2007

Re: managing auditing logs

Hello inenewbl,

I found this script on a website from MS and just modified it for my environment.

Best regards
Meinolf Weber

Guest Meinolf Weber
Posted September 18, 2007

Re: managing auditing logs

Hello inenewbl,

Here I found it:
http://www.microsoft.com/technet/scriptcenter/guide/sas_log_pcna.mspx?mfr=true

and here is the complete Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/guide/sagsas_overview.mspx?mfr=true

Best regards
Meinolf Weber