Problem

You want to archive your event logs so you can retrieve them later if necessary.

Solution

Using a graphical user interface

Using a command-line interface

Using the wmic utility, you can call the BackupEventLog method that is available with the Win32_NTEventlogFile class:

```
> wmic /node:"<ComputerName>" nteventlog where "Logfilename = '<LogName>'" Call BackupEventLog "<FilePath>"
```

Here is an example of backing up the Application event log:

```
> wmic /node:"fs01" nteventlog where "Logfilename = 'Application'" Call BackupEventLog "E:\app_back.evt"
```

Using VBScript

```vbscript
' This code archives an event log to the specified file.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"                  ' e.g. Application
strBackupFile = "<FileNameAndPath>"   ' e.g. c:\app_back.evt
strComputer = "<ComputerName>"        ' e.g. wks1 (use "." for local system)
' ------ END CONFIGURATION ---------

' Connect to WMI on the target computer. The (Backup) privilege in the
' moniker is required for BackupEventLog to succeed.
set objWMI = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")

' Look the log up by name; exactly one instance should match.
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
    " Logfilename = '" & strLog & "'")
if colLogs.Count <> 1 then
    WScript.Echo "Fatal error. Number of logs found: " & colLogs.Count
    WScript.Quit
end if

' BackupEventLog returns 0 on success; anything else is a failure and must
' not be reported as a completed backup.
for each objLog in colLogs
    intRC = objLog.BackupEventLog(strBackupFile)
    if intRC = 0 then
        WScript.Echo strLog & " backed up to " & strBackupFile
    else
        WScript.Echo "Backup of " & strLog & " failed with return code " & intRC
    end if
next
```

Discussion

You might want to consider archiving your event logs on a periodic basis. If nothing else, archive your Security logs so that you can retrieve them if you need to go back and look for suspicious activity. Instead of backing up the log files on the local system, you can also specify a UNC path to a remote file server. If the event logs are using a lot of disk space, you might even want to create a simple batch script to archive the event logs and then clear them (see Recipe 16.7). If you are backing up your whole workstation, you probably don't need to archive the event logs individually.
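The same Win32_NTEventlogFile.BackupEventLog call, driven from PowerShell as the periodic archive-then-clear job the Discussion describes. This is an added example, not code from the recipe: it writes a timestamped copy of the Security log to a UNC share, checks the WMI return value, and clears the log only after the backup has verifiably succeeded. The share name \\fs01\logarchive and the parameter names are assumptions; it relies on the Get-WmiObject cmdlet (Windows PowerShell) and on the running account holding the Backup privilege and write access to the share.

```powershell
# Added example (not from the recipe): archive an event log via WMI, verify
# the result, and only then clear it. Assumes Windows PowerShell with
# Get-WmiObject; \\fs01\logarchive is a hypothetical archive share.
param(
    [string]$ComputerName = ".",                 # "." = local system
    [string]$LogName      = "Security",
    [string]$ArchiveRoot  = "\\fs01\logarchive", # hypothetical UNC share
    [switch]$ClearAfterBackup
)

# One archive file per computer/log/timestamp so periodic runs never
# overwrite an earlier copy.
$target = if ($ComputerName -eq ".") { $env:COMPUTERNAME } else { $ComputerName }
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$archiveFile = Join-Path $ArchiveRoot ("{0}_{1}_{2}.evt" -f $target, $LogName, $stamp)

# -EnableAllPrivileges asks WMI to enable the caller's Backup privilege,
# the equivalent of the "(Backup)" token in the recipe's VBScript moniker.
$log = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $ComputerName `
        -EnableAllPrivileges -Filter "LogFileName='$LogName'"

if (-not $log) {
    throw "Log '$LogName' not found on $target"
}

# BackupEventLog executes on the target computer, so the path is interpreted
# there: a UNC path works, a drive letter refers to that machine's own drive.
$result = $log.BackupEventLog($archiveFile)
if ($result.ReturnValue -ne 0) {
    throw "BackupEventLog of $LogName on $target failed with return value $($result.ReturnValue)"
}
Write-Host "$LogName on $target archived to $archiveFile"

# Clear only after a successful, verified backup. ClearEventLog can take an
# archive path itself, but keeping the two steps separate means a failed
# backup can never be mistaken for a completed archive-and-clear.
if ($ClearAfterBackup) {
    $clear = $log.ClearEventLog()
    if ($clear.ReturnValue -ne 0) {
        throw "ClearEventLog of $LogName on $target failed with return value $($clear.ReturnValue)"
    }
    Write-Host "$LogName on $target cleared"
}
```

Run it as `.\Archive-EventLog.ps1 -ComputerName fs01 -LogName Security -ClearAfterBackup` from a scheduled task. When the target is a remote computer, the file is written by that computer's WMI service, not by your session, so the UNC share must grant write access to the remote machine's account (or to a delegated identity); a backup that fails for that reason surfaces as a non-zero ReturnValue and the log is left intact.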