Microsoft® Windows® 2000 Scripting Guide
Event logs maintain a historical record of important events that occur on a computer. These records should be archived, at least temporarily, to help you carry out tasks such as troubleshooting problems (when did the first instance of X occur?) or capacity planning (how does the number of Ys occurring this month compare with the number of Ys that occurred last month?).
The most efficient way to archive event log records is to routinely back up and then clear these logs. Backing up the logs before clearing them ensures that the records will be available if you ever need them; clearing the event logs keeps those logs to a manageable size. Clearing the event logs also ensures that all events will be recorded. If you do not clear the event log before it reaches its maximum size, it either stops recording any new events or starts overwriting older events, depending on how the log has been configured. As a result, events will either be overwritten, and thus lost, or never recorded in the first place.
Note
Before you clear an event log, it is a good idea to create a backup of that log. WMI provides a method for backing up event logs. However, this method comes with two important stipulations. First, the backup must be written in the proprietary binary event log format. To archive event logs in plain-text format, you need to create a query to extract the records and then write the extracted information to a text file.
In addition, you must make backups to the local computer; you cannot save a backup of the event logs on Computer A to Computer B. Backups are implemented by using the LocalSystem account, which does not have the network credentials necessary to access remote computers. If you want to save backups to a central repository, modify the script to first perform the backup, and then move the backup file to the central repository.
Event logs must be backed up separately from any other system files. Although a regular system backup can copy the event log files, the copied event log files will be unusable. If you attempt to open an event log file that has been copied or backed up by using any means other than the Event Log Backup Application Programming Interface (API), you receive an error message stating that the event log file is corrupt.
This error message is the result of a unique characteristic of event log files. When a computer starts, the Event service changes several bits in each event log file header. These changed bits indicate that the event log file is open, and they prevent applications, including backup programs, from accessing the event log file. If you copy an event log file by using the Copy command or a standard backup program, the copied event log file includes these changed bits. If you then try to open the copied file, you receive a message that the event log is corrupt.
Despite the changed bits, you can use Event Viewer to work with the event log files, but only because it does not try to open the event log file itself. Instead, Event Viewer uses the Event service and the Event Logging API to open the event log files.
However, this does not completely solve the problem. For better or worse, the Event service and Event Logging API can be used to open only actual event logs; they cannot open archived event log files. Instead, Event Viewer must directly access backup event log files. If the Event Log Backup API did not produce these backup event log files, these backup files will include the changed bits indicating that the file is open. In that case, any attempt to access the file will fail.
When you use the Event Log Backup method, these header bits are changed to indicate that the file is closed, giving Event Viewer access to the data.
There are multiple ways to back up and clear the event logs. For example, you might:
Listing 12.5 contains a script that backs up and then clears the Application event log on a computer. To carry out this task, the script must perform the following steps:
To use the BackupEventLog method, you must include the Backup privilege as part of your connection string. Backup is a user right that must be explicitly assigned and included as part of the GetObject moniker.
To limit data retrieval to the Application event log, include a Where clause specifying Application as the LogFileName. This returns a collection with a single item: the Application event log.
However, if a backup file by that name already exists, the backup attempt will fail. The failure occurs because the BackupEventLog method does not allow you to overwrite an existing backup file or to append additional records to an existing backup file. This is another security measure, one that prevents anyone from modifying archived event logs. Without this provision, an unscrupulous administrator could back up and clear the event logs, open the backup files, and then remove any events he or she wanted to keep secret.
In the script, the log is cleared only if the backup succeeded; if the BackupEventLog method returns anything other than 0, the backup failed. In that case, the message "The application event log could not be backed up" is echoed to the screen, and the event log is not cleared.
Listing 12.5 Backing Up and Clearing an Event Log
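The following script is an added example written for this page, not Listing 12.5 itself. It shows the pieces the text describes: the Backup privilege requested in the GetObject moniker, a Where clause that limits the collection to the Application log, a check that BackupEventLog returned 0 before the log is cleared, and an explicit check for an existing archive file, since BackupEventLog will neither overwrite nor append. The archive path C:\Logs\Archive\Application.evt, the local computer (".") and the presence of the archive folder are assumptions.

```vbscript
' Added example (not Listing 12.5): back up the Application event log to a
' binary .evt file, then clear the log only if the backup succeeded.
' Assumptions: runs on the local computer, the account holds the Backup user
' right, and the folder C:\Logs\Archive already exists.
Option Explicit

Const ARCHIVE_PATH = "C:\Logs\Archive\Application.evt"   ' assumed path
Dim strComputer, objWMIService, colLogFiles, objLogFile
Dim objFSO, errBackup, errClear

strComputer = "."

' The (Backup) privilege must be requested in the moniker; without it
' BackupEventLog fails even when run by an administrator.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" _
    & strComputer & "\root\cimv2")

' BackupEventLog refuses to overwrite or append to an existing file, so
' report that case clearly instead of letting the call fail opaquely.
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(ARCHIVE_PATH) Then
    WScript.Echo "Archive file already exists; refusing to overwrite: " & ARCHIVE_PATH
    WScript.Quit 1
End If

' Restrict the collection to the Application log (a single item).
Set colLogFiles = objWMIService.ExecQuery( _
    "Select * from Win32_NTEventLogFile where LogFileName='Application'")

For Each objLogFile In colLogFiles
    errBackup = objLogFile.BackupEventLog(ARCHIVE_PATH)
    If errBackup <> 0 Then
        ' Non-zero means the backup failed; never clear in that case,
        ' or the events are lost with no archive.
        WScript.Echo "The application event log could not be backed up (code " _
            & errBackup & ")."
    Else
        errClear = objLogFile.ClearEventLog()
        If errClear <> 0 Then
            WScript.Echo "Backup written but the log could not be cleared (code " _
                & errClear & ")."
        Else
            WScript.Echo "Application log archived to " & ARCHIVE_PATH & " and cleared."
        End If
    End If
Next
```

Run it with cscript so the echoed messages go to the console rather than to message boxes. Because the archive name is fixed, a second run on the same day stops at the FileExists check; the size-based variant under Listing 12.6 shows one way to generate unique names instead.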
You might want to run the script shown in Listing 12.5 as a scheduled task and thus back up and clear your event log on a regular basis.
For example, you could schedule the script in Listing 12.5 to run each morning. It would then back up and clear the event log every day, and at the end of the year you would have 365 archive files for each event log. Although the data would be safely archived, dealing with scores of small event log files can be more complicated than dealing with a single large event log file.
As an alternative approach, you can create a script that backs up and clears an event log only if the log meets specific conditions.
Listing 12.6 contains a script that backs up and clears an event log only if the log is larger than 20 megabytes (approximately 20,000,000 bytes). If the log is smaller than 20 megabytes, the script exits without performing the backup. To carry out this task, the script must perform the following steps:
The query returns a collection consisting of all the event logs on the computer except the Security event log. To return the Security event log, you need to include the Security privilege as part of the WMI moniker. The Security event log is not included in this script simply because it is often managed separately from the other event logs (and often by a separate administrator).
Listing 12.6 Backing Up and Clearing Event Logs If the Log Meets Specific Conditions
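The following script is an added example written for this page, not Listing 12.6 itself. It loops over every event log except Security, backs up and clears only those whose FileSize exceeds 20,000,000 bytes, and builds a date-stamped archive name for each log so that repeated runs never collide with an existing file. The archive folder C:\Logs\Archive, the local computer and the Backup user right are assumptions; the ArchiveName helper is written here for illustration and is not part of WMI.

```vbscript
' Added example (not Listing 12.6): back up and clear every event log except
' Security, but only when the log exceeds the 20,000,000-byte threshold.
' Assumptions: local computer, the Backup user right is held, and the folder
' C:\Logs\Archive already exists.
Option Explicit

Const ARCHIVE_DIR = "C:\Logs\Archive\"          ' assumed folder
Const SIZE_THRESHOLD = 20000000                 ' bytes (about 20 MB)
Dim objWMIService, colLogFiles, objLogFile, strArchive, errBackup, errClear

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\.\root\cimv2")

' The Security log would also need the (Security) privilege in the moniker
' and is usually managed separately, so it is excluded from the query.
Set colLogFiles = objWMIService.ExecQuery( _
    "Select * from Win32_NTEventLogFile where LogFileName<>'Security'")

' Hypothetical helper: a unique archive name per log and per minute, because
' BackupEventLog will not overwrite or append to an existing file.
Function ArchiveName(strLogName)
    Dim d : d = Now
    ArchiveName = ARCHIVE_DIR & strLogName & "-" _
        & Year(d) & Right("0" & Month(d), 2) & Right("0" & Day(d), 2) _
        & "-" & Right("0" & Hour(d), 2) & Right("0" & Minute(d), 2) & ".evt"
End Function

For Each objLogFile In colLogFiles
    If objLogFile.FileSize > SIZE_THRESHOLD Then
        strArchive = ArchiveName(objLogFile.LogFileName)
        errBackup = objLogFile.BackupEventLog(strArchive)
        If errBackup <> 0 Then
            ' Backup failed: leave the log untouched so no events are lost.
            WScript.Echo objLogFile.LogFileName & ": backup failed (code " _
                & errBackup & "); log not cleared."
        Else
            errClear = objLogFile.ClearEventLog()
            If errClear <> 0 Then
                WScript.Echo objLogFile.LogFileName & ": archived to " & strArchive _
                    & " but clear failed (code " & errClear & ")."
            Else
                WScript.Echo objLogFile.LogFileName & ": archived to " & strArchive _
                    & " and cleared."
            End If
        End If
    Else
        WScript.Echo objLogFile.LogFileName & ": " & objLogFile.FileSize _
            & " bytes, below threshold; skipped."
    End If
Next
```

Scheduled daily, this version produces an archive file only on the days a log actually crosses the threshold, which keeps the number of files manageable while still guaranteeing that a log is never cleared without a successful backup.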