Recipe 8.11. Archiving an Event Log

Problem

You want to archive your event logs so you can retrieve them later if necessary.

Solution

Using a graphical user interface
Using a command-line interface

Using the wmic utility, you can call the BackupEventLog method that is available with the Win32_NTEventlogFile class:

> wmic /node:"<ServerName>" nteventlog where "Logfilename = '<LogName>'" Call BackupEventLog "<FilePath>"

Here is an example of backing up the Application event log:

> wmic /node:"fs01" nteventlog where "Logfilename = 'Application'" Call BackupEventLog "E:\app_back.evt"

Using VBScript

' This code archives an event log to the specified file.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"                 ' e.g., Application
strBackupFile = "<FileNameAndPath>"  ' e.g., c:\app_back.evt
strServer = "<ServerName>"           ' e.g., fs01 (use "." for local server)
' ------ END CONFIGURATION ---------

' Connect to WMI on the target server with the Backup privilege enabled,
' which BackupEventLog requires.
set objWMI = GetObject( _
   "winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & _
   strServer & "\root\cimv2")

' Look up the Win32_NTEventlogFile instance for the requested log.
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
                               " Logfilename = '" & strLog & "'")
if colLogs.Count <> 1 then
   WScript.Echo "Fatal error. Number of logs found: " & colLogs.Count
   WScript.Quit
end if

' BackupEventLog returns 0 on success; a nonzero code means the archive was
' not written (for example, the file already exists or the privilege is missing).
for each objLog in colLogs
   intRC = objLog.BackupEventLog(strBackupFile)
   if intRC = 0 then
      WScript.Echo strLog & " backed up to " & strBackupFile
   else
      WScript.Echo "Backup of " & strLog & " failed with return code " & intRC
   end if
next

Discussion

You should consider archiving the event logs at least on your most important servers. If nothing else, archive your Security logs so that you can retrieve them if you need to go back and look for suspicious activity.

Instead of backing up the log files on the local server, you can also specify a UNC path to a remote file server. Note that the path is interpreted by the server whose log is being archived, not by the machine running the command, so for a remote server a local drive letter refers to that server's disks.

If the event logs are using a lot of disk space, you might want to create a simple batch script to archive the event logs and then clear them (see Recipe 8.7). If you are backing up your whole server using a tool like NTBackup, you probably don't need to archive the event logs individually.
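The following PowerShell function is an added example, not part of the Cookbook recipe, that archives a log through the same Win32_NTEventlogFile.BackupEventLog method used above but adds what an operator wants when the archive matters for later investigation: a timestamped file name so repeated runs never collide, a check of the method's return code instead of assuming success, and a SHA-256 hash recorded alongside the archive so that a later modification of the .evt file can be detected. It assumes Windows PowerShell 5.1 (for Get-WmiObject with -EnableAllPrivileges, which enables the Backup privilege the method requires); the function name, the server name fs01, and the share path \\fs01\logarchive are placeholders.

```powershell
# Added example (not from the Cookbook): archive an event log via WMI, verify the
# BackupEventLog return code, and record a SHA-256 hash of the resulting archive.
# Assumes Windows PowerShell 5.1 and a caller who holds the Backup privilege.

function Backup-EventLogArchive {
    param(
        [Parameter(Mandatory)] [string] $LogName,      # e.g. Application, Security
        [Parameter(Mandatory)] [string] $ArchiveDir,   # local dir on the target, or a UNC path
        [string] $ComputerName = '.'                   # '.' = local server
    )

    # Meaning of the BackupEventLog return codes, from the WMI class documentation.
    $returnCodes = @{
        0   = 'Success'
        8   = 'Privilege missing (Backup privilege not held)'
        21  = 'Invalid parameter'
        183 = 'Archive file already exists'
    }

    $machine = if ($ComputerName -eq '.') { $env:COMPUTERNAME } else { $ComputerName }

    # Timestamped name so a second archive of the same log never hits code 183.
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive = Join-Path $ArchiveDir ("{0}-{1}-{2}.evt" -f $machine, $LogName, $stamp)

    # Exactly one Win32_NTEventlogFile instance should match, as the recipe's VBScript checks.
    # The apostrophe is escaped so the log name cannot alter the WQL filter.
    $wqlName = $LogName -replace "'", "\'"
    $logs = @(Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $ComputerName `
                 -Filter "LogfileName = '$wqlName'" -EnableAllPrivileges)
    if ($logs.Count -ne 1) {
        throw "Expected one log named '$LogName' on $machine, found $($logs.Count)"
    }

    # The archive path is resolved on the target server, not on the caller, so use a
    # UNC path when the archive should land on a different file server.
    $rc = [int] $logs[0].BackupEventLog($archive).ReturnValue
    if ($rc -ne 0) {
        $reason = if ($returnCodes.ContainsKey($rc)) { $returnCodes[$rc] } else { "Unknown code $rc" }
        throw "BackupEventLog failed for $LogName on $machine : $reason"
    }

    # Hash the archive immediately so the index records what was written; the
    # hash is only available when the path is reachable from this machine (local or UNC).
    $sha256 = if (Test-Path -LiteralPath $archive) {
        (Get-FileHash -LiteralPath $archive -Algorithm SHA256).Hash
    } else { $null }

    [pscustomobject]@{
        Computer   = $machine
        Log        = $LogName
        Archive    = $archive
        SHA256     = $sha256
        ArchivedAt = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Usage (placeholder names): archive the Security log of fs01 to a share and append
# the hash record to an index file kept with the archives.
# Backup-EventLogArchive -LogName Security -ArchiveDir '\\fs01\logarchive' -ComputerName fs01 |
#     Export-Csv -Path '\\fs01\logarchive\archive-index.csv' -Append -NoTypeInformation
```

Keeping the index on a share that the archived servers can only write to, not modify, turns the hash record into a simple check that the archive you pull for an investigation is the one that was written at the time.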