
Saturday 3 June 2017

Automate Windows servers' event log archival to a network shared folder

Or, How to configure the Windows event log archival path to a shared folder?
Or, Archiving Windows event logs to an alternate path or network shared folder?
Or, Automate AD security log archival on Windows Server.
Or, Move archived Windows logs to a network shared folder - can we automate this?

Description: If you repeat it, automate it... this is the theme that works for most task automation. In this article, too, we are going to automate a routine task, namely 'Windows event log archival'. You could also call it 'archival of archived event logs to a network shared folder'.

Yes, most administrators do it manually, which is very time consuming and always at risk of being missed. If you are reading this article, I know you are a lazy administrator like me and want to get rid of this daily/weekly hassle. So let's start....

Scenario Details: I have an AD/Active Directory server where I have set up auto archival of the security event log. Very often the C:\ drive of the AD server reaches 90%, or sometimes even 100%, which is a real worry for me.

IMP Notes:
1. By default, archived logs are saved on the C:\ drive of the Windows server at the path C:\Windows\System32\winevt\Logs
2. We are going to move the archived event logs to a network shared folder with the help of a PowerShell script
3. Auto archival of the event log is set to archive the security log when the log file size reaches 1GB.
4. The archived event logs appear as Archive-Security-2017-06-03-xx-yy-zz.evtx

Stage-1: Prepare the PowerShell script

Copy and paste the PowerShell commands below into a Notepad file > update the parameters as per your environment > save the file as a .ps1 file
-------------------------------------------------------------------------------------------------------------------------------
# Where Windows writes the archived logs, and which files we want
$path = "C:\Windows\System32\winevt\Logs"
$extn = "Archive-Security*.evtx"
$size = 1GB
# Network share that receives the archives
$dest = "\\fileserver01\ADlogsArchival"
# Find matching archives larger than $size and move them to the share
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue -Include $extn | Where-Object { $_.Length -gt $size } | Move-Item -Destination $dest
---------------------------------------------------------------------------------------------------------------------------------
IMP Note: Replace the path and size values with the ones applicable to your environment.

Stage-2: Schedule this PowerShell script in Windows Task Scheduler

Create a task in Windows Task Scheduler > in the Actions tab, fill in the details like this...

Program/script: PowerShell.exe
Add arguments (optional): -ExecutionPolicy Bypass C:\DoNotDelete\pscript\LogArchival.ps1

Note: replace the script path with the one applicable to your environment.
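Because the archived Security logs are the only copy of that evidence once Windows has rolled them, a practitioner would normally want the script to confirm the copy landed on the share before deleting the local file, and to leave everything in place if the share is down. The script below is an added example for Stage-1 (it is not the post's script); it selects archives by age instead of size so that files just under 1GB are not left behind, and the share, log-file path and 10-minute age threshold are assumed values. Schedule it exactly as in Stage-2.

```powershell
# Added example, not the post's script: move closed Security archives to the share,
# but only delete the local copy once the remote copy's SHA-256 matches.
# Assumed values: the share, the log file path and the 10-minute age threshold.
$path    = 'C:\Windows\System32\winevt\Logs'
$filter  = 'Archive-Security*.evtx'
$dest    = '\\fileserver01\ADlogsArchival'           # assumed share
$logFile = 'C:\DoNotDelete\pscript\LogArchival.log'  # assumed log path
$minAge  = (Get-Date).AddMinutes(-10)                # skip a file still being written

function Write-Log([string]$msg) {
    "$(Get-Date -Format s) $msg" | Add-Content -Path $logFile
}

# If the share is unreachable, leave every archive where it is; a full disk is
# recoverable, a lost Security archive is not.
if (-not (Test-Path -LiteralPath $dest)) {
    Write-Log "destination $dest unreachable, nothing moved"
    exit 1
}

$files = Get-ChildItem -Path $path -Filter $filter -File -ErrorAction SilentlyContinue |
         Where-Object { $_.LastWriteTime -lt $minAge }

foreach ($f in $files) {
    $target = Join-Path $dest $f.Name
    if (Test-Path -LiteralPath $target) {
        Write-Log "skip $($f.Name): already present on share"
        continue
    }
    try {
        Copy-Item -LiteralPath $f.FullName -Destination $target -ErrorAction Stop
        $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $target     -Algorithm SHA256).Hash
        if ($srcHash -eq $dstHash) {
            # Verified copy on the share; now it is safe to free the local disk
            Remove-Item -LiteralPath $f.FullName -ErrorAction Stop
            Write-Log "moved $($f.Name) sha256=$srcHash"
        } else {
            # Incomplete or corrupted copy: discard it and keep the local original
            Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue
            Write-Log "hash mismatch for $($f.Name); local copy kept"
        }
    } catch {
        Write-Log "error on $($f.Name): $($_.Exception.Message)"
    }
}
```

The log file records the hash of every archive moved, which gives you something to check the share against later if the integrity of a log is ever questioned.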

That's it guys, archival of the archived logs will take place automatically at the scheduled time you define in Task Scheduler. You can enjoy your coffee from now on and the script will take care of your task...

Cheers, please write me back if you have any query or feedback on this.