Or, How to configure
windows event logs archival path to shared folders?
Or, Archiving windows
event logs to alternate path or network shared folder?
Or, Automate AD
security logs archival in windows server.
Or, Move archived
windows logs to network shared folder - can we automate this?
Descriptions: If
you repeat it, automate it... this is the theme that works in most of the task
automation process. In this article also, we are going to automate a routine
task and that is ‘Windows event logs archival’. You can say it like 'archival of archived event logs to network shared shared folder' as well.
Yes, most of the administrators do it manually which is very
time consuming and is always at the risk to be missed. If you are reading this article,
I know you are one of the lazy administrator like me and want to get rid of this
daily/weekly hustle. So let’s start it….
Scenario Details: I
have an AD/Active Directory server where I have set auto archival of security
event logs. Very often, the C:\ drive of the AD server reach to 90% or even
100% sometime that is really a worry point for me.
IMP Notes:
1. By default archived logs are saved in C:\ drive of
windows server at path C:\Windows\System32\winevt\Logs
2. We are going to move archived event logs to
network shared folder with the help of PowerShell script
3. Auto archival of event logs are set to archive
the security logs if the log file size is reached 1GB.
4. The archived event logs appears like Archive-Security-2017-06-03-xx-yy-zz.evtx
Stage-1: Prepare the PowerShell
script
Copy and paste the below PowerShell
command in a Notepad file > update parameters as per your environment >
save this notepad file as .PS1 file
-------------------------------------------------------------------------------------------------------------------------------
$path = “C:\Windows\System32\winevt\Logs”
$extn = “Archive-Security*.evtx”
$size = 1GB
$dest = “\\fileserver01\ADlogsArchival”
get-ChildItem -path $path -recurse
-ErrorAction "SilentlyContinue" -include $Extn | where-Object {$_.Length -gt $size} |
Move-Item -Destination $dest
---------------------------------------------------------------------------------------------------------------------------------
IMP Note: Replace required path and size details
with the one applicable for your environment.
Stage-2: Schedule
this PowerShell script in windows task scheduler
Create a task in windows task scheduler > in Action
tab fill in the details like this...
Program/script:
PowerShell.exe
Add arguments
(optional): -ExecutionPolicy Bypass
C:\DoNotDelete\pscript\LogArchival.ps1
Note: replace the
script path with the one applicable for your environment.
That’s it guys, archival of archived logs will take place automatically
on scheduled time defined by you in the task scheduler. You can enjoy your coffee
now onward and the script will take care of your task...
Cheers, please write me back if you have any query or
feedback on this.
