Option Explicit
'****************************************************************
' Filename..: event_backups2.vbs
' Author....: David Stein
' Date......: 08/21/08
' Purpose...: backup and clear security event log on local or remote computer
' Notes.....: Set testMode to True to disable real execution and run
'             this script in simulation mode only (nothing is backed
'             up, cleared or copied).
'             Set debugMode to True to enable verbose processing output
'             during execution (helpful for log capturing also)
'****************************************************************
'****************************************************************
' Settings - modify to suit needs
'****************************************************************
'----------------------------------------------------------------
' # name of computer to run against (wrap in dbl quotes)
' # enter a period "." to denote local computer
'----------------------------------------------------------------
Const strComputer = "."
'----------------------------------------------------------------
' # name of event log to backup and clear
' # "Security", "System", "Application", etc.
' # (matched against Win32_NTEventLogFile.LogFileName)
'----------------------------------------------------------------
Const eventLog = "Security"
'----------------------------------------------------------------
' # local backup folder location (must end with a backslash; the
' # expanded archive file name is appended to it)
'----------------------------------------------------------------
Const bkFolderPath = "c:\scripts\test\"
'----------------------------------------------------------------
' # enable or disable remote archival of backup file
' # set to True or False only
'----------------------------------------------------------------
Const doRemoteArchive = True
'----------------------------------------------------------------
' # remote storage path (if remote archive is enabled)
' # must end with a backslash
'----------------------------------------------------------------
Const rmtFolderPath = "\\MYSERVER\BACKUPS\LOGS\"
'----------------------------------------------------------------
' # naming format for the backup / archive file
' # tokens replaced at run time: #COMPUTER#, #LOGNAME#, #YYYY#,
' # #MM#, #DD# (month and day are zero padded to two digits)
'----------------------------------------------------------------
Const archiveNameFormat = "#COMPUTER#_#LOGNAME#_#YYYY#_#MM#_#DD#.evt"
'----------------------------------------------------------------
' # toggle DEBUG and TEST modes (set True or False only)
'----------------------------------------------------------------
Const debugMode = True
Const testMode = True
'****************************************************************
' Do NOT modify anything below this point !!!
'****************************************************************
' # script-level working variables (Option Explicit requires them)
Dim sDateStamp          ' declared but not referenced in this version
Dim bkFileName          ' declared but not referenced in this version
Dim sBackupFilePath     ' bkFolderPath & expanded file name
Dim logFileName         ' archiveNameFormat after token expansion
Dim objWshNet           ' WScript.Network object
Dim sUserName           ' objWshNet.UserName
Dim sCompName           ' objWshNet.ComputerName
Dim sDomain             ' objWshNet.UserDomain
Dim objFSO              ' Scripting.FileSystemObject
Dim objWMIService       ' winmgmts connection to strComputer
Dim colLogFiles         ' Win32_NTEventLogFile query result
Dim errBackupLog        ' return code of BackupEventLog (0 = success)
Dim objLogFile          ' current Win32_NTEventLogFile instance
Dim rmtLogPath          ' destination argument of the remote-archive CopyFile
Dim logCount            ' number of log instances visited by the loop
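'----------------------------------------------------------------
' # PadString: pad strVal (after Trim) with strChar until its
' # length is at least iLen.  sEnd = "L" pads on the left, any
' # other value pads on the right.  Returns the padded string.
' # An empty strChar returns the trimmed value unchanged - the
' # original loop could never terminate in that case.
'----------------------------------------------------------------
Function PadString(strVal, strChar, iLen, sEnd)
    Dim retval
    retval = Trim(strVal)
    ' guard: an empty pad character never lengthens the string (endless loop)
    If Len(strChar) = 0 Then
        PadString = retval
        Exit Function
    End If
    Do While Len(retval) < iLen
        If sEnd = "L" Then
            retval = strChar & retval
        Else
            retval = retval & strChar
        End If
    Loop
    PadString = retval
End Function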
'----------------------------------------------------------------
' # DebugPrint: emit one timestamped trace line (Now, cat, s
' # separated by tabs) but only while the debugMode Const is True.
' # cat is a short tag such as "info" or "error"; s is the message.
'----------------------------------------------------------------
Sub DebugPrint(cat, s)
    If Not debugMode Then Exit Sub
    WScript.Echo Join(Array(Now, cat, s), vbTab)
End Sub
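'----------------------------------------------------------------
' # begin code stuff
' # Flow: expand the archive file name -> skip everything if that
' # backup file already exists -> connect to WMI on strComputer ->
' # for each matching Win32_NTEventLogFile: back it up and ONLY when
' # the backup reports success clear it and (optionally) copy the
' # backup to rmtFolderPath.  With testMode = True every action is
' # only announced.  Once On Error Resume Next is active each risky
' # call is followed by an explicit Err.Number check.
'----------------------------------------------------------------
Dim errClearLog         ' return code of ClearEventLog (0 = success)
Set objWshNet = WScript.CreateObject("WScript.Network")
sDomain = objWshNet.UserDomain
sCompName = objWshNet.ComputerName
sUserName = objWshNet.UserName
'----------------------------------------------------------------
' #: expand logfile name using variable values
'----------------------------------------------------------------
logFileName = Replace(archiveNameFormat, "#COMPUTER#", Ucase(sCompName))
logFileName = Replace(logFileName, "#LOGNAME#", Ucase(eventLog))
logFileName = Replace(logFileName, "#YYYY#", Year(Now))
logFileName = Replace(logFileName, "#MM#", PadString(Month(Now), "0", 2, "L"))
logFileName = Replace(logFileName, "#DD#", PadString(Day(Now), "0", 2, "L"))
sBackupFilePath = bkFolderPath & logFileName
' # destination of the remote archive copy: same file name under the
' # remote folder (this was never assigned before, so CopyFile
' # received an empty destination)
rmtLogPath = rmtFolderPath & logFileName
debugprint "info", "-------------------------------------------------------------"
If testMode = True Then
    debugprint "info", "test-mode has been Enabled"
End If
debugprint "info", "eventlog is " & eventLog
debugprint "info", "domain is " & sDomain
debugprint "info", "computername is " & sCompName
debugprint "info", "username is " & sUserName
debugprint "info", "backup filename is " & sBackupFilePath
If doRemoteArchive = True Then
    debugprint "info", "remote-archival is Enabled"
    debugprint "info", "remote-archival-path is " & rmtFolderPath
End If
Set objFSO = Wscript.CreateObject("Scripting.FileSystemObject")
debugprint "info", "checking for existing backup file..."
' NOTE(review): FileExists and CopyFile below run against the filesystem
' of the machine executing this script, whereas BackupEventLog is carried
' out by the WMI provider on strComputer; with a remote strComputer the
' backup file presumably lands on that host rather than here - confirm
' before relying on the remote-archive step against remote targets.
If objFSO.FileExists(sBackupFilePath) Then
    ' # a backup with today's name already exists: nothing is cleared
    debugprint "info", "backup file already exists (skipping backup)"
Else
    debugprint "info", "no existing backup found, running new backup..."
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    If err.Number <> 0 Then
        debugprint "error", "unable to invoke wmi interface (aborting)"
        Wscript.Quit
    End If
    debugprint "info", "querying event log collections on host..."
    ' # eventLog is a script Const, not caller input, so embedding it in
    ' # the WQL text is acceptable here
    Set colLogFiles = objWMIService.ExecQuery _
        ("Select * from Win32_NTEventLogFile where LogFileName='" & eventLog & "'")
    '----------------------------------------------------------------
    ' # check if the query failed or returned nothing / usually caused
    ' # by lack of permissions
    '----------------------------------------------------------------
    If err.Number <> 0 Or IsNull(colLogFiles) Or IsEmpty(colLogFiles) Then
        debugprint "error", "unable to retrieve event log collection information (aborting)"
        wscript.Quit
    End If
    logCount = 0
    For Each objLogfile in colLogFiles
        logCount = logCount + 1
        If testMode = False Then
            debugprint "info", "backing up event log..."
            ' # preset a failure code: if BackupEventLog raises instead of
            ' # returning, errBackupLog must not stay Empty (Empty <> 0 is
            ' # False and the log would be cleared without any backup)
            errBackupLog = -1
            Err.Clear
            errBackupLog = objLogFile.BackupEventLog(sBackupFilePath)
            If Err.Number <> 0 Then
                errBackupLog = -1
            End If
            If errBackupLog = 0 Then
                debugprint "info", "event log backup completed"
            End If
        Else
            debugprint "info", "test-mode: backup would be run here"
            errBackupLog = 0
        End If
        If errBackupLog <> 0 Then
            debugprint "error", "the [" & eventLog & "] event log could not be backed up"
            debugprint "info", "event log will not be cleared"
        Else
            If testMode = False Then
                debugprint "info", "clearing the " & eventLog & " event log..."
                ' # the clear is only reached after a successful backup;
                ' # report a failed clear instead of silently moving on
                Err.Clear
                errClearLog = objLogFile.ClearEventLog()
                If Err.Number <> 0 Or errClearLog <> 0 Then
                    debugprint "error", "the [" & eventLog & "] event log could not be cleared"
                End If
            Else
                debugprint "info", "test-mode: event-log-clearing would be run here"
            End If
            If doRemoteArchive = True Then
                debugprint "info", "remote archival option has been enabled"
                If objFSO.FolderExists(rmtFolderPath) Then
                    If testMode = False Then
                        debugprint "info", "remote folder path has been verified, archiving backup file..."
                        ' # drop any earlier swallowed error so the check
                        ' # below reflects CopyFile alone
                        Err.Clear
                        objFSO.CopyFile sBackupFilePath, rmtLogPath
                        If err.Number <> 0 Then
                            debugprint "error", "failed to upload copy to archive folder on remote location"
                        Else
                            debugprint "info", "backup file was successfully archived to " & rmtLogPath
                        End If
                    Else
                        debugprint "info", "test-mode: remote archive upload would be run here"
                    End If
                Else
                    debugprint "error", "unable to locate remote archival folder path " & rmtFolderPath
                End If
            End If
        End If
    Next
    If logCount = 0 Then
        debugprint "error", "unable to access log collections, may imply security access failure under current context"
    End If
End If
debugprint "info", "processing has been completed"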
Friday, August 22, 2008
Script: Backup Event Log (version 2.0)
After a few emails, I went back and revised the code I posted last night to make it a little cleaner and easier to follow. I hope this helps...