Friday, August 22, 2008

Script: Backup Event Log (version 2.0)

After a few emails, I went back and revised the code I posted last night to make it a little cleaner and easier to follow. I hope this helps...






Option Explicit



'****************************************************************



' Filename..: event_backups2.vbs



' Author....: David Stein



' Date......: 08/21/08



' Purpose...: backup and clear security event log on local or remote computer



' Notes.....: Set TESTMODE to TRUE to disable real execution and run



' this script in simulation mode only.



' Set DEBUGMODE to TRUE to enable verbose processing output



' during execution (helpful for log capturing also)



'****************************************************************









'****************************************************************
' modify to suit needs
'****************************************************************

'----------------------------------------------------------------
' # name of computer to run against (wrap in dbl quotes)
' # enter a period "." to denote local computer
' # NOTE(review): with a remote name, BackupEventLog runs on the
' # target host and writes bkFolderPath there, while the
' # FileExists / CopyFile calls further down use the LOCAL file
' # system - confirm the path is reachable from both or run locally
'----------------------------------------------------------------
Const strComputer = "."

'----------------------------------------------------------------
' # name of event log to backup and clear
' # "Security", "System", "Application", etc.
' # spliced verbatim into the WQL filter below, so keep it a
' # fixed literal (never derive it from user input unchecked)
'----------------------------------------------------------------
Const eventLog = "Security"

'----------------------------------------------------------------
' # local backup folder location
' # trailing backslash required - the file name is appended directly
' # this folder receives a raw copy of the audit log: restrict its
' # ACL to the account running this script and administrators
'----------------------------------------------------------------
Const bkFolderPath = "c:\scripts\test\"

'----------------------------------------------------------------
' # enable or disable remote archival of backup file
' # set to True or False only
'----------------------------------------------------------------
Const doRemoteArchive = True

'----------------------------------------------------------------
' # remote storage path (if remote archive is enabled)
' # trailing backslash required
' # this share is the off-box copy of the audit trail; it should
' # be writable by the backup account but not readable or
' # deletable from the hosts being audited
'----------------------------------------------------------------
Const rmtFolderPath = "\\MYSERVER\BACKUPS\LOGS\"

'----------------------------------------------------------------
' # naming format for remote archive file
' # tokens: #COMPUTER# and #LOGNAME# (upper-cased), #YYYY#,
' # #MM# and #DD# (zero-padded) - one file per computer/log/day,
' # so a second run on the same day finds the file and skips
' # the backup (and therefore also skips clearing)
'----------------------------------------------------------------
Const archiveNameFormat = "#COMPUTER#_#LOGNAME#_#YYYY#_#MM#_#DD#.evt"

'----------------------------------------------------------------
' # toggle DEBUG and TEST modes (set True or False only)
' # testMode  True = simulate only; nothing is backed up or cleared
' # debugMode True = timestamped trace lines on stdout
'----------------------------------------------------------------
Const debugMode = True

Const testMode = True

'****************************************************************
' Do NOT modify anything below this point !!!
'****************************************************************

' runtime state shared by the main body below
' (sDateStamp and bkFileName are declared but not used in this version)
Dim sDateStamp, bkFileName, sBackupFilePath, logFileName

Dim objWshNet, sUserName, sCompName, sDomain

Dim objFSO, objWMIService, colLogFiles, errBackupLog, objLogFile

Dim rmtLogPath, logCount







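'----------------------------------------------------------------
' # PadString: pad strVal with strChar until it is at least iLen
' # characters long.
' #   strVal  - value to pad (converted to string, then trimmed)
' #   strChar - padding character(s)
' #   iLen    - target length
' #   sEnd    - "L" pads on the left (leading zeros for date
' #             parts); any other value pads on the right
' # Returns the trimmed value unchanged when it is already long
' # enough.  An empty strChar can never grow the string, so it is
' # returned untouched instead of looping forever.
'----------------------------------------------------------------
Function PadString(strVal, strChar, iLen, sEnd)
    Dim retval
    retval = Trim(strVal)
    ' guard: with nothing to pad with the original loop never terminated
    If Len(strChar) = 0 Then
        PadString = retval
        Exit Function
    End If
    Do While Len(retval) < iLen
        If sEnd = "L" Then
            retval = strChar & retval
        Else
            retval = retval & strChar
        End If
    Loop
    PadString = retval
End Function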







'----------------------------------------------------------------
' # DebugPrint: write one timestamped, tab-separated trace line
' #   <Now> TAB <cat> TAB <s>
' # to the script host's output, but only while the debugMode
' # constant is True.  With debugMode False the call is a no-op,
' # so the main body can trace freely without conditionals.
'----------------------------------------------------------------
Sub DebugPrint(cat, s)
    If Not debugMode Then Exit Sub
    WScript.Echo Join(Array(Now, cat, s), vbTab)
End Sub







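'----------------------------------------------------------------
' # begin code stuff
' #
' # Order of operations (changed from the original, which cleared
' # the live log BEFORE copying the backup off-box):
' #   1. back up the log into the local backup folder
' #   2. confirm the backup file actually exists
' #   3. copy it to the remote archive (if enabled) and confirm
' #   4. only then clear the live log
' # If any step fails the log is left intact, so the only copy of
' # the audit trail is never a file sitting on the very machine
' # being audited.  Clearing the Security log is itself audited by
' # Windows (an "audit log was cleared" event is written), so expect
' # monitoring to notice each run of this script.
'----------------------------------------------------------------

' okToClear   - False when remote archival was requested but did not succeed
' errClearLog - return code of ClearEventLog (0 = success)
Dim okToClear, errClearLog

Set objWshNet = WScript.CreateObject("WScript.Network")
sDomain   = objWshNet.UserDomain
sCompName = objWshNet.ComputerName
sUserName = objWshNet.UserName

'----------------------------------------------------------------
' #: expand logfile name using variable values
'----------------------------------------------------------------
logFileName = Replace(archiveNameFormat, "#COMPUTER#", UCase(sCompName))
logFileName = Replace(logFileName, "#LOGNAME#", UCase(eventLog))
logFileName = Replace(logFileName, "#YYYY#", Year(Now))
logFileName = Replace(logFileName, "#MM#", PadString(Month(Now), "0", 2, "L"))
logFileName = Replace(logFileName, "#DD#", PadString(Day(Now), "0", 2, "L"))

sBackupFilePath = bkFolderPath & logFileName
' the original never assigned rmtLogPath, so CopyFile was handed an
' empty destination; the archive copy is the same file name under
' the remote folder
rmtLogPath = rmtFolderPath & logFileName

debugprint "info", "-------------------------------------------------------------"
If testMode = True Then
    debugprint "info", "test-mode has been Enabled"
End If
debugprint "info", "eventlog is " & eventLog
debugprint "info", "domain is " & sDomain
debugprint "info", "computername is " & sCompName
debugprint "info", "username is " & sUserName
debugprint "info", "backup filename is " & sBackupFilePath
If doRemoteArchive = True Then
    debugprint "info", "remote-archival is Enabled"
    debugprint "info", "remote-archival-path is " & rmtFolderPath
End If

Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")

debugprint "info", "checking for existing backup file..."
If objFSO.FileExists(sBackupFilePath) Then
    debugprint "info", "backup file already exists (skipping backup)"
Else
    debugprint "info", "no existing backup found, running new backup..."

    On Error Resume Next

    ' BackupEventLog / ClearEventLog on the Security log need the
    ' Backup and Security privileges ENABLED on the WMI connection,
    ' not merely held by the account; request them in the moniker.
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Backup,Security)}!\\" _
        & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        debugprint "error", "unable to invoke wmi interface (aborting): " & Err.Description
        ' non-zero exit so a scheduled task / monitor sees the failure
        WScript.Quit 1
    End If

    debugprint "info", "querying event log collections on host..."
    ' eventLog is a compile-time Const, so concatenating it into the
    ' WQL filter is safe here; if it is ever taken from user input it
    ' must be validated against the known log names first, because a
    ' stray quote would change the query.
    Err.Clear
    Set colLogFiles = objWMIService.ExecQuery _
        ("Select * from Win32_NTEventLogFile where LogFileName='" & eventLog & "'")

    '------------------------------------------------------------
    ' # check if collection is empty / usually caused by lack of
    ' # permissions
    '------------------------------------------------------------
    If Err.Number <> 0 Or IsNull(colLogFiles) Or IsEmpty(colLogFiles) Then
        debugprint "error", "unable to retrieve event log collection information (aborting)"
        WScript.Quit 1
    End If

    logCount = 0
    For Each objLogFile In colLogFiles
        logCount = logCount + 1

        '-- step 1: back up the live log -----------------------------
        If testMode = False Then
            debugprint "info", "backing up event log..."
            Err.Clear
            errBackupLog = objLogFile.BackupEventLog(sBackupFilePath)
            ' a thrown error leaves the return value Empty; fold it in
            If Err.Number <> 0 Then errBackupLog = Err.Number
            ' trust the file system, not just the return code
            If errBackupLog = 0 And Not objFSO.FileExists(sBackupFilePath) Then
                errBackupLog = -1
            End If
            If errBackupLog = 0 Then debugprint "info", "event log backup completed"
        Else
            debugprint "info", "test-mode: backup would be run here"
            errBackupLog = 0
        End If

        If errBackupLog <> 0 Then
            debugprint "error", "the [" & eventLog & "] event log could not be backed up (code " & errBackupLog & ")"
            debugprint "info", "event log will not be cleared"
        Else
            okToClear = True

            '-- step 2: archive off-box BEFORE anything is cleared ----
            If doRemoteArchive = True Then
                debugprint "info", "remote archival option has been enabled"
                If objFSO.FolderExists(rmtFolderPath) Then
                    If testMode = False Then
                        debugprint "info", "remote folder path has been verified, archiving backup file..."
                        Err.Clear
                        objFSO.CopyFile sBackupFilePath, rmtLogPath
                        If Err.Number <> 0 Then
                            debugprint "error", "failed to upload copy to archive folder on remote location: " & Err.Description
                            okToClear = False
                        Else
                            debugprint "info", "backup file was successfully archived to " & rmtLogPath
                        End If
                    Else
                        debugprint "info", "test-mode: remote archive upload would be run here"
                    End If
                Else
                    debugprint "error", "unable to locate remote archival folder path " & rmtFolderPath
                    okToClear = False
                End If
            End If

            '-- step 3: clear, only once the backup is safely stored --
            If okToClear = False Then
                debugprint "info", "remote archive failed, event log will not be cleared"
            ElseIf testMode = False Then
                debugprint "info", "clearing the " & eventLog & " event log..."
                Err.Clear
                errClearLog = objLogFile.ClearEventLog()
                If Err.Number <> 0 Or errClearLog <> 0 Then
                    debugprint "error", "the [" & eventLog & "] event log could not be cleared"
                Else
                    debugprint "info", "event log cleared"
                End If
            Else
                debugprint "info", "test-mode: event-log-clearing would be run here"
            End If
        End If
    Next

    If logCount = 0 Then
        debugprint "error", "unable to access log collections, may imply security access failure under current context"
    End If
End If

debugprint "info", "processing has been completed"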





