Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
best way to delete or archive some log files on a regular basis
- Thread starter droodle
- Start date
Got permission, and as long as credit is given, then it's cool. With a little bit of tweaking, this could be exactly what you are looking for.
Code:
'********************************************************************************
'* EventLogArchive.vbs *
'* by Thomas Jones *
'* January 2006 *
'* This script does the following: *
'* queries the system, to determine the installed logs. *
'* achives the logs to a specified location. *
'* The file name is TypeofLog_FirstEventTime_LastEventTime.evt *
'* To save space the file is compressed into a cab. *
'* The origional evt archive file is deleted. *
'* The Event Log is then cleared *
'* A Application Event with the results of the process is written. *
'********************************************************************************
Option Explicit
'Declaring Constants and Array
Const strPath = "F:\Logs\"
Const intEventSuccess = 0
Const strComputer = "."
'Declaring Variables
Dim garrEventLogNames
Dim gstrArchiveFileName
Dim gstrLogName
Dim intCount
Dim intErrBkupLog
intErrBkupLog = 0
intCount = 0
garrEventLogNames = GetLogNames()
For intCount = LBound(garrEventLogNames) to UBound(garrEventLogNames)
'Confining the loop to the array size
gstrLogName = garrEventLogNames(intCount) 'Storing the Log Name
gstrArchiveFileName = CreateArchiveFileName(gstrLogName)
Call ArchiveEventLog(gstrArchiveFileName, gstrLogName)
ClearEventLog(gstrLogName)
WriteEvent(gstrLogName)
CreateCab(gstrArchiveFileName)
Next
DeleteEVTFiles()
WScript.Quit 'End of Script
Function GetLogNames()
'********************************************************************************
'* Function GetLogNames() *
'* Determines the logs existing on the system. *
'* Expects: Nothing. *
'* Returns: an array of log names. *
'********************************************************************************
Dim arrLogNames
Dim strEmpty
Dim strReferral
strEmpty = ""
strReferral = "GetLogNames"
arrLogNames = CreateEventObject(strEmpty, strReferral, strEmpty)
GetLogNames = arrLogNames
End Function
Function CreateArchiveFileName(strLogName)
'********************************************************************************
'* Function CreateArchiveFileName() *
'* Determines the new archive file name. *
'* by the timestamp on the first and last event in a selected log. *
'* Expects: The log name. *
'* Returns: The archive file name. *
'********************************************************************************
Dim strFirstEvent
Dim strLastEvent
Dim intNumOfEvents
Dim strBackupName
Dim strEmpty
Dim strReferral
strEmpty = ""
strReferral = "GetNumOfEvents"
intNumOfEvents = CreateEventObject(strLogName, strReferral, strEmpty)
' Import the num of recs in the Event Log.
strReferral = "GetFirstEvent"
strFirstEvent = CreateEventObject(strLogName, strReferral, strEmpty)
strReferral = "GetLastEvent"
strLastEvent = CreateEventObject(strLogName, strReferral, intNumOfEvents)
' Beginning For Loop to store the lastobjInstalledLogFiles
' event in log to timestamp the archive file.
strFirstEvent = Left(strFirstEvent, 14)
' Trim the string only to contain YYYYMMDDHHMMSS
strLastEvent = Left(strLastEvent, 14)
' Trim the string only to contain YYYYMMDDHHMMSS
strBackupName = gstrLogName & "_" & strFirstEvent & "_" & _
strLastEvent & ".evt" 'Concatenate and build the archive event file name
CreateArchiveFileName = strBackupName
End Function
Function CreateEventObject(strLogName, strReferral, varParameter)
'********************************************************************************
'* Function CreateEventObject() *
'* Querying System to build objects. *
'* Expects: The log name, the function from, an additional parameter. *
'* Returns: the event object or nothing depending on the select. *
'********************************************************************************
Dim strImpersonate
Dim objLog
Dim objWMIService
Dim objLogFile
Dim arrLocal
Dim strRootQuery
Dim strEventLogQuery
Dim strFirstEvent
Dim strLastEvent
Dim intNumOfEvents
Dim intEventCount
If strLogName = "Security" Then
strImpersonate = strLogName & ", Backup"
Else
strImpersonate = "Backup"
End If
Select Case strReferral
Case "GetLogNames"
strRootQuery = "winmgmts:" & _
"{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\cimv2"
strEventLogQuery = "Select * from Win32_NTEventLogFile"
Set objWMIService = GetObject(strRootQuery)
Err.Clear
Set objLog = objWMIService.ExecQuery(strEventLogQuery)
ReDim arrLocal(objLog.Count - 1)
For Each objLogFile in objLog
arrLocal(intEventCount) = objLogFile.LogFileName
intEventCount = intEventCount + 1
Next
CreateEventObject = arrLocal
Case "GetNumOfEvents"
strRootQuery = "winmgmts:{impersonationLevel=impersonate,(" & _
strImpersonate & ")}!\\" & strComputer & "\root\cimv2"
strEventLogQuery = _
"Select * from Win32_NTEventLogFile where LogFileName=" & _
"'" & strLogName & "'"
Set objWMIService = GetObject(strRootQuery) 'Creating System Object
Err.Clear
Set objLog = objWMIService.ExecQuery(strEventLogQuery)
intNumOfEvents = 0
For Each objLogFile in objLog
intNumOfEvents = objLogFile.NumberOfRecords
Next
CreateEventObject = intNumOfEvents
Case "GetFirstEvent"
strRootQuery = "winmgmts:" & "{impersonationLevel=impersonate,(" & _
strImpersonate & ")}!\\" & strComputer & "\root\cimv2"
strEventLogQuery = "Select * from Win32_NTLogEvent where LogFile=" & _
"'" & strLogName & "'" & " AND " & "RecordNumber = " & 1
Set objWMIService = GetObject(strRootQuery) 'Creating System Object
Err.Clear
Set objLog = objWMIService.ExecQuery(strEventLogQuery)
For Each objLogFile in objLog
strFirstEvent = objLogFile.TimeWritten
Next
CreateEventObject = strFirstEvent
Case "GetLastEvent"
strRootQuery = "winmgmts:" & "{impersonationLevel=impersonate,(" & _
strImpersonate & ")}!\\" & strComputer & "\root\cimv2"
strEventLogQuery = "Select * from Win32_NTLogEvent where LogFile=" & _
"'" & strLogName & "'" & " AND " & "RecordNumber = " & varParameter
Set objWMIService = GetObject(strRootQuery) 'Creating System Object
Err.Clear
Set objLog = objWMIService.ExecQuery(strEventLogQuery)
For Each objLogFile in objLog
strLastEvent = objLogFile.TimeWritten
Next
CreateEventObject = strLastEvent
Case "ArchiveEventLog"
strRootQuery = "winmgmts:" & "{impersonationLevel=impersonate,(" & _
strImpersonate & ")}!\\" & strComputer & "\root\cimv2"
strEventLogQuery = _
"Select * from Win32_NTEventLogFile where LogFileName=" & _
"'" & strLogName & "'"
Set objWMIService = GetObject(strRootQuery) 'Creating System Object
Err.Clear
Set objLog = objWMIService.ExecQuery(strEventLogQuery)
For Each objLogFile in objLog
intErrBkupLog = objLogFile.BackupEventLog(strPath & varParameter)
Next
Case "ClearEventLog"
strRootQuery = "winmgmts:" & "{impersonationLevel=impersonate,(" & _
strImpersonate & ")}!\\" & strComputer & "\root\cimv2"
strEventLogQuery = _
"Select * from Win32_NTEventLogFile where LogFileName=" & _
"'" & strLogName & "'"
Set objWMIService = GetObject(strRootQuery) 'Creating System Object
Err.Clear
Set objLog = objWMIService.ExecQuery(strEventLogQuery)
For Each objLogFile in objLog
intErrBkupLog = objLogFile.ClearEventLog() 'Clear event log.
Next
End Select
End Function
Sub ArchiveEventLog(strFileName, strLogName)
'********************************************************************************
'* Subroutine ArchiveEventLog() *
'* Archive the specified Event Log. *
'* Expects: The log file name and the log name. *
'* Returns: Nothing. *
'********************************************************************************
Dim objInstalledLogFiles
Dim strReferral
strReferral = "ArchiveEventLog"
objInstalledLogFiles = CreateEventObject(strLogName, strReferral, strFileName)
End Sub
Sub ClearEventLog(strLogName)
'********************************************************************************
'* Subroutine ClearEventLog() *
'* Clear the Event Logs. *
'* Expects: The log name. *
'* Returns: Nothing. *
'********************************************************************************
Dim strReferral
Dim strEmpty
strReferral = "ClearEventLog"
strEmpty = ""
Call CreateEventObject(strLogName, strReferral, strEmpty)
End Sub
Sub WriteEvent(strLogName)
'********************************************************************************
'* Subroutine WriteEvent() *
'* Write the result to the Application Log. *
'* Expects: The log name. *
'* Returns: Nothing. *
'********************************************************************************
Dim objShell
Set objShell = Wscript.CreateObject("Wscript.Shell")
If intErrBkupLog <> 0 Then
objShell.LogEvent intEventSuccess, strLogName & " Log was NOT archived."
Else
objShell.LogEvent intEventSuccess, strLogName & " Log was archived to " _
& strPath & "."
End If
End Sub
Sub CreateCab(strFileName)
'********************************************************************************
'* Subroutine CreateCab() *
'* Compress Logs using makecab.exe *
'* Expects: The log name. *
'* Returns: Nothing. *
'********************************************************************************
Dim objShell
Dim objFSO
Dim strCommand
Dim objFileDelete
Dim intRunError
strCommand = "cmd /c makecab " & chr(34) & strPath & strFileName & chr(34) & " " & chr(34) & strPath & strFileName & ".cab" & chr(34)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.Run(strCommand),0,True
End Sub
Sub DeleteEVTFiles()
'********************************************************************************
'* Subroutine DeleteCreateCab() *
'* Compress Logs using makecab.exe *
'* Expects: The log name. *
'* Returns: Nothing. *
'********************************************************************************
Dim objFSO
Const DeleteReadOnly = TRUE
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile(strPath & "*.evt")', DeleteReadOnly
End Sub- Thread starter
- #4
Depending on the application, you may need to have an archive. It will also depend on your business, and the laws that are applicable to that business.
Deletion isn't always the best case scenario, unless you are reviewing those logs on a day to day basis, ensuring that only appropriate things are going on. You can tell a lot just from an error that is going on if the system has been compromised.
Anyway, I wouldn't say that the above is extreme, as all it is is a .vbs script, with very little overhead. It is relatively easy to figure out, as the author of the script even put in remarks to let you know what he is doing (anything starting with a '). Looking at may give you another idea of the direction you want to go.
Deletion isn't always the best case scenario, unless you are reviewing those logs on a day to day basis, ensuring that only appropriate things are going on. You can tell a lot just from an error that is going on if the system has been compromised.
Anyway, I wouldn't say that the above is extreme, as all it is is a .vbs script, with very little overhead. It is relatively easy to figure out, as the author of the script even put in remarks to let you know what he is doing (anything starting with a '). Looking at may give you another idea of the direction you want to go.
- Thread starter
- #7
this is my fault for not explaining it properly.
my application creates log files say every hour and data is written to it then it stops after an hour and another log file is created with a different time stamp.
eg
2008021011.log
2008021012.log
2008021013.log
Another application then reads the data in the log file and creates rrd files where the data is stored and the log files are no longer needed and they do not delete.
- Status
Similar threads
- Locked
- Question
- Locked
- Question