
Dump and Clear EventLogs from Command Line

Status
Not open for further replies.

lifegard2

IS-IT--Management
Mar 28, 2002
250
US
Does anyone know of a way to Dump/Clear an Event Log from the command line? I would prefer to dump it in the default .evt format for the Event Logs. This way I can set up DumpEvt to massage the data for import into a database.

We are required to keep the security log indefinitely for audit trail purposes. (It's a nightmare that I would rather not be doing, but FDA and ISO. . .)

Currently, I have to manually go into the event logs and do a clear, answer yes to the save question, and then save the .evt file to a location on the respective server. However, given that I can't overwrite the logs, but MUST retain them, I need to be able to automatically empty the logs on a regular basis, lest, being human, I forget to do it myself.

Any ideas?
 

Go to this URL and have a gander. Maybe this utility will do what you are asking.
Don't forget that the NT shell (command prompt) is far more versatile than the DOS prompt of Windows 95/98; you will find many extra commands for writing a decent shell script.

Also the NT resource kit may be of some help too.
 
Hey Lifegard2,

Dumpevt can clear the log for you.
If you read Dumpevt's helpfiles/Readme you'll find a whole whack of switches, one of which clears the log after a successful dump.

I have written a batch file that dumps the logs for all my servers and then clears when it's finished.

Enjoy!
 
Here is a batch file I run as a scheduled task on all my servers. I kick it off every two months to dump the eventlogs, compress them, and copy them to a central server that stores all the compressed eventlogs for all servers.

REM put in c:\winnt\system32
REM Date /T prints e.g. "Thu 03/28/2002" on a US locale; tokens 2-4 split on "/" and
REM space give month (%%a), day (%%b) and year (%%c). Adjust the tokens if the locale differs.
FOR /f "tokens=2-4 delims=/ " %%a in ('Date /T') Do (Set Month=%%a&Set Year=%%c)

REM Dump each log to a text file with dumpel.exe (Resource Kit).
REM dumpel only reads the log; it does not clear it.
dumpel.exe -f c:\temp\security.txt -l security
dumpel.exe -f c:\temp\application.txt -l Application
dumpel.exe -f c:\temp\System.txt -l System

REM Stamp the dumps with month and year
rename c:\temp\Security.txt Security%month%%year%.txt
rename c:\temp\Application.txt Application%month%%year%.txt
rename c:\temp\System.txt System%month%%year%.txt

REM Compress (Resource Kit compress.exe): -r renames to .tx_, -z uses MS-ZIP compression
Compress c:\temp\Security%month%%year%.txt -r -z
Compress c:\temp\Application%month%%year%.txt -r -z
Compress c:\temp\System%month%%year%.txt -r -z

REM Copy the compressed dumps to the central log server, one folder per server
robocopy c:\temp \\Computer_name\A_share_name\eventlogs\%computername% Security%month%%year%.tx_
robocopy c:\temp \\Computer_name\A_share_name\eventlogs\%computername% Application%month%%year%.tx_
robocopy c:\temp \\Computer_name\A_share_name\eventlogs\%computername% System%month%%year%.tx_

REM Keep a local copy next to the live logs; /mov removes the staging copy from c:\temp
robocopy c:\temp c:\winnt\system32\config Security%month%%year%.tx_ /mov
robocopy c:\temp c:\winnt\system32\config Application%month%%year%.tx_ /mov
robocopy c:\temp c:\winnt\system32\config System%month%%year%.tx_ /mov

REM Remove the uncompressed text dumps
Del c:\temp\Security%month%%year%.txt
Del C:\temp\Application%month%%year%.txt
Del c:\temp\System%month%%year%.txt




Maybe this will help - Mike
 
I run a batch file that is executed by "Task Scheduler" or the "at" command. The bat is as follows:

REM Map the log server share as Z: (the UNC path contains a space, so it must be quoted)
net use z: /del
net use z: "\\Log Server\LOGS$"
c:
cd \event
REM evt.exe saves the System, Application and Security logs to .evt files and clears them
evt.exe
REM Move the saved .evt files into this server's folder on the share
move c:\event\*.evt z:\%computername%

"LOGEVT.bat" maps to a share. In my case I have a server dedicated to logs. Then from the "c" drive of each server to be backed up, it runs "evt.exe". That executable will save the logs into three .evts (system, application, and security). After they are saved and cleared, the batch file continues and moves the files into a folder out on the share with the server's name.

Be sure to create the folders on the share before running the batch. (ex: server1, server2). Place the folder with the batch and the .exe on the "c" drive of each server to be backed up. I just named mine event.

I can send you the .exe if need be
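Both scripts in this thread follow the same pattern (dump, copy to a central server, clear), but neither checks that the archived copy actually arrived before the live log is emptied, which matters when the log is being kept for audit purposes. The batch file below is an added example, not code from any poster in this thread or from the tools they mention. It assumes a Windows version that ships wevtutil.exe (Vista or later), so it does not depend on the Resource Kit dumpel or the third-party DumpEvt; the .evtx it exports is the current equivalent of the .evt format the original poster asked for. The share name LOGSERVER\LOGS$ and the staging directory are assumed placeholders.

```batch
@echo off
REM Added example: export each log to a date-stamped .evtx, copy it to the central
REM share, verify the copy byte-for-byte, and only then clear the live log.
REM Assumes wevtutil.exe (Windows Vista or later). Run from an elevated prompt;
REM exporting and clearing the Security log requires it.
setlocal

REM Assumed placeholder locations; change them for your environment.
set ARCHIVE=\\LOGSERVER\LOGS$\%COMPUTERNAME%
set STAGE=C:\EventLogArchive

REM Locale-independent timestamp (Date /T parsing breaks when the date format changes).
for /f %%t in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"') do set STAMP=%%t

if not exist "%STAGE%" mkdir "%STAGE%"
if not exist "%ARCHIVE%" mkdir "%ARCHIVE%"

REM Each log is handled independently; a failure in one leaves that log untouched.
for %%L in (Security Application System) do call :archive %%L
endlocal
exit /b 0

:archive
set LOGNAME=%1
set LOCALFILE=%STAGE%\%LOGNAME%-%STAMP%.evtx
set REMOTEFILE=%ARCHIVE%\%LOGNAME%-%STAMP%.evtx

REM 1. Export the live log in native .evtx format (still readable in Event Viewer).
wevtutil epl %LOGNAME% "%LOCALFILE%"
if errorlevel 1 (
    echo ERROR: export of %LOGNAME% failed, leaving the log untouched.
    exit /b 1
)

REM 2. Copy the export to the central share.
copy /y "%LOCALFILE%" "%REMOTEFILE%" >nul
if errorlevel 1 (
    echo ERROR: copy of %LOGNAME% to %ARCHIVE% failed, leaving the log untouched.
    exit /b 1
)

REM 3. Compare local and archived copies before destroying anything.
fc /b "%LOCALFILE%" "%REMOTEFILE%" >nul
if errorlevel 1 (
    echo ERROR: archived copy of %LOGNAME% does not match, leaving the log untouched.
    exit /b 1
)

REM 4. Clear the live log. (wevtutil cl %LOGNAME% /bu:file would back up and clear in
REM    one step, but then the copy could not be verified before the clear.)
wevtutil cl %LOGNAME%
if errorlevel 1 (
    echo ERROR: clearing %LOGNAME% failed after a successful archive.
    exit /b 1
)
echo Archived and cleared %LOGNAME% to %REMOTEFILE%
exit /b 0
```

Schedule it with Task Scheduler the same way the posters above do. Clearing the Security log writes event 1102 ("The audit log was cleared") as the first entry of the new log, so the archive job leaves a predictable 1102 on its schedule; a 1102 at any other time is worth an alert, since it is the same trace an intruder leaves when covering tracks.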


 