Script to first back up to file, copy to archive(s) and then clear Windows security event logs.
# Script parameters.
#   -computer : intended target computer for the Security log backup; note that the
#               entry-point code below assigns $env:computerName to $computer
#               unconditionally, so the value passed here is never used.
#   -clear    : when present, the live Security log is cleared after a backup that
#               reported success (see Backup-Eventlog).
Param(
$computer,
[switch]$clear
)
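Function DeleteOldEventLogs {
    # Purge local backup files older than 7 days by delegating to DELETEOLD.PS1.
    # The cleanup script's own log is written into the same folder it purges.
    # Takes no arguments; returns nothing of its own.
    $LogdateFormat = "dd-MM-yyyy"
    $Logdate = Get-Date -Format $LogdateFormat
    # NOTE(review): "leanupLog_" looks like a typo for "CleanupLog_"; kept as-is so
    # anything that already consumes that file name is not affected.
    $CleanupLogFile = "C:\Event_Logs\leanupLog_$Logdate.txt"
    # Call the script directly with named arguments instead of building a command
    # line and round-tripping it through Invoke-Expression: the path and values are
    # passed as-is rather than re-parsed as PowerShell source.
    & "C:\BackupScript\DELETEOLD.PS1" -folderpath "C:\Event_Logs" -fileage 7 -logfile $CleanupLogFile -verboselog
}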
Function Get-BackUpFolder {
    # Make sure the local staging folder and both archive shares exist (creating
    # any that are missing), then start the backup.
    # Reads script-scope $LocalTarget, $RemoteTarget1 and $RemoteTarget2.
    # Despite the Get- verb this function has side effects (directory creation)
    # and calls Backup-Eventlog, which drives the rest of the run.
    $targetFolders = @($LocalTarget, $RemoteTarget1, $RemoteTarget2)
    foreach ($targetFolder in $targetFolders) {
        if (-not (Test-Path $targetFolder)) {
            New-Item $targetFolder -type Directory -force | Out-Null
        }
    }
    Backup-Eventlog
}
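Function Backup-Eventlog {
    # Back up the Security event log of $computer to a timestamped .evtx under
    # $LocalTarget, optionally clear the live log (only when -clear was passed AND
    # the backup reported ReturnValue 0), then hand over to Copy-EventlogToArchive.
    # Reads script-scope $computer, $LocalTarget, $date, $timeFormat, $clear, $smtp,
    # $Sender and $Recipients. Leaves $path, $BackupStartTime, $BackupEndTime,
    # $ErrBackup, $ClearStartTime, $ClearEndTime and $errClear in this scope, where
    # Copy-EventlogToArchive (called from here) reads them for its summary.
    $Eventlog = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogfileName='Security'" -ComputerName $computer
    # Backup file path; the backtick stops "_Sec" being read as part of $computer.
    # (The original appended "-f $Computer, $log.LogFileName", which had no effect:
    # the string has no {0}/{1} placeholders and $log is never defined.)
    $path = "$LocalTarget\$computer`_Sec_$date.evtx"
    $BackupStartTime = Get-Date -Format $timeFormat
    if ($null -eq $Eventlog) {
        # No Security log object came back (WMI or remote failure). Record a non-zero
        # code so the clear below is skipped and the failure is e-mailed, instead of
        # throwing on a method call on $null. -1 is a script-chosen sentinel, not a
        # Win32_NTEventLogFile ReturnValue.
        $ErrBackup = -1
    }
    else {
        $ErrBackup = ($Eventlog.BackupEventLog($path)).ReturnValue
    }
    $BackupEndTime = Get-Date -Format $timeFormat
    if ($clear) {
        if ($ErrBackup -eq 0) {
            # NOTE(review): the live log is cleared here, before Copy-EventlogToArchive
            # has copied the backup off-box. If both archive copies then fail, the only
            # copy of the cleared Security log is the local file under $LocalTarget.
            $ClearStartTime = Get-Date -Format $timeFormat
            $errClear = ($Eventlog.ClearEventLog()).ReturnValue
            $ClearEndTime = Get-Date -Format $timeFormat
        }
        else {
            $Subject = "Unable to clear event log because backup failed on $Computer "
            $Body = "Backup Error was " + $ErrBackup
            $smtp.send($Sender, $Recipients, $Subject, $Body)
        }
    }
    Copy-EventlogToArchive
}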
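Function Copy-EventlogToArchive {
    # Copy every backup file for this computer that an archive share does not yet
    # hold (compared by file name) to $RemoteTarget1 and then $RemoteTarget2,
    # e-mail on a failed copy and on an oversized backup, write a summary event
    # and e-mail, then purge old local files.
    # Reads, via PowerShell's dynamic scoping, $LocalTarget, $RemoteTarget1,
    # $RemoteTarget2, $Computer, $timeFormat, $smtp, $Sender, $Recipients and the
    # variables Backup-Eventlog leaves behind ($path, $BackupStartTime,
    # $BackupEndTime, $ErrBackup, $ClearStartTime, $ClearEndTime, $errClear).

    # Copy files from $LocalTarget whose name matches $Computer and which are not
    # already present (by name) in $ArchivePath.
    # Returns 0 on success, or 8008 (the script's existing "copy failed" code)
    # when any Copy-Item reported an error.
    function Copy-MissingBackups {
        param([string]$ArchivePath)
        $sourceFiles = @(Get-ChildItem $LocalTarget)
        if ($sourceFiles.Count -eq 0) {
            # Nothing staged locally, so there is nothing to copy. (The original
            # assigned "Junk" to $LocalTarget here, the folder path, rather than to
            # the file list, which both broke the later copy path and still fed an
            # empty list to Compare-Object.)
            return 0
        }
        $archivedNames = @(Get-ChildItem $ArchivePath | ForEach-Object { $_.Name })
        $copyErrors = @()
        foreach ($file in $sourceFiles) {
            # -match keeps the original regex semantics of the computer-name filter.
            if ($file.Name -match $Computer -and $archivedNames -notcontains $file.Name) {
                # Collect per-call errors explicitly rather than relying on $? after
                # a multi-stage pipeline.
                Copy-Item -Path $file.FullName -Destination $ArchivePath -Force -ErrorVariable +copyErrors
            }
        }
        if ($copyErrors.Count -gt 0) {
            return 8008
        }
        return 0
    }

    # First archive share.
    $startCopyTime1 = Get-Date -Format $timeFormat
    $ErrCopy1 = Copy-MissingBackups -ArchivePath $RemoteTarget1
    $endCopyTime1 = Get-Date -Format $timeFormat
    if ($ErrCopy1 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED!!"
        $Body = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    # Second archive share.
    $startCopyTime2 = Get-Date -Format $timeFormat
    $ErrCopy2 = Copy-MissingBackups -ArchivePath $RemoteTarget2
    $endCopyTime2 = Get-Date -Format $timeFormat
    if ($ErrCopy2 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED!!"
        $Body = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    # Size check on the backup just written ($path is set by Backup-Eventlog).
    # Compare as a number: the "N0" display format inserts thousands separators
    # ("1,234"), and casting that string with [int] fails, which is exactly at the
    # >= 1000 MB threshold this alert is meant to catch.
    $eventLogFileSizeMB = 0
    if (Test-Path $path) {
        $sizeBytes = (Get-Item $path | Measure-Object -Property Length -Sum).Sum
        $eventLogFileSizeMB = [math]::Round($sizeBytes / 1MB, [System.MidpointRounding]::AwayFromZero)
    }
    $eventLogFileSize = "{0:N0}" -f $eventLogFileSizeMB
    if ($eventLogFileSizeMB -ge 1000) {
        $Subject = "EventLog backup size greater than 1000MB on $Computer "
        $Body = "EventLog size is: " + $eventLogFileSize + "MB"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    # Summary: written to the Application log (source registered at the entry
    # point) and e-mailed.
    $Message = "Summary of Event Log Backup: `n`nBackupStartTime: $BackupStartTime `nBackupEndTime: $BackupEndTime `nErrBackup: $ErrBackup `nClearStartTime: $ClearStartTime `nClearEndTime: $ClearEndTime `nErrClear: $errClear `nStart Copy Time1: $startCopyTime1 `nEnd Copy Time1: $endCopyTime1 `nErrCopy1: $ErrCopy1 `nStart Copy Time2: $startCopyTime2 `nEnd Copy Time2: $endCopyTime2 `nErrCopy2: $ErrCopy2 `nEvent Log File Size MB: $eventLogFileSize"
    write-eventlog -logname Application -source BackupEventLog -eventID 1337 -entrytype Information -message $Message -category 1337
    $Subject = "Summary of Event Log Backup on $Computer "
    $Body = $Message
    $smtp.send($Sender, $Recipients, $Subject, $Body)
    DeleteOldEventLogs
}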
################################################################################
# *** Entry Point To Script ***
################################################################################
Clear-Host

# Timestamp formats used by the functions above (summary times and the backup
# file name).
$timeFormat = 'HH:mm:ss'
$dateFormat = 'yyMMdd'
$date = Get-Date -Format $dateFormat

# NOTE(review): this unconditionally overrides the -computer parameter declared
# at the top, so the script always operates on the local machine.
$computer = $env:computerName

# Mail transport and addresses for the failure and summary notifications.
$smtp = New-Object -TypeName System.Net.Mail.SmtpClient -ArgumentList 'smtp.oholics.net'
$Sender = 'senderaccount@oholics.net'
$Recipients = 'jon@oholics.net,helpdesk@oholics.net'

# Event source used by write-eventlog in Copy-EventlogToArchive.
if (-not [System.Diagnostics.EventLog]::SourceExists('BackupEventLog')) {
    [System.Diagnostics.EventLog]::CreateEventSource('BackupEventLog', 'Application')
}

# Local staging folder plus the two archive shares.
$LocalTarget = 'C:\Event_Logs'
$RemoteTarget1 = '\\archive01.oholics.net\eventlogs$'
$RemoteTarget2 = '\\archive02.oholics.net\eventlogs$'

Get-BackUpFolder