Script to first back up the Windows Security event log to a file, copy that file to the archive share(s), and then clear the log.
# Script parameters.
#   $computer : name of the machine whose Security log is backed up
#   $clear    : when present, clear the live Security log after a successful backup
Param($computer, [switch]$clear)
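Function DeleteOldEventLogs {
    # Prune local backup files older than 7 days by delegating to DELETEOLD.PS1,
    # writing that script's own log next to the backups.
    # Reads: nothing from script scope. Outputs: whatever DELETEOLD.PS1 writes.
    $LogdateFormat = "dd-MM-yyyy"
    $Logdate = Get-Date -Format $LogdateFormat
    $CleanupScript = "C:\BackupScript\DELETEOLD.PS1"
    # NOTE(review): the log name "leanupLog_" is kept verbatim (looks like a truncated
    # "CleanupLog_") - confirm nothing else depends on it before renaming.
    $CleanupLog = "C:\Event_Logs\leanupLog_$Logdate.txt"
    # Call the script with explicit arguments instead of Invoke-Expression on a composed
    # string: same arguments as before, but the command line is never re-parsed as code.
    & $CleanupScript -folderpath C:\Event_Logs -fileage 7 -logfile $CleanupLog -verboselog
}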
Function Get-BackUpFolder {
    # Make sure the local folder and both archive folders exist, then run the backup.
    # Reads (script scope): $LocalTarget, $RemoteTarget1, $RemoteTarget2
    foreach ($target in @($LocalTarget, $RemoteTarget1, $RemoteTarget2)) {
        If (-not (Test-Path $target)) {
            New-Item $target -type Directory -force | Out-Null
        }
    }
    Backup-Eventlog
}
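Function Backup-Eventlog {
    # Back up the Security log of $computer into $LocalTarget and, when -clear was given
    # AND the backup reported success, clear the live log. Then hands off to
    # Copy-EventlogToArchive.
    # Reads (script scope): $computer, $LocalTarget, $date, $timeFormat, $clear,
    #   $smtp, $Sender, $Recipients
    # Sets (read later by Copy-EventlogToArchive through dynamic scoping): $path,
    #   $BackupStartTime, $BackupEndTime, $ErrBackup, $ClearStartTime, $ClearEndTime, $errClear
    $Eventlog = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogfileName='Security'" -ComputerName $computer
    # The old "-f $Computer, $log.LogFileName" applied to a string with no {n} placeholders
    # ($log was never defined); plain interpolation produces the identical path.
    $path = "$LocalTarget\$computer`_Sec_$date.evtx"
    $BackupStartTime = Get-Date -Format $timeFormat
    if ($Eventlog -eq $null) {
        # No log object came back (WMI unreachable, access denied, ...): record a non-zero
        # code so the clear step is skipped and the summary shows the failure.
        $ErrBackup = -1
    }
    else {
        $ErrBackup = ($Eventlog.BackupEventLog($path)).ReturnValue
    }
    $BackupEndTime = Get-Date -Format $timeFormat
    if ($clear) {
        if ($ErrBackup -eq 0) {
            # Clear only after the backup succeeded so no audit records are lost.
            $ClearStartTime = Get-Date -Format $timeFormat
            $errClear = ($Eventlog.ClearEventLog()).ReturnValue
            $ClearEndTime = Get-Date -Format $timeFormat
        }
        else {
            $Subject = "Unable to clear event log because backup failed on $Computer "
            $Body = "Backup Error was " + $ErrBackup
            $smtp.send($Sender, $Recipients, $Subject, $Body)
        }
    }
    Copy-EventlogToArchive
}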
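Function Copy-EventlogToArchive {
    # Copy this computer's backup files from $LocalTarget to both archive shares, alert on
    # copy failures or an oversized backup, write a summary event, mail the summary, then
    # prune old local backups.
    # Reads (dynamic scope): $LocalTarget, $RemoteTarget1, $RemoteTarget2, $Computer, $path,
    #   $timeFormat, $smtp, $Sender, $Recipients, plus the $Backup*/$Clear*/$Err* values
    #   set by Backup-Eventlog.

    Function Copy-NewFilesToArchive {
        # Copy files whose name matches $Computer that exist in $LocalTarget but not in $Target.
        # Returns 0 on success, 8008 if any copy failed (the codes the summary reports).
        Param($Target)
        $Source = Get-ChildItem $LocalTarget
        $Destination = Get-ChildItem $Target
        # Compare-Object rejects a null reference/difference set, so substitute a placeholder
        # when a folder is empty. (The original set $LocalTarget = "Junk" here instead of
        # $Source, which still handed Compare-Object a null -ReferenceObject.)
        If ($Source -eq $null) { $Source = "Junk" }
        If ($Destination -eq $null) { $Destination = "Junk" }
        $ErrCode = 0
        $ToCopy = Compare-Object $Source $Destination -Property Name |
            Where-Object { $_.Name -Match $Computer -and $_.SideIndicator -eq "<=" }
        ForEach ($item in $ToCopy) {
            try {
                # -ErrorAction Stop makes a failed Copy-Item catchable here instead of
                # relying on $? after a multi-stage pipeline.
                Copy-Item -Path (Join-Path $LocalTarget $item.Name) -Destination $Target -Force -ErrorAction Stop
            }
            catch {
                $ErrCode = 8008
            }
        }
        return $ErrCode
    }

    $startCopyTime1 = Get-Date -Format $timeFormat
    $ErrCopy1 = Copy-NewFilesToArchive $RemoteTarget1
    $endCopyTime1 = Get-Date -Format $timeFormat
    If ([int]$ErrCopy1 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED!!"
        $Body = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    $startCopyTime2 = Get-Date -Format $timeFormat
    $ErrCopy2 = Copy-NewFilesToArchive $RemoteTarget2
    $endCopyTime2 = Get-Date -Format $timeFormat
    If ([int]$ErrCopy2 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED!!"
        $Body = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    # Keep the numeric MB value for the threshold test: the "N0"-formatted string ("1,234")
    # cannot be cast to [int], so the old check failed exactly when the backup was large.
    $eventLogFileSizeInfo = (Get-Item $path | Measure-Object -property length -sum)
    $eventLogFileSizeMB = $eventLogFileSizeInfo.sum / 1MB
    $eventLogFileSize = "{0:N0}" -f $eventLogFileSizeMB
    If ($eventLogFileSizeMB -ge 1000) {
        $Subject = "EventLog backup size greater than 1000MB on $Computer "
        $Body = "EventLog size is: " + $eventLogFileSize + "MB"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    $Message = "Summary of Event Log Backup: `n`nBackupStartTime: $BackupStartTime `nBackupEndTime: $BackupEndTime `nErrBackup: $ErrBackup `nClearStartTime: $ClearStartTime `nClearEndTime: $ClearEndTime `nErrClear: $errClear `nStart Copy Time1: $startCopyTime1 `nEnd Copy Time1: $endCopyTime1 `nErrCopy1: $ErrCopy1 `nStart Copy Time2: $startCopyTime2 `nEnd Copy Time2: $endCopyTime2 `nErrCopy2: $ErrCopy2 `nEvent Log File Size MB: $eventLogFileSize"
    # Record the run in the Application log so it is visible without the mail.
    write-eventlog -logname Application -source BackupEventLog -eventID 1337 -entrytype Information -message $Message -category 1337
    $Subject = "Summary of Event Log Backup on $Computer "
    $Body = $Message
    $smtp.send($Sender, $Recipients, $Subject, $Body)
    DeleteOldEventLogs
}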
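################################################################################################################################################################################################################################################
# *** Entry Point To Script ***
# Sets the script-scope values every function above reads, registers the event source
# used for the summary event, then starts the backup chain via Get-BackUpFolder.
Clear-Host
$timeFormat = "HH:mm:ss"
$dateFormat = "yyMMdd"
$date = Get-Date -Format $dateFormat
# Honour the -computer parameter; fall back to this machine only when it was not given.
# (The original overwrote it unconditionally, so the parameter never took effect.)
If (-not $computer) {
    $computer = $env:computerName
}
#
# NOTE(review): SmtpClient is created with no credentials and EnableSsl is not set, so the
# summary mail (hostnames, paths, error codes) goes to the relay as plain text - confirm
# that matches the relay's policy.
$smtp = new-object system.net.mail.smtpclient -argumentlist smtp.oholics.net
$Sender = "senderaccount@oholics.net"
$Recipients = "jon@oholics.net,helpdesk@oholics.net"
#
# Register the event source for write-eventlog on first run (straight quotes replace the
# typographic ones; the source name is unchanged). Creating a source needs elevated rights.
If (![system.diagnostics.eventlog]::SourceExists("BackupEventLog")) {
    [system.diagnostics.EventLog]::CreateEventSource("BackupEventLog", "Application")
}
$LocalTarget = "C:\Event_Logs"
$RemoteTarget1 = "\\archive01.oholics.net\eventlogs$"
$RemoteTarget2 = "\\archive02.oholics.net\eventlogs$"
Get-BackUpFolder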