Skip to content

Instantly share code, notes, and snippets.

@jkbryan

jkbryan/BACKUP_AND_CLEAR_EVENTLOGS.ps1

Last active March 11, 2019 09:41
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jkbryan/480e7850b72c88634993a5dcd436073f to your computer and use it in GitHub Desktop.
Save jkbryan/480e7850b72c88634993a5dcd436073f to your computer and use it in GitHub Desktop.
Download ZIP
Script to first backup to file, copy to archive(s) and then clear Windows security event logs.
Raw
BACKUP_AND_CLEAR_EVENTLOGS.ps1
Param(
$computer,
[switch]$clear
)
Function DeleteOldEventLogs {
# Clear old local log files - 7 days kept
$LogdateFormat = "dd-MM-yyyy"
$Logdate = Get-Date -Format $LogdateFormat
$CleanupExec = "C:\BackupScript\DELETEOLD.PS1 -folderpath C:\Event_Logs -fileage 7 -logfile C:\Event_Logs\leanupLog_$Logdate.txt -verboselog"
Invoke-Expression $CleanupExec
}
Function Get-BackUpFolder {
If (!(Test-Path $LocalTarget)) {
New-Item $LocalTarget -type Directory -force | out-Null
}
If (!(Test-Path $RemoteTarget1)) {
New-Item $RemoteTarget1 -type Directory -force | out-Null
}
If (!(Test-Path $RemoteTarget2)) {
New-Item $RemoteTarget2 -type Directory -force | out-Null
}
Backup-Eventlog
}
Function Backup-Eventlog {
$Eventlog = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogfileName='Security'" -ComputerName $computer
$path = "$LocalTarget\$computer`_Sec_$date.evtx" -f $Computer, $log.LogFileName
$BackupStartTime = Get-Date -Format $timeFormat
$ErrBackup = ($Eventlog.BackupEventLog($path)).ReturnValue
$BackupEndTime = Get-Date -Format $timeFormat
if ($clear) {
if ($ErrBackup -eq 0) {
$ClearStartTime = Get-Date -Format $timeFormat
$errClear = ($Eventlog.ClearEventLog()).ReturnValue
$ClearEndTime = Get-Date -Format $timeFormat
}
else {
$Subject = "Unable to clear event log because backup failed on $Computer "
$Body = "Backup Error was " + $ErrBackup
$smtp.send($Sender, $Recipients, $Subject, $Body)
}
}
Copy-EventlogToArchive
}
Function Copy-EventlogToArchive {
$startCopyTime1 = Get-Date -Format $timeFormat
$Source = Get-ChildItem $LocalTarget
If ($Source -eq $null) {
#Need to give a pseudo value to $LocalTarget and $RemoteTarget 1 & 2 of "Junk" if the folder is empty. If this is not done, compare-object fails..
$LocalTarget = "Junk"
}
$Destination = Get-ChildItem $RemoteTarget1
If ($Destination -eq $null) {
$Destination = "Junk"
}
Compare-Object $Source $Destination -Property Name | Where-Object {$_.Name -Match $Computer -and $_.SideIndicator -eq "<="} | ForEach-Object {Copy-Item -Path $LocalTarget"\$($_.name)" -Destination $RemoteTarget1 -Force}
if (-not $?) {
$ErrCopy1 = 8008
}
Else {
$ErrCopy1 = 0
}
$endCopyTime1 = Get-Date -Format $timeFormat
If ([int]$ErrCopy1 -ne 0) {
$Subject = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED!!"
$Body = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED"
$smtp.send($Sender, $Recipients, $Subject, $Body)
}
$startCopyTime2 = Get-Date -Format $timeFormat
$Source = Get-ChildItem $LocalTarget
If ($Source -eq $null) {
$LocalTarget = "Junk"
}
$Destination = Get-ChildItem $RemoteTarget2
If ($Destination -eq $null) {
$Destination = "Junk"
}
Compare-Object $Source $Destination -Property Name | Where-Object {$_.Name -Match $Computer -and $_.SideIndicator -eq "<="} | ForEach-Object {Copy-Item -Path $LocalTarget"\$($_.name)" -Destination $RemoteTarget2 -Force}
if (-not $?) {
$ErrCopy2 = 8008
}
Else {
$ErrCopy2 = 0
}
$endCopyTime2 = Get-Date -Format $timeFormat
If ([int]$ErrCopy2 -ne 0) {
$Subject = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED!!"
$Body = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED"
$smtp.send($Sender, $Recipients, $Subject, $Body)
}
$eventLogFileSize = (Get-Item $path | Measure-Object -property length -sum)
$eventLogFileSize = "{0:N0}" -f ($eventLogFileSize.sum / 1MB)
If ([int]$eventLogFileSize -ge 1000) {
$Subject = "EventLog backup size greater than 1000MB on $Computer "
$Body = "EventLog size is: " + $eventLogFileSize + "MB"
$smtp.send($Sender, $Recipients, $Subject, $Body)
}
$Message = "Summary of Event Log Backup: `n`nBackupStartTime: $BackupStartTime `nBackupEndTime: $BackupEndTime `nErrBackup: $ErrBackup `nClearStartTime: $ClearStartTime `nClearEndTime: $ClearEndTime `nErrClear: $errClear `nStart Copy Time1: $startCopyTime1 `nEnd Copy Time1: $endCopyTime1 `nErrCopy1: $ErrCopy1 `nStart Copy Time2: $startCopyTime2 `nEnd Copy Time2: $endCopyTime2 `nErrCopy2: $ErrCopy2 `nEvent Log File Size MB: $eventLogFileSize"
write-eventlog -logname Application -source BackupEventLog -eventID 1337 -entrytype Information -message $Message -category 1337
$Subject = "Summary of Event Log Backup on $Computer "
$Body = $Message
$smtp.send($Sender, $Recipients, $Subject, $Body)
DeleteOldEventLogs
}
################################################################################################################################################################################################################################################
# *** Entry Point To Script ***
Clear-Host
$timeFormat = "HH:mm:ss"
$dateFormat = "yyMMdd"
$date = Get-Date -Format $dateFormat
$computer = $env:computerName
#
$smtp = new-object system.net.mail.smtpclient -argumentlist smtp.oholics.net
$Sender = "senderaccount@oholics.net"
$Recipients = "jon@oholics.net,helpdesk@oholics.net"
#
If (![system.diagnostics.eventlog]::SourceExists(“BackupEventLog”)) {
[system.diagnostics.EventLog]::CreateEventSource(“BackupEventLog”, “Application”)
}
$LocalTarget = "C:\Event_Logs"
$RemoteTarget1 = "\\archive01.oholics.net\eventlogs$"
$RemoteTarget2 = "\\archive02.oholics.net\eventlogs$"
Get-BackUpFolder
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment