Script to first backup to file, copy to archive(s) and then clear Windows security event logs.

BACKUP_AND_CLEAR_EVENTLOGS.ps1

Param(
    $computer,
    [switch]$clear
)
Function DeleteOldEventLogs {
    # Clear old local log files - 7 days kept
    $LogdateFormat = "dd-MM-yyyy"
    $Logdate = Get-Date -Format $LogdateFormat
    $CleanupExec = "C:\BackupScript\DELETEOLD.PS1 -folderpath C:\Event_Logs -fileage 7 -logfile C:\Event_Logs\leanupLog_$Logdate.txt -verboselog"
    Invoke-Expression $CleanupExec
}	 
Function Get-BackUpFolder {
    If (!(Test-Path $LocalTarget)) {
        New-Item $LocalTarget -type Directory -force  | out-Null
    }
    If (!(Test-Path $RemoteTarget1)) {
        New-Item $RemoteTarget1 -type Directory -force | out-Null
    } 
    If (!(Test-Path $RemoteTarget2)) {
        New-Item $RemoteTarget2 -type Directory -force | out-Null
    } 
    Backup-Eventlog
}
Function Backup-Eventlog {
    $Eventlog = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogfileName='Security'" -ComputerName $computer
    $path = "$LocalTarget\$computer`_Sec_$date.evtx" -f $Computer, $log.LogFileName
    $BackupStartTime = Get-Date -Format $timeFormat
    $ErrBackup = ($Eventlog.BackupEventLog($path)).ReturnValue
    $BackupEndTime = Get-Date -Format $timeFormat
    if ($clear) {
        if ($ErrBackup -eq 0) {
            $ClearStartTime = Get-Date -Format $timeFormat
            $errClear = ($Eventlog.ClearEventLog()).ReturnValue
            $ClearEndTime = Get-Date -Format $timeFormat
        }
        else { 
            $Subject = "Unable to clear event log because backup failed on $Computer " 
            $Body = "Backup Error was " + $ErrBackup
            $smtp.send($Sender, $Recipients, $Subject, $Body)
        } 
    } 
    Copy-EventlogToArchive 
}
Function Copy-EventlogToArchive {
    $startCopyTime1 = Get-Date -Format $timeFormat
    $Source = Get-ChildItem $LocalTarget
    If ($Source -eq $null) {
        #Need to give a pseudo value to $LocalTarget and $RemoteTarget 1 & 2 of "Junk" if the folder is empty. If this is not done, compare-object fails..
        $LocalTarget = "Junk"
    }
    $Destination = Get-ChildItem $RemoteTarget1
    If ($Destination -eq $null) {
        $Destination = "Junk"
    }
    Compare-Object $Source $Destination -Property Name | Where-Object {$_.Name -Match $Computer -and $_.SideIndicator -eq "<="} | ForEach-Object {Copy-Item -Path $LocalTarget"\$($_.name)" -Destination $RemoteTarget1 -Force}
    if (-not $?) { 
        $ErrCopy1 = 8008
    }
    Else {
        $ErrCopy1 = 0
    } 
    $endCopyTime1 = Get-Date -Format $timeFormat
    If ([int]$ErrCopy1 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED!!" 
        $Body = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED" 
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }
    $startCopyTime2 = Get-Date -Format $timeFormat
    $Source = Get-ChildItem $LocalTarget
    If ($Source -eq $null) {
        $LocalTarget = "Junk"
    }
    $Destination = Get-ChildItem $RemoteTarget2
    If ($Destination -eq $null) {
        $Destination = "Junk"
    }
    Compare-Object $Source $Destination -Property Name | Where-Object {$_.Name -Match $Computer -and $_.SideIndicator -eq "<="} | ForEach-Object {Copy-Item -Path $LocalTarget"\$($_.name)" -Destination $RemoteTarget2 -Force}
    if (-not $?) { 
        $ErrCopy2 = 8008
    } 
    Else {
        $ErrCopy2 = 0
    }
    $endCopyTime2 = Get-Date -Format $timeFormat
    If ([int]$ErrCopy2 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED!!" 
        $Body = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED" 
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }
    $eventLogFileSize = (Get-Item $path | Measure-Object -property length -sum)
    $eventLogFileSize = "{0:N0}" -f ($eventLogFileSize.sum / 1MB)
    If ([int]$eventLogFileSize -ge 1000) {
        $Subject = "EventLog backup size greater than 1000MB on $Computer " 
        $Body = "EventLog size is: " + $eventLogFileSize + "MB"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }
    $Message = "Summary of Event Log Backup: `n`nBackupStartTime: $BackupStartTime `nBackupEndTime: $BackupEndTime `nErrBackup: $ErrBackup `nClearStartTime: $ClearStartTime `nClearEndTime: $ClearEndTime `nErrClear: $errClear `nStart Copy Time1: $startCopyTime1 `nEnd Copy Time1: $endCopyTime1 `nErrCopy1: $ErrCopy1 `nStart Copy Time2: $startCopyTime2 `nEnd Copy Time2: $endCopyTime2 `nErrCopy2: $ErrCopy2 `nEvent Log File Size MB: $eventLogFileSize"
    write-eventlog -logname Application -source BackupEventLog -eventID 1337 -entrytype Information -message $Message -category 1337
    $Subject = "Summary of Event Log Backup on $Computer " 
    $Body = $Message
    $smtp.send($Sender, $Recipients, $Subject, $Body)
    DeleteOldEventLogs
}
################################################################################################################################################################################################################################################
# *** Entry Point To Script ***
Clear-Host
$timeFormat = "HH:mm:ss"
$dateFormat = "yyMMdd"
$date = Get-Date -Format $dateFormat
$computer = $env:computerName
#
$smtp = new-object system.net.mail.smtpclient -argumentlist smtp.oholics.net
$Sender = "senderaccount@oholics.net"
$Recipients = "jon@oholics.net,helpdesk@oholics.net"
#
If (![system.diagnostics.eventlog]::SourceExists(“BackupEventLog”)) {
    [system.diagnostics.EventLog]::CreateEventSource(“BackupEventLog”, “Application”)
}
$LocalTarget = "C:\Event_Logs"
$RemoteTarget1 = "\\archive01.oholics.net\eventlogs$"
$RemoteTarget2 = "\\archive02.oholics.net\eventlogs$"
Get-BackUpFolder