Script to first backup to file, copy to archive(s) and then clear Windows security event logs.
| Param( | |
| $computer, | |
| [switch]$clear | |
| ) | |
| Function DeleteOldEventLogs { | |
| # Clear old local log files - 7 days kept | |
| $LogdateFormat = "dd-MM-yyyy" | |
| $Logdate = Get-Date -Format $LogdateFormat | |
| $CleanupExec = "C:\BackupScript\DELETEOLD.PS1 -folderpath C:\Event_Logs -fileage 7 -logfile C:\Event_Logs\leanupLog_$Logdate.txt -verboselog" | |
| Invoke-Expression $CleanupExec | |
| } | |
| Function Get-BackUpFolder { | |
| If (!(Test-Path $LocalTarget)) { | |
| New-Item $LocalTarget -type Directory -force | out-Null | |
| } | |
| If (!(Test-Path $RemoteTarget1)) { | |
| New-Item $RemoteTarget1 -type Directory -force | out-Null | |
| } | |
| If (!(Test-Path $RemoteTarget2)) { | |
| New-Item $RemoteTarget2 -type Directory -force | out-Null | |
| } | |
| Backup-Eventlog | |
| } | |
| Function Backup-Eventlog { | |
| $Eventlog = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogfileName='Security'" -ComputerName $computer | |
| $path = "$LocalTarget\$computer`_Sec_$date.evtx" -f $Computer, $log.LogFileName | |
| $BackupStartTime = Get-Date -Format $timeFormat | |
| $ErrBackup = ($Eventlog.BackupEventLog($path)).ReturnValue | |
| $BackupEndTime = Get-Date -Format $timeFormat | |
| if ($clear) { | |
| if ($ErrBackup -eq 0) { | |
| $ClearStartTime = Get-Date -Format $timeFormat | |
| $errClear = ($Eventlog.ClearEventLog()).ReturnValue | |
| $ClearEndTime = Get-Date -Format $timeFormat | |
| } | |
| else { | |
| $Subject = "Unable to clear event log because backup failed on $Computer " | |
| $Body = "Backup Error was " + $ErrBackup | |
| $smtp.send($Sender, $Recipients, $Subject, $Body) | |
| } | |
| } | |
| Copy-EventlogToArchive | |
| } | |
| Function Copy-EventlogToArchive { | |
| $startCopyTime1 = Get-Date -Format $timeFormat | |
| $Source = Get-ChildItem $LocalTarget | |
| If ($Source -eq $null) { | |
| #Need to give a pseudo value to $LocalTarget and $RemoteTarget 1 & 2 of "Junk" if the folder is empty. If this is not done, compare-object fails.. | |
| $LocalTarget = "Junk" | |
| } | |
| $Destination = Get-ChildItem $RemoteTarget1 | |
| If ($Destination -eq $null) { | |
| $Destination = "Junk" | |
| } | |
| Compare-Object $Source $Destination -Property Name | Where-Object {$_.Name -Match $Computer -and $_.SideIndicator -eq "<="} | ForEach-Object {Copy-Item -Path $LocalTarget"\$($_.name)" -Destination $RemoteTarget1 -Force} | |
| if (-not $?) { | |
| $ErrCopy1 = 8008 | |
| } | |
| Else { | |
| $ErrCopy1 = 0 | |
| } | |
| $endCopyTime1 = Get-Date -Format $timeFormat | |
| If ([int]$ErrCopy1 -ne 0) { | |
| $Subject = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED!!" | |
| $Body = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED" | |
| $smtp.send($Sender, $Recipients, $Subject, $Body) | |
| } | |
| $startCopyTime2 = Get-Date -Format $timeFormat | |
| $Source = Get-ChildItem $LocalTarget | |
| If ($Source -eq $null) { | |
| $LocalTarget = "Junk" | |
| } | |
| $Destination = Get-ChildItem $RemoteTarget2 | |
| If ($Destination -eq $null) { | |
| $Destination = "Junk" | |
| } | |
| Compare-Object $Source $Destination -Property Name | Where-Object {$_.Name -Match $Computer -and $_.SideIndicator -eq "<="} | ForEach-Object {Copy-Item -Path $LocalTarget"\$($_.name)" -Destination $RemoteTarget2 -Force} | |
| if (-not $?) { | |
| $ErrCopy2 = 8008 | |
| } | |
| Else { | |
| $ErrCopy2 = 0 | |
| } | |
| $endCopyTime2 = Get-Date -Format $timeFormat | |
| If ([int]$ErrCopy2 -ne 0) { | |
| $Subject = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED!!" | |
| $Body = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED" | |
| $smtp.send($Sender, $Recipients, $Subject, $Body) | |
| } | |
| $eventLogFileSize = (Get-Item $path | Measure-Object -property length -sum) | |
| $eventLogFileSize = "{0:N0}" -f ($eventLogFileSize.sum / 1MB) | |
| If ([int]$eventLogFileSize -ge 1000) { | |
| $Subject = "EventLog backup size greater than 1000MB on $Computer " | |
| $Body = "EventLog size is: " + $eventLogFileSize + "MB" | |
| $smtp.send($Sender, $Recipients, $Subject, $Body) | |
| } | |
| $Message = "Summary of Event Log Backup: `n`nBackupStartTime: $BackupStartTime `nBackupEndTime: $BackupEndTime `nErrBackup: $ErrBackup `nClearStartTime: $ClearStartTime `nClearEndTime: $ClearEndTime `nErrClear: $errClear `nStart Copy Time1: $startCopyTime1 `nEnd Copy Time1: $endCopyTime1 `nErrCopy1: $ErrCopy1 `nStart Copy Time2: $startCopyTime2 `nEnd Copy Time2: $endCopyTime2 `nErrCopy2: $ErrCopy2 `nEvent Log File Size MB: $eventLogFileSize" | |
| write-eventlog -logname Application -source BackupEventLog -eventID 1337 -entrytype Information -message $Message -category 1337 | |
| $Subject = "Summary of Event Log Backup on $Computer " | |
| $Body = $Message | |
| $smtp.send($Sender, $Recipients, $Subject, $Body) | |
| DeleteOldEventLogs | |
| } | |
| ################################################################################################################################################################################################################################################ | |
| # *** Entry Point To Script *** | |
| Clear-Host | |
| $timeFormat = "HH:mm:ss" | |
| $dateFormat = "yyMMdd" | |
| $date = Get-Date -Format $dateFormat | |
| $computer = $env:computerName | |
| # | |
| $smtp = new-object system.net.mail.smtpclient -argumentlist smtp.oholics.net | |
| $Sender = "senderaccount@oholics.net" | |
| $Recipients = "jon@oholics.net,helpdesk@oholics.net" | |
| # | |
| If (![system.diagnostics.eventlog]::SourceExists(“BackupEventLog”)) { | |
| [system.diagnostics.EventLog]::CreateEventSource(“BackupEventLog”, “Application”) | |
| } | |
| $LocalTarget = "C:\Event_Logs" | |
| $RemoteTarget1 = "\\archive01.oholics.net\eventlogs$" | |
| $RemoteTarget2 = "\\archive02.oholics.net\eventlogs$" | |
| Get-BackUpFolder |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment