Script to first back up the Windows Security event log to a file, copy it to the archive share(s), and then clear the live log.
Param(
    # Host whose Security log is backed up. Note: the entry point at the bottom of the script
    # reassigns $computer to $env:computerName unconditionally, so the value passed here is
    # not the one Backup-Eventlog ends up using.
    $computer,
    # When present, the live Security log is cleared after a backup that reported success.
    [switch]$clear
)
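Function DeleteOldEventLogs {
    # Prune local backup files older than 7 days by running the external DELETEOLD.PS1 helper.
    # Globals read: none (paths are hard-coded below).
    # Outputs: whatever DELETEOLD.PS1 emits; the helper's own log is written to the -logfile path.
    $LogdateFormat = "dd-MM-yyyy"
    $Logdate = Get-Date -Format $LogdateFormat
    $CleanupScript = "C:\BackupScript\DELETEOLD.PS1"
    # File name kept exactly as in the original. "leanupLog_" looks like a typo for "CleanupLog_";
    # confirm nothing else expects this name before renaming it.
    $CleanupLog = "C:\Event_Logs\leanupLog_$Logdate.txt"
    # Call the helper directly with the call operator rather than Invoke-Expression on a
    # concatenated command string: each argument is passed as its own token and the text is
    # never re-parsed as PowerShell code.
    & $CleanupScript -folderpath C:\Event_Logs -fileage 7 -logfile $CleanupLog -verboselog
}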
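Function Get-BackUpFolder {
    # Ensure the local staging folder and both archive shares exist, then start the backup chain.
    # Globals read: $LocalTarget, $RemoteTarget1, $RemoteTarget2 (assigned at the entry point).
    # Side effects: creates any missing directory; calls Backup-Eventlog.
    # Order matches the original: local folder first, then archive 1, then archive 2.
    foreach ($target in @($LocalTarget, $RemoteTarget1, $RemoteTarget2)) {
        If (!(Test-Path $target)) {
            New-Item $target -type Directory -force | out-Null
        }
    }
    Backup-Eventlog
}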
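Function Backup-Eventlog {
    # Back up the Security log of $computer into $LocalTarget and, when -clear was given, clear the
    # live log only if the backup reported success. Then hand off to Copy-EventlogToArchive.
    # Globals read: $computer, $LocalTarget, $date, $timeFormat, $clear, $smtp, $Sender, $Recipients.
    # Variables assigned here ($path, $ErrBackup, $BackupStartTime, $BackupEndTime, $ClearStartTime,
    # $ClearEndTime, $errClear) are read by Copy-EventlogToArchive through PowerShell's dynamic
    # scoping; that only works because it is invoked from this function, so do not call it on its own.
    $Eventlog = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogfileName='Security'" -ComputerName $computer
    # The original appended "-f $Computer, $log.LogFileName" to this string. With no {n} placeholders
    # the format operator was a no-op and $log was never defined anywhere, so it is dropped.
    $path = "$LocalTarget\$computer`_Sec_$date.evtx"
    $BackupStartTime = Get-Date -Format $timeFormat
    # A ReturnValue of 0 is treated as success by the check below.
    $ErrBackup = ($Eventlog.BackupEventLog($path)).ReturnValue
    $BackupEndTime = Get-Date -Format $timeFormat
    if ($clear) {
        if ($ErrBackup -eq 0) {
            # NOTE(review): the live Security log is cleared here, before Copy-EventlogToArchive has
            # confirmed either archive copy. If both copies fail, the only remaining copy is the file
            # in $LocalTarget, which DeleteOldEventLogs prunes after 7 days.
            $ClearStartTime = Get-Date -Format $timeFormat
            $errClear = ($Eventlog.ClearEventLog()).ReturnValue
            $ClearEndTime = Get-Date -Format $timeFormat
        }
        else {
            # Never clear a log that has not been backed up; alert instead.
            $Subject = "Unable to clear event log because backup failed on $Computer "
            $Body = "Backup Error was " + $ErrBackup
            $smtp.send($Sender, $Recipients, $Subject, $Body)
        }
    }
    Copy-EventlogToArchive
}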
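Function Copy-EventlogToArchive {
    # Copy the backup files for $Computer from $LocalTarget to both archive shares, alert on copy
    # failures and on an oversize backup, then write and mail a summary and prune old local files.
    # Globals read: $LocalTarget, $RemoteTarget1, $RemoteTarget2, $Computer, $timeFormat, $smtp,
    # $Sender, $Recipients. Also reads $path, $BackupStartTime, $BackupEndTime, $ErrBackup,
    # $ClearStartTime, $ClearEndTime and $errClear from the calling Backup-Eventlog scope.
    # Side effects: copies files, sends mail, writes an Application event, calls DeleteOldEventLogs.

    # Archive 1
    $startCopyTime1 = Get-Date -Format $timeFormat
    $ErrCopy1 = Copy-NewBackupFiles -Target $RemoteTarget1
    $endCopyTime1 = Get-Date -Format $timeFormat
    If ([int]$ErrCopy1 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED!!"
        $Body = "EventLog backup copy to $RemoteTarget1 on $Computer FAILED"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    # Archive 2
    $startCopyTime2 = Get-Date -Format $timeFormat
    $ErrCopy2 = Copy-NewBackupFiles -Target $RemoteTarget2
    $endCopyTime2 = Get-Date -Format $timeFormat
    If ([int]$ErrCopy2 -ne 0) {
        $Subject = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED!!"
        $Body = "EventLog backup copy to $RemoteTarget2 on $Computer FAILED"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    # Size check on the backup file written by Backup-Eventlog ($path).
    $eventLogFileSize = (Get-Item $path | Measure-Object -property length -sum)
    # Compare the rounded MB figure as a number. The original cast the "N0"-formatted string back to
    # [int] for the comparison; that string carries thousands separators from 1,000 MB upward, which
    # is exactly the range the threshold is meant to catch. AwayFromZero matches "N0" rounding.
    $sizeMB = [math]::Round($eventLogFileSize.sum / 1MB, [System.MidpointRounding]::AwayFromZero)
    $eventLogFileSize = "{0:N0}" -f ($eventLogFileSize.sum / 1MB)
    If ($sizeMB -ge 1000) {
        $Subject = "EventLog backup size greater than 1000MB on $Computer "
        $Body = "EventLog size is: " + $eventLogFileSize + "MB"
        $smtp.send($Sender, $Recipients, $Subject, $Body)
    }

    # Summary: written to the Application log and mailed. Clear* fields are empty when -clear was
    # not given or the backup failed.
    $Message = "Summary of Event Log Backup: `n`nBackupStartTime: $BackupStartTime `nBackupEndTime: $BackupEndTime `nErrBackup: $ErrBackup `nClearStartTime: $ClearStartTime `nClearEndTime: $ClearEndTime `nErrClear: $errClear `nStart Copy Time1: $startCopyTime1 `nEnd Copy Time1: $endCopyTime1 `nErrCopy1: $ErrCopy1 `nStart Copy Time2: $startCopyTime2 `nEnd Copy Time2: $endCopyTime2 `nErrCopy2: $ErrCopy2 `nEvent Log File Size MB: $eventLogFileSize"
    write-eventlog -logname Application -source BackupEventLog -eventID 1337 -entrytype Information -message $Message -category 1337
    $Subject = "Summary of Event Log Backup on $Computer "
    $Body = $Message
    $smtp.send($Sender, $Recipients, $Subject, $Body)
    DeleteOldEventLogs
}

Function Copy-NewBackupFiles {
    # Copy every file in $LocalTarget whose name matches $Computer and that is not yet present in
    # $Target. Shared by the two archive passes above.
    # Arguments: -Target  destination folder (archive share).
    # Globals read: $LocalTarget, $Computer.
    # Returns: 0 on success, 8008 if the copy pipeline reported an error.
    Param($Target)
    $Source = Get-ChildItem $LocalTarget
    If ($Source -eq $null) {
        # Compare-Object needs a non-null reference object when the folder is empty. The original
        # intended this "Junk" placeholder for the listing but assigned it to $LocalTarget (the copy
        # source path) instead, which also broke the second archive pass; assign to $Source here.
        $Source = "Junk"
    }
    $Destination = Get-ChildItem $Target
    If ($Destination -eq $null) {
        $Destination = "Junk"
    }
    Compare-Object $Source $Destination -Property Name | Where-Object {$_.Name -Match $Computer -and $_.SideIndicator -eq "<="} | ForEach-Object {Copy-Item -Path $LocalTarget"\$($_.name)" -Destination $Target -Force}
    # NOTE(review): failure detection rests on $? of the whole pipeline, as in the original. Confirm
    # that a Copy-Item error raised inside ForEach-Object is reflected in $? on the PowerShell
    # version in use; if not, copy failures will be reported as success.
    if (-not $?) {
        return 8008
    }
    return 0
}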
################################################################################################################################################################################################################################################
# *** Entry Point To Script ***
# Sets the shared globals read by the functions above, registers the event source used for the
# summary event, then starts the chain Get-BackUpFolder -> Backup-Eventlog -> Copy-EventlogToArchive
# -> DeleteOldEventLogs.
Clear-Host
$timeFormat = "HH:mm:ss"
$dateFormat = "yyMMdd"
$date = Get-Date -Format $dateFormat
# Overrides the -computer parameter unconditionally, so the WMI call in Backup-Eventlog always
# targets the local machine.
$computer = $env:computerName
#
# As written, the SmtpClient has no credentials and EnableSsl is not set, so the summary mail —
# which records when the Security log was backed up and cleared — is sent unauthenticated and in
# the clear unless the relay itself enforces otherwise.
$smtp = new-object system.net.mail.smtpclient -argumentlist smtp.oholics.net
$Sender = "senderaccount@oholics.net"
$Recipients = "jon@oholics.net,helpdesk@oholics.net"
#
# Registers the source for the write-eventlog call in Copy-EventlogToArchive. Creating an event
# source typically requires administrative rights — confirm the account running this script has
# them. (Quotes on these two lines are typographic; PowerShell accepts them as string delimiters.)
If (![system.diagnostics.eventlog]::SourceExists(“BackupEventLog”)) {
[system.diagnostics.EventLog]::CreateEventSource(“BackupEventLog”, “Application”)
}
# Local staging folder and the two archive shares (hidden "$" shares).
$LocalTarget = "C:\Event_Logs"
$RemoteTarget1 = "\\archive01.oholics.net\eventlogs$"
$RemoteTarget2 = "\\archive02.oholics.net\eventlogs$"
Get-BackUpFolder