Move Security Logs to Archive Point
<#
.DESCRIPTION
Move Security Logs to Archive Point
.REQUIREMENTS
1. Create Shares
Invoke-Command -ComputerName dc1,dc3,dc4,dc5,dc2 -ScriptBlock {
New-SmbShare Seclog$ -Path E:\Seclog -fullaccess "CONTOSO\Domain Admins"}
2. Copy script to DCs
Invoke-Command -ComputerName dc1,dc3,dc4,dc5,dc2 -ScriptBlock {
copy '\\dc1\c$\scripts\archiveSecLog.ps1' c:\scripts}
3. Create gMSA for the Scheduled Task
New-ADServiceAccount -name gMSASchTaskDC -DNSHostName dc1.contoso.com -PrincipalsAllowedToDelegateToAccount "Domain Controllers"
4. Set up the Scheduled Task (the -UserID must be the gMSA created in step 3, written with its trailing $)
Invoke-Command -ComputerName dc1,dc3,dc4,dc5,dc2 -ScriptBlock{
$action = New-ScheduledTaskAction -Execute "Powershell.exe" -Argument " -NoProfile -WindowStyle Hidden -command powershell c:\scripts\archiveSecLog.ps1"
$trigger = New-ScheduledTaskTrigger -At 9am -Daily -RandomDelay (New-TimeSpan -Hours 2)
$principal = New-ScheduledTaskPrincipal -UserID AD\gmsaTaskSchDC$ -LogonType Password -RunLevel Highest
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "SecLog" -Description "Daily Archive Seclog" -Principal $principal
Install-AdServiceAccount gMSATaskSchDC$}
5. Allow the gMSA to log on as a service and as a batch job
#>
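Function Write-Log
{
    <#
    .SYNOPSIS
    Appends one line to the archiver log file.
    .DESCRIPTION
    All positional arguments are joined with single spaces into one line, so a
    caller may pass the message in pieces (Write-Log "Deleting" $path) or as a
    single string. The target file is taken from $Logfile, which the caller
    (Archive-Logs sets $logFile in its own scope) makes visible here through
    PowerShell's dynamic scoping; if it is unset Add-Content reports a binding error.
    .PARAMETER logstring
    Message text; any further positional arguments are appended to it.
    #>
    Param (
        [Parameter(Position=0, ValueFromRemainingArguments=$true)]
        [string[]]$logstring
    )
    # The parameter used to be a single [string]; every call site in this file passes
    # several positional values, which then failed with "A positional parameter cannot
    # be found that accepts argument ..." and nothing was logged.
    $line = ($logstring -join ' ')
    Add-Content -Path $Logfile -Value $line
}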
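Function Archive-Logs{
    <#
    .SYNOPSIS
    Archives rotated Security event logs to a partner share and prunes old copies.
    .DESCRIPTION
    Rotated Security logs (Archive-Security-*.evtx in the event log folder) older
    than $intArchive days are prefixed with the local computer name, moved into the
    Transfer\ folder under $arcPath, zipped, and the zip is moved to $partnerServer.
    Files older than $intDelete days are removed from the event log folder and from
    $arcPath. The Transfer\ folder is emptied only after the zip has been moved
    successfully, so a failed transfer never destroys the only remaining copy of a
    log. Progress is appended to archiver.log in $arcPath through Write-Log.
    .PARAMETER partnerServer
    Destination path for the zipped logs, e.g. the UNC share created in the
    requirements (\\dc2\Seclog$). It is checked with Test-Path and used as the
    Move-Item destination, so a bare host name is not sufficient.
    .PARAMETER arcPath
    Local archive folder; must already contain a Transfer\ subfolder.
    .PARAMETER intArchive
    Age in days after which rotated logs are transferred (default 3).
    .PARAMETER intDelete
    Age in days after which local copies are deleted (default 90).
    .PARAMETER evtLogPath
    Folder holding the rotated event logs (default: System32\winevt\Logs under SystemRoot).
    .OUTPUTS
    None. Throws when a required path is missing or when the transfer to
    $partnerServer fails, so the scheduled task reports a failure instead of
    exiting with status 0.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(mandatory=$true,
                   HelpMessage="Path (e.g. UNC share) to transfer the zipped logs to", Position=0)]
        [String]$partnerServer,
        [String]$arcPath='E:\Seclog\',
        [int]$intArchive=3,
        [int]$intDelete=90,
        [String]$evtLogPath = (Join-Path $env:SystemRoot 'System32\winevt\Logs')
    )
    $forArchival = (Get-Date).AddDays(-$intArchive)   # Older than $intArchive days
    $forDeletion = (Get-Date).AddDays(-$intDelete)    # Older than $intDelete days
    # Join-Path accepts $arcPath with or without a trailing backslash.
    $logFile     = Join-Path $arcPath 'archiver.log'   # read by Write-Log as $Logfile via dynamic scope
    $transferDir = Join-Path $arcPath 'Transfer'
    # Only rotated Security logs are handled; the live Security.evtx and other channels are never touched.
    # Renamed copies (COMPUTERNAME-Archive-Security-...) match as well.
    $secLogPattern = 'Archive-Security'

    # Set-Content/Add-Content share one default encoding; mixing Out-File with
    # Add-Content produced a log whose two halves were in different encodings.
    Set-Content -Path $logFile -Value ("Archival date:" + $forArchival)
    Write-Log ("Deletion date:" + $forDeletion)

    # .NET 4.5 assembly for ZipFile (Compress-Archive only exists from PowerShell 5)
    Add-Type -AssemblyName "system.io.compression.filesystem"

    # Every required path must exist before anything is moved or deleted. A missing
    # path stops the run with an error; 'Exit' ended the whole session with status 0.
    foreach ($required in @($arcPath, $transferDir, $partnerServer, $evtLogPath)) {
        If (!(Test-Path $required)) {
            Write-Log ("Path not found: " + $required)
            throw "Path not found: $required"
        }
    }

    # Clear up the local archive folder. -File skips the Transfer directory (which
    # Remove-Item could not delete non-recursively) and archiver.log is kept.
    $delFiles = Get-ChildItem -Path $arcPath -File |
        Where-Object { $_.LastWriteTime -le $forDeletion -and $_.Name -ne 'archiver.log' }
    foreach ($fileToDel in $delFiles) {
        Write-Log ("Deleting " + $fileToDel.FullName)
        Remove-Item -LiteralPath $fileToDel.FullName
    }

    # Move rotated Security logs older than $intArchive days into the transfer folder,
    # prefixed with the computer name so logs from several DCs can share one archive.
    $arcFiles = Get-ChildItem -Path $evtLogPath -File |
        Where-Object { $_.LastWriteTime -le $forArchival -and $_.Name -match $secLogPattern }
    foreach ($fileToArc in $arcFiles) {
        $newName     = $env:COMPUTERNAME + "-" + $fileToArc.Name
        $destination = Join-Path $transferDir $newName
        Write-Log ("Moving " + $fileToArc.FullName + " to " + $destination)
        # Move-Item renames in the same step; a separate Rename-Item is not needed.
        Move-Item -LiteralPath $fileToArc.FullName -Destination $destination -ErrorAction Stop
    }

    # Clear up the local Security log folder. The same pattern is used as above; the
    # original filter ("rchiv-Se") could never match a rotated log name.
    $delEvtFiles = Get-ChildItem -Path $evtLogPath -File |
        Where-Object { $_.LastWriteTime -le $forDeletion -and $_.Name -match $secLogPattern }
    foreach ($evtFileToDel in $delEvtFiles) {
        Write-Log ("Deleting " + $evtFileToDel.FullName)
        Remove-Item -LiteralPath $evtFileToDel.FullName
    }

    # Zip the transfer folder and move the zip to the partner. Files left behind by an
    # earlier failed run are picked up again here, and the folder is emptied only after
    # Move-Item succeeds, so the logs are never deleted without a copy on the partner.
    Write-Log ("Checking for files to zip in " + $transferDir)
    $pending = @(Get-ChildItem -Path $transferDir -File)
    If ($pending.Count -gt 0) {
        # Name the zip after the newest log it contains, as before, plus a timestamp so
        # a rerun on the same day cannot collide with an existing zip (CreateFromDirectory
        # throws when the target exists). Join-Path avoids the doubled "\\" of the old name.
        $newest  = ($pending | Sort-Object LastWriteTime | Select-Object -Last 1).BaseName
        $zipName = $newest + '-' + (Get-Date -Format 'yyyyMMddHHmmss') + '.zip'
        $zipFile = Join-Path $arcPath $zipName
        Write-Log ("Compressing " + $transferDir + " to " + $zipFile)
        [IO.Compression.ZipFile]::CreateFromDirectory($transferDir, $zipFile)
        Write-Log ("Transferring zipped file to " + $partnerServer)
        try {
            Move-Item -LiteralPath $zipFile -Destination $partnerServer -ErrorAction Stop
        }
        catch {
            Write-Log ("Transfer failed, keeping files in " + $transferDir + ": " + $_.Exception.Message)
            throw
        }
        # Delete Security logs from the Transfer folder now that the zip is on the partner
        foreach ($transFileToDel in $pending) {
            Write-Log ("Deleting " + $transFileToDel.FullName)
            Remove-Item -LiteralPath $transFileToDel.FullName
        }
    }
    Else {
        Write-Log ("No files found in " + $transferDir)
    }
}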