managing auditing logs

inenewbl

Hi all. Currently my company's server has a lot of auditing enabled, which
makes the security log very big. Hence I would like to know if it's possible
to automate the task of copying the content of the security log to a separate
file before deleting the contents of the security log. The reason is that I
would like to automate this task every week so as to reduce the size of the
security log, as it would be very difficult to find audit events of a
particular day in a very huge security log file. If there are better ways of
managing the security logs or auditing, please share them with me. Thanks in
advance.
 
Re: managing auditing logs

Hello inenewbl,

It is possible; unfortunately I do not have the script at home. I can post it
tomorrow. It makes a daily backup to a folder and deletes the security log
content automatically. It runs as a scheduled task with a user account that
has special rights on all of my servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 
Re: managing auditing logs

Hello inenewbl,

Copy this into a text file, save it as .vbs (without the lines) and run it
on the machine as a scheduled task. For the output file you have to create
a folder, c:\SecurityLog in this case, and the user account should have modify
permission on this folder.

-----------------------------------------------------------------------------------------------

' The user account used for this script must have these rights/privileges:
'   Generate security audits
'   Back up files and directories
'   Log on as a batch job
'   Manage auditing and security log

' Date prefix for the backup file name, in the form YYYY-MM-DD-
strDate = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & _
    Right("0" & Day(Now), 2) & "-"
strComputer = "."

' Connect to WMI with the Backup and Security privileges enabled
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")

For Each objLogFile In colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\SecurityLog\" & strDate & "security.evt")
    ' Clear the log only if the backup succeeded (return value 0)
    If errBackupLog <> 0 Then
        WScript.Echo "The Security event log could not be backed up."
    Else
        objLogFile.ClearEventLog()
    End If
Next
-------------------------------------------------------------------------------------------------------


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

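The same archive-then-clear task in PowerShell, as an added example that is not part of the thread or of Microsoft's script: it backs up and clears in a single wevtutil call, then checks that the archive opens and records its SHA-256. Assumptions: the c:\SecurityLog folder from the post already exists, the task runs elevated, and the timestamped .evtx file name and the archives.sha256 sidecar file are names chosen for this example.

```powershell
# Added example (not from the thread). Run elevated as the scheduled-task account.
# Assumed names: the .evtx file naming and the archives.sha256 sidecar file.
$ErrorActionPreference = 'Stop'

$archiveDir = 'C:\SecurityLog'                      # folder named in the post
$stamp      = Get-Date -Format 'yyyy-MM-dd-HHmmss'  # time part avoids same-day name collisions
$archive    = Join-Path $archiveDir "$stamp-security.evtx"

if (-not (Test-Path -LiteralPath $archiveDir -PathType Container)) {
    throw "Archive folder $archiveDir does not exist; the log was not cleared."
}
if (Test-Path -LiteralPath $archive) {
    throw "$archive already exists; refusing to overwrite an earlier archive."
}

# Back up and clear with one command instead of two separate steps, between
# which new events could be written and then cleared without being archived.
& wevtutil.exe cl Security "/bu:$archive"
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil exited with code $LASTEXITCODE; check the log and the archive folder."
}

# Confirm the archive opens and holds at least one event. With
# ErrorActionPreference = Stop, an unreadable or empty file throws here.
$newest = Get-WinEvent -Path $archive -MaxEvents 1

# Record a SHA-256 of the archive so later tampering or corruption is detectable.
$hash = Get-FileHash -LiteralPath $archive -Algorithm SHA256
$line = '{0}  {1}' -f $hash.Hash, (Split-Path -Leaf $archive)
Add-Content -LiteralPath (Join-Path $archiveDir 'archives.sha256') -Value $line

# Each clear writes event ID 1102 ("The audit log was cleared") to the fresh
# Security log. Monitoring should expect it from this task's account at the
# scheduled time and treat any other 1102 as worth investigating.
Write-Output ("Archived Security log to {0} (newest event: {1:u})" -f $archive, $newest.TimeCreated)
```

Keeping the hash file and the archives on a volume the task account can write to but ordinary administrators cannot modify makes the integrity record more useful.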
 
Re: managing auditing logs

Hi Weber.
This is exactly what I need.
Thank you very much!!
Can I know what your reference materials are for learning scripting?
 
Re: managing auditing logs

Hello inenewbl,

I found this script on a website from MS and just modified it for my environment.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 
Re: managing auditing logs

Hello inenewbl,

Here I found it:
http://www.microsoft.com/technet/scriptcenter/guide/sas_log_pcna.mspx?mfr=true

and here is the complete Scripting guide:
http://www.microsoft.com/technet/scriptcenter/guide/sagsas_overview.mspx?mfr=true


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 