Backup NT Security Log

TheMSsForum.com: The Microsoft Software Forum

I am trying to use the below script to backup, compress and ship the
local security log using MOM 2005. If I don't add in the compress
logic it works fine. Can you one assist me? I want to accomplish two
things that are not in the script by defult: compression and adding
the time to the file name. Please ignore any references to MOM within
the script.

Original script came from Andrzej's @ http://blogs.technet.com/alipka/archive/2006/04/09/424757.aspx

Thanks for your time and help in this matter.

strComputer = "."
'place for temporary storage of backed up logs
strLogTempPlace = ScriptContext.Parameters.Get("LogTemp")
'server SMB share to which you want to transfer backed up logs (MOM
agent action account mast have write permissions on NTFs and share
level
strLogDestPlace = ScriptContext.Parameters.Get("LogDest")
strError = 1
strInformational = 4
strEventMessage = "Backup of EventLogs has been done to files:"

intEventErrorID = 112
intEventTypeError = 1
intEventTypeSuccess = 0
strEventSrc = "Backup Logs Script"

strYear = DatePart("yyyy",DateAdd("d",-1,Date))
strMonth = DatePart("m",DateAdd("d",-1,Date))
If Len(strMonth) = 1 Then strMonth = "0" & strMonth
strDay = DatePart("d",DateAdd("d",-1,Date))
If Len(strDay) = 1 Then strDay = "0" & strDay

Set objWMIService = GetObject("winmgmts:
{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer &
"\root\cimv2")

' Check computer name
Set colName = objWMIService.ExecQuery("Select * from
Win32_ComputerSystem")
For Each objName in colName
strCompName = objName.Name
Next

' get event logs
Set colLogFiles = objWMIService.ExecQuery("Select * from
Win32_NTEventLogFile where LogFileName='Security'")

For Each objLogfile in colLogFiles

' create file name
strFileName = strCompName & "_" & Left(objLogfile.LogfileName,3) &
strYear & strMonth & strDay & ".evt"

' copy logs to file
errBackupLog = objLogFile.BackupEventLog(strLogTempPlace &
strFileName)

If errBackupLog <> 0 Then
CreateEvent intEventErrorID, intEventTypeError, strEventSrc, "Can
not back up " & objLogfile.LogfileName & " EventLog." & "Check server
for errors."
ScriptContext.Quit
Else
strEventMessage = strEventMessage & Chr(13) & strFileName
objLogFile.ClearEventLog()
End If
Next

set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set objFile = objWMI.Get("Cim_Datafile='" & strCompName & "_*" &
strYear & strMonth & strDay & ".evt" & "'")
WScript.Echo objFile.Name
intRC = objFile.Compress

If strLogDestPlace <> "" Then
Set fso = CreateObject("Scripting.FileSystemObject")
fso.MoveFile strLogTempPlace & strCompName & "_*" & strYear &
strMonth & strDay & ".evt", strLogDestPlace
strEventMessage = strEventMessage & chr(13) & "Logs are copied to "
& strLogDestPlace
End If

'generate MOM event
CreateEvent intEventErrorID, intEventTypeSuccess, strEventSrc,
strEventMessage

'event create subroutine
Sub
CreateEvent(intEventNumber,intEventType,strEventSource,strEventMessage)
Set objEvent = ScriptContext.CreateEvent()
objEvent.EventNumber = intEventNumber
objEvent.EventType = intEventType
objEvent.EventSource = strEventSource
objEvent.Message = strEventMessage
ScriptContext.Submit objEvent
End Sub
Top

RE: Backup NT Security Log by urkec

urkec
Thu May 10 10:34:00 CDT 2007

You need two backslashes in your path to use with objWMI.Get, you can use
Replace function for that.

You already have a variable with the file name so you can use something like
this

strLogTempPlace = Replace (strLogTempPlace, "\", "\\")
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set objFile = objWMI.Get("Cim_Datafile.Name='" & strLogTempPlace&
strFileName & "'")
WScript.Echo objFile.Name
intRC = objFile.Compress

With Get function you need to use Cim.Datafile.Name = Path & File Name.

Hope this helps.


--
urkec


"dnwurtz@gmail.com" wrote:

> I am trying to use the below script to backup, compress and ship the
> local security log using MOM 2005. If I don't add in the compress
> logic it works fine. Can you one assist me? I want to accomplish two
> things that are not in the script by defult: compression and adding
> the time to the file name. Please ignore any references to MOM within
> the script.
>
> Original script came from Andrzej's @ http://blogs.technet.com/alipka/archive/2006/04/09/424757.aspx
>
> Thanks for your time and help in this matter.
>
> strComputer = "."
> 'place for temporary storage of backed up logs
> strLogTempPlace = ScriptContext.Parameters.Get("LogTemp")
> 'server SMB share to which you want to transfer backed up logs (MOM
> agent action account mast have write permissions on NTFs and share
> level
> strLogDestPlace = ScriptContext.Parameters.Get("LogDest")
> strError = 1
> strInformational = 4
> strEventMessage = "Backup of EventLogs has been done to files:"
>
> intEventErrorID = 112
> intEventTypeError = 1
> intEventTypeSuccess = 0
> strEventSrc = "Backup Logs Script"
>
> strYear = DatePart("yyyy",DateAdd("d",-1,Date))
> strMonth = DatePart("m",DateAdd("d",-1,Date))
> If Len(strMonth) = 1 Then strMonth = "0" & strMonth
> strDay = DatePart("d",DateAdd("d",-1,Date))
> If Len(strDay) = 1 Then strDay = "0" & strDay
>
> Set objWMIService = GetObject("winmgmts:
> {impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer &
> "\root\cimv2")
>
> ' Check computer name
> Set colName = objWMIService.ExecQuery("Select * from
> Win32_ComputerSystem")
> For Each objName in colName
> strCompName = objName.Name
> Next
>
> ' get event logs
> Set colLogFiles = objWMIService.ExecQuery("Select * from
> Win32_NTEventLogFile where LogFileName='Security'")
>
> For Each objLogfile in colLogFiles
>
> ' create file name
> strFileName = strCompName & "_" & Left(objLogfile.LogfileName,3) &
> strYear & strMonth & strDay & ".evt"
>
> ' copy logs to file
> errBackupLog = objLogFile.BackupEventLog(strLogTempPlace &
> strFileName)
>
> If errBackupLog <> 0 Then
> CreateEvent intEventErrorID, intEventTypeError, strEventSrc, "Can
> not back up " & objLogfile.LogfileName & " EventLog." & "Check server
> for errors."
> ScriptContext.Quit
> Else
> strEventMessage = strEventMessage & Chr(13) & strFileName
> objLogFile.ClearEventLog()
> End If
> Next
>
> set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
> set objFile = objWMI.Get("Cim_Datafile='" & strCompName & "_*" &
> strYear & strMonth & strDay & ".evt" & "'")
> WScript.Echo objFile.Name
> intRC = objFile.Compress
>
> If strLogDestPlace <> "" Then
> Set fso = CreateObject("Scripting.FileSystemObject")
> fso.MoveFile strLogTempPlace & strCompName & "_*" & strYear &
> strMonth & strDay & ".evt", strLogDestPlace
> strEventMessage = strEventMessage & chr(13) & "Logs are copied to "
> & strLogDestPlace
> End If
>
> 'generate MOM event
> CreateEvent intEventErrorID, intEventTypeSuccess, strEventSrc,
> strEventMessage
>
> 'event create subroutine
> Sub
> CreateEvent(intEventNumber,intEventType,strEventSource,strEventMessage)
> Set objEvent = ScriptContext.CreateEvent()
> objEvent.EventNumber = intEventNumber
> objEvent.EventType = intEventType
> objEvent.EventSource = strEventSource
> objEvent.Message = strEventMessage
> ScriptContext.Submit objEvent
> End Sub
>
>
Top