I had a requirement to create a script that backs up Event Logs as text and
monitors for specific events, emailing the results to a person.

This is what I've come up with so far... the only thing I haven't done yet
is query the event log before I clear it and somehow put the results in the
email body. Any help would be appreciated.

I realize this code isn't clean, but it's my first... so don't flame me too
bad =]

-Chris


' on error resume next

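' Take one snapshot of today's date and split it into its parts.
' Calling Date three times could straddle midnight and produce a
' day/month/year combination that never existed; the parts name the
' per-day audit folder and the email subject, so they must agree.
dtmToday = Date
dtmThisDay = Day(dtmToday)
dtmThisMonth = Month(dtmToday)
dtmThisYear = Year(dtmToday)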

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''' Declare what computers to execute this script upon''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''


' Input list: one workstation name per line.
' The name is relative, so it is resolved against the current directory
' of the process running the script.
' Every host named in this file has its event logs exported and then
' CLEARED further down, so the file should be writable only by the
' account that owns this audit job.
Const ForReading = 1
strFilename = "workstations.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextStream = objFSO.OpenTextFile(strFilename, ForReading)

' Network helper object; nothing in the visible script reads it.
Set objNet = WScript.CreateObject("WScript.Network")

' Start Loop

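' For every workstation listed in the input file: make sure its dated audit
' folder exists, dump the Application, Security and System logs to text, and
' clear each log ONLY after its dump finished without error.
'
' Changes from the original listing:
'   * statements that the mail client wrapped without a trailing "_" are
'     rejoined (the wrapped lines were syntax errors), and the half-commented
'     "Create audit files" section is dropped for the same reason;
'   * workstation names are trimmed and validated before they are used in a
'     folder path and in the WMI moniker;
'   * failures are handled per log, so one unreachable machine no longer stops
'     the run, and a failed dump never leads to a cleared log. Turning on a
'     script-wide "On Error Resume Next" instead would silently skip a failed
'     dump and then clear the log anyway, destroying the only copy;
'   * the ClearEventLog return code is checked and reported.
Do Until objTextStream.AtEndOfStream
    strComputer = Trim(objTextStream.ReadLine)

    If Len(strComputer) > 0 Then
        If IsSafeComputerName(strComputer) Then
            WScript.Echo "Working on Machine " & strComputer

            ' A failure here (for example Z: not mapped) affects every
            ' machine, so it is left to abort the script.
            strAuditDir = EnsureAuditFolder(strComputer)

            ExportAndClearLog strComputer, "Application", strAuditDir
            ExportAndClearLog strComputer, "Security", strAuditDir
            ExportAndClearLog strComputer, "System", strAuditDir
        Else
            WScript.Echo "Skipping invalid workstation entry: " & strComputer
        End If
    End If
Loop

objTextStream.Close


' Returns True when strName looks like a host name or IPv4 address.
' The name is concatenated into a folder path and into the WMI moniker, so
' path separators, "..", "!" and braces must not get through.
' NOTE(review): this allowlist also rejects IPv6 literals and unusual
' NetBIOS names; widen the pattern if the list needs them.
Function IsSafeComputerName(strName)
    Dim objRe
    Set objRe = New RegExp
    objRe.Pattern = "^[A-Za-z0-9][A-Za-z0-9._-]*$"
    IsSafeComputerName = objRe.Test(strName) And (InStr(strName, "..") = 0)
End Function


' Creates Z:\scripts\audits\<computer>\<M-D-YYYY> when missing and returns
' the dated folder path. Z:\scripts\audits itself must already exist.
Function EnsureAuditFolder(strComputer)
    Dim objFS, strMachineDir, strDayDir
    Set objFS = CreateObject("Scripting.FileSystemObject")

    strMachineDir = "Z:\scripts\audits\" & strComputer
    strDayDir = strMachineDir & "\" & dtmThisMonth & "-" & dtmThisDay & _
        "-" & dtmThisYear

    If Not objFS.FolderExists(strMachineDir) Then objFS.CreateFolder strMachineDir
    If Not objFS.FolderExists(strDayDir) Then objFS.CreateFolder strDayDir

    EnsureAuditFolder = strDayDir
End Function


' Connects to root\cimv2 on strComputer. The Security log needs the Backup
' and Security privileges enabled on the connection; the other logs use
' plain impersonation, as in the original script.
Function ConnectToWmi(strComputer, strLogName)
    Dim strSecurity
    If strLogName = "Security" Then
        strSecurity = "{impersonationLevel=impersonate,(Backup, Security)}"
    Else
        strSecurity = "{impersonationLevel=impersonate}"
    End If
    Set ConnectToWmi = GetObject("winmgmts:" & strSecurity & "!\\" _
        & strComputer & "\root\cimv2")
End Function


' Appends every event of strLogName to the text file strPath and returns the
' number of events written. No error handling here on purpose: any failure
' propagates to the caller, which then refuses to clear the log.
' NOTE(review): the file is opened in the default (ANSI) format; a message
' containing characters outside the ANSI code page may make WriteLine fail.
' Confirm, and consider opening the file as Unicode if that happens.
Function WriteEventsAsText(objWMI, strLogName, strPath)
    Dim objFS, objOut, colEvents, objEvent, lngCount

    Set colEvents = objWMI.ExecQuery _
        ("Select * from Win32_NTLogEvent " _
        & "Where Logfile = '" & strLogName & "'")

    Set objFS = CreateObject("Scripting.FileSystemObject")
    Set objOut = objFS.OpenTextFile(strPath, 8, True)   ' 8 = append, True = create if missing

    lngCount = 0
    For Each objEvent In colEvents
        objOut.WriteLine "==============================" & vbNewLine _
            & "Category: " & objEvent.Category & vbNewLine _
            & "Computer Name: " & objEvent.ComputerName & vbNewLine _
            & "Event Code: " & objEvent.EventCode & vbNewLine _
            & "Message: " & objEvent.Message & vbNewLine _
            & "Record Number: " & objEvent.RecordNumber & vbNewLine _
            & "Source Name: " & objEvent.SourceName & vbNewLine _
            & "Time Written: " & objEvent.TimeWritten & vbNewLine _
            & "Event Type: " & objEvent.Type & vbNewLine _
            & "User: " & objEvent.User
        lngCount = lngCount + 1
    Next

    objOut.Close
    WriteEventsAsText = lngCount
End Function


' Clears strLogName through Win32_NTEventLogFile and returns the last
' non-zero ClearEventLog return code, or 0 when every call succeeded.
Function ClearLog(objWMI, strLogName)
    Dim colLogFiles, objLogFile, lngResult

    ClearLog = 0
    Set colLogFiles = objWMI.ExecQuery _
        ("Select * from Win32_NTEventLogFile where LogFileName='" _
        & strLogName & "'")

    For Each objLogFile In colLogFiles
        lngResult = objLogFile.ClearEventLog()
        If lngResult <> 0 Then ClearLog = lngResult
    Next
End Function


' Dumps one log of one machine to <strAuditDir>\<LogName>Log.txt and clears
' it afterwards. Errors are caught here so the run continues with the next
' log or machine; a log whose dump failed is left untouched.
'
' NOTE(review): events written on the target between the query and the
' clear are deleted without ever being exported, and a cleared Security log
' is lost evidence if the text copy is later altered. ClearEventLog accepts
' an archive file name that saves the log in native format as part of the
' clear; consider using it and restricting write access to the audit share.
Sub ExportAndClearLog(strComputer, strLogName, strAuditDir)
    Dim objWMI, lngEvents, lngResult

    On Error Resume Next

    Set objWMI = ConnectToWmi(strComputer, strLogName)
    If Err.Number = 0 Then
        lngEvents = WriteEventsAsText(objWMI, strLogName, _
            strAuditDir & "\" & strLogName & "Log.txt")
    End If

    If Err.Number <> 0 Then
        WScript.Echo "  " & strLogName & " log on " & strComputer _
            & " NOT cleared, export failed: " & Err.Description
        Err.Clear
        Exit Sub
    End If

    lngResult = ClearLog(objWMI, strLogName)
    If Err.Number <> 0 Then
        WScript.Echo "  " & strLogName & " log on " & strComputer _
            & " exported (" & lngEvents & " events) but clear failed: " _
            & Err.Description
        Err.Clear
    ElseIf lngResult <> 0 Then
        WScript.Echo "  " & strLogName & " log on " & strComputer _
            & " exported (" & lngEvents & " events) but ClearEventLog returned " _
            & lngResult
    Else
        WScript.Echo "  " & strLogName & " log on " & strComputer _
            & " exported (" & lngEvents & " events) and cleared"
    End If
End Sub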


''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' '''''''''Email''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''



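' Send the "audits completed" notification through the SMTP relay.
' The Subject assignment was wrapped by the mail client without a trailing
' "_", which made it a syntax error; the continuation is restored here.
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "edit@edit.com"
objEmail.To = "edit@edit.com"
objEmail.Subject = "Audit Report for " & dtmThisMonth & "-" & dtmThisDay & _
    "-" & dtmThisYear

' NOTE(review): the body announces log-in failures, but nothing is appended
' after the heading yet; the failed-logon events still have to be collected
' while the Security log is being exported.
objEmail.Textbody = "Audits have been completed." & VBNewLine & VBNewLine _
    & "Here are the Log-in failures" & VBNewLine & VBNewLine

' NOTE(review): this sends over plain SMTP on port 25 with no authentication
' and no TLS, so audit findings placed in the body cross the network in
' clear text. The same CDO configuration namespace has smtpusessl and
' smtpauthenticate fields; enable them if the relay supports it.
strCdoConfig = "http://schemas.microsoft.com/cdo/configuration/"
With objEmail.Configuration.Fields
    .Item(strCdoConfig & "sendusing") = 2   ' 2 = deliver over the network to an SMTP server
    .Item(strCdoConfig & "smtpserver") = "edit.server.com"
    .Item(strCdoConfig & "smtpserverport") = 25
    .Update
End With

objEmail.Send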