8.11. Archiving an Event Log

Problem

You want to archive your event logs so you can retrieve them later if necessary.

Solution

Using a graphical user interface

  1. Open the Event Viewer (eventvwr.msc).

  2. In the left pane, right-click on the target event log and select Save Log File As.

  3. Browse to the location to save the file, enter a name for the file, and click Save.

Using a command-line interface

Using the wmic utility, you can call the BackupEventLog method of the Win32_NTEventlogFile class:

> wmic /node:"<ServerName>" nteventlog where "Logfilename = '<LogName>'" Call BackupEventLog "<FilePath>"

Here is an example of backing up the Application event log:

> wmic /node:"fs01" nteventlog where "Logfilename = 'Application'" Call BackupEventLog "E:\app_back.evt"

Using VBScript

' This code archives an event log to the specified file.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"                ' e.g., Application
strBackupFile = "<FileNameAndPath>" ' e.g., c:\app_back.evt
strServer = "<ServerName>"          ' e.g., fs01 (use "." for local server)
' ------ END CONFIGURATION ---------
set objWMI = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & _
    strServer & "\root\cimv2")
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
                               " Logfilename = '" & strLog & "'")
if colLogs.Count <> 1 then
   WScript.Echo "Fatal error. Number of logs found: " & colLogs.Count
   WScript.Quit
end if
for each objLog in colLogs
   objLog.BackupEventLog strBackupFile
   WScript.Echo ...
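
The same BackupEventLog call from Windows PowerShell 5.1, extended to check the method's return code and record a SHA-256 hash of the archive so that later tampering can be detected. This is an added example, not code from the book; the server, log name, archive directory, and the SHA256SUMS.txt file name are assumed values.

```powershell
# Added example (not from the book). Requires Windows PowerShell 5.1:
# Get-WmiObject is not available in PowerShell 7.
# All three values below are assumptions chosen for illustration.
$Server     = '.'               # "." = local server, as in the VBScript
$LogName    = 'Application'
$ArchiveDir = 'E:\LogArchive'   # path as seen by the target server

# Timestamped file name: BackupEventLog does not overwrite an existing
# archive (return code 80), and unique names keep earlier archives intact.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = '{0}\{1}_{2}.evt' -f $ArchiveDir, $LogName, $stamp

# -EnableAllPrivileges plays the role of "(Backup)" in the VBScript moniker.
$logs = @(Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $Server `
            -EnableAllPrivileges -Filter "LogFileName = '$LogName'")
if ($logs.Count -ne 1) {
    throw "Expected exactly one log named '$LogName', found $($logs.Count)."
}

# Call the method and translate its documented return values.
$result  = $logs[0].BackupEventLog($archive)
$meaning = switch ($result.ReturnValue) {
    0       { 'Success' }
    8       { 'Privilege missing' }
    21      { 'Invalid parameter' }
    80      { 'Archive file name already exists' }
    default { 'Other error' }
}
if ($result.ReturnValue -ne 0) {
    throw "BackupEventLog returned $($result.ReturnValue): $meaning"
}

# Hash the archive so its integrity can be verified later. Done only for
# the local server, where $archive is directly readable from this session.
if ($Server -eq '.') {
    $hash = Get-FileHash -Path $archive -Algorithm SHA256
    '{0}  {1}' -f $hash.Hash, $archive |
        Add-Content -Path "$ArchiveDir\SHA256SUMS.txt"
}
```

Keep the hash list somewhere other than the archive directory if the archives may later be used as evidence.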
