Question

Summary: I'm working on a batch script file to backup Windows Event Logs to a mapped network drive. I used netlogon to establish the channel to the network drive every time the script runs. I want to backup the 'Application, Security, & System' logs specifically. I want to backup the logs every 60 days to the same directory but I do not want to overwrite existing log files with the same name. So I found that I can append the date to the individual log file-name. Once the desired logs are backed up, I want to clear the logs on the current computer.

Here is what I have so far:

I don't need much more than a command to backup the eventlogs every 60 days where they don't overwrite each other in the destination directory. I think I'll end up using the top script.

@echo off
net use y: \\server_name\shared_folder_name /USER:admin password /persistent:yes
wmic nteventlog where filename='application' backupeventlog C:\Users\Public\Desktop\Application.evt
wmic nteventlog where filename='security' backupeventlog C:\Users\Public\Desktop\Security.evt
wmic nteventlog where filename='system' backupeventlog C:\Users\Public\Desktop\System.evt
wmic nteventlog where filename='application' cleareventlog
wmic nteventlog where filename='system' cleareventlog
wmic nteventlog where filename='security' cleareventlog
exit

@echo off
REM /T together with /E copies only the directory tree, never the files, so the
REM three XCOPY lines below would back up nothing; /T is dropped here.
REM Copying the live .evtx files can also yield an inconsistent file while the
REM Event Log service is writing; wevtutil epl is the supported way to export.
XCOPY C:\Windows\System32\winevt\Logs\Application.evtx Y:\Analysis\Logs\ /Y /C
XCOPY C:\Windows\System32\winevt\Logs\Security.evtx Y:\Analysis\Logs\ /Y /C
XCOPY C:\Windows\System32\winevt\Logs\System.evtx Y:\Analysis\Logs\ /Y /C
REM Crude elevation check: the last line bcdedit prints when not elevated starts with "Access".
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
REM Clears every log wevtutil lists, not only the three copied above.
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
REM The original "echo goto theEnd" only printed the text and then fell through into
REM :do_clear with an empty argument; the jump and the missing label are restored here.
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo Not running elevated; no logs were cleared.
:theEnd
exit

Solution

Maybe schedule this every 60 days - it writes the files with a datestamp already.

@echo off
REM The share password is stored in cleartext in this script; running it as a scheduled
REM task under an account that already has access to the share avoids that. /persistent:yes
REM keeps the mapping across logons.
net use y: \\server_name\shared_folder_name /USER:admin password /persistent:yes

for /f "tokens=2 delims==" %%a in ('wmic OS Get localdatetime /value') do set "dt=%%a"
set "YY=%dt:~2,2%" & set "YYYY=%dt:~0,4%" & set "MM=%dt:~4,2%" & set "DD=%dt:~6,2%"
set "HH=%dt:~8,2%" & set "Min=%dt:~10,2%" & set "Sec=%dt:~12,2%"

set "datestamp=%YYYY%%MM%%DD%"
set "target=C:\Users\Public\Desktop"

REM As in the question, the backups land on the local Desktop; point "target" at a
REM folder on Y: to write them to the mapped share instead.
wmic nteventlog where filename='application' backupeventlog "%target%\Application-%datestamp%.evt"
wmic nteventlog where filename='security' backupeventlog "%target%\Security-%datestamp%.evt"
wmic nteventlog where filename='system' backupeventlog "%target%\System-%datestamp%.evt"
REM Only clear once all three backup files exist, so a failed backup never loses a log.
if not exist "%target%\Application-%datestamp%.evt" goto :eof
if not exist "%target%\Security-%datestamp%.evt" goto :eof
if not exist "%target%\System-%datestamp%.evt" goto :eof
wmic nteventlog where filename='application' cleareventlog
wmic nteventlog where filename='system' cleareventlog
wmic nteventlog where filename='security' cleareventlog
exit
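An added example, not the asker's or the answerer's script, that does what both scripts above aim for with wevtutil instead of wmic (which Microsoft has deprecated): it refuses to run unelevated, reaches the share by UNC path under the task's own account so no password is embedded, timestamps each file, and uses `wevtutil cl /bu:` so a log is cleared only after its backup has been written. The share path `\\server_name\shared_folder_name\Analysis\Logs`, the local staging folder `C:\EventLogBackup`, and the script path in the `schtasks` line are placeholders.

```batch
@echo off
setlocal EnableExtensions

REM Added example; not the asker's or the answerer's script.
REM Backs up and clears the Application, Security and System logs with wevtutil and
REM never clears a log whose backup did not succeed.
REM Placeholders (assumed): \\server_name\shared_folder_name\Analysis\Logs, C:\EventLogBackup,
REM and the script path below. To run it every 60 days:
REM   schtasks /create /tn EventLogBackup /tr "C:\Scripts\backup-eventlogs.cmd" /sc daily /mo 60 /ru SYSTEM /st 02:00

REM wevtutil cl needs elevation; "net session" only succeeds in an elevated shell.
net session >nul 2>&1
if errorlevel 1 (
    echo Must run elevated. Nothing was backed up or cleared.
    exit /b 1
)

REM UNC path instead of a drive letter: no "net use", no password in the script. Grant the
REM task's run-as account (the computer account, when run as SYSTEM) write access on the share.
set "target=\\server_name\shared_folder_name\Analysis\Logs"
set "staging=C:\EventLogBackup"
if not exist "%staging%\" mkdir "%staging%"
if not exist "%target%\" mkdir "%target%" 2>nul
if not exist "%target%\" (
    echo Backup share %target% is not reachable. Nothing was backed up or cleared.
    exit /b 1
)

REM Locale-independent timestamp with time of day, so two runs on one day do not collide.
for /f "usebackq delims=" %%a in (`powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"`) do set "stamp=%%a"
if not defined stamp (
    echo Could not build a timestamp. Nothing was backed up or cleared.
    exit /b 1
)

set "failed=0"
for %%L in (Application Security System) do call :backup_and_clear "%%L"
exit /b %failed%

:backup_and_clear
set "name=%~1-%stamp%.evtx"
if exist "%target%\%name%" (
    echo Refusing to overwrite existing backup %target%\%name%; %~1 not cleared.
    set "failed=1"
    goto :eof
)
REM The Event Log service, not this script, writes the backup file, so it goes to a local
REM folder first. /bu: writes the backup and clears the log only when that succeeded.
wevtutil cl %~1 /bu:"%staging%\%name%"
if errorlevel 1 (
    echo Backup of %~1 failed; log not cleared.
    set "failed=1"
    goto :eof
)
REM Move the finished file to the share from this session; if that fails the backup
REM is still on disk locally and the script says where.
move /Y "%staging%\%name%" "%target%\" >nul
if errorlevel 1 (
    echo %~1 was cleared but its backup is still in %staging%\%name%; copy it by hand.
    set "failed=1"
    goto :eof
)
echo %~1 backed up to %target%\%name% and cleared.
goto :eof
```

The two-stage write (local staging folder, then move) is deliberate: the backup is produced by the Event Log service rather than by the script's own logon session, so drive letters mapped in the script are not a reliable target for it, while the move runs in the script's session and can use the share directly. The script's exit code is non-zero if any log could not be backed up, moved, or cleared, which a scheduled task can surface in Task Scheduler history.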
Licensed under: CC-BY-SA with attribution