I'm wondering if anyone has ever posted a script such as this, and if so, wondering if you have a link to it.
Environment is a Server 2003 Ent DC backend and Windows 7 Ent workstations.
Looking for a script that would do the following:
1 - Can be executed on a workstation through something like SCCM
2 - When it runs, collects the Security Audit Logs from each workstation and puts it on a network share location, appending the name of the workstation to the file name for easy identification
3 - Deletes the collected audit logs from the workstation once collected
I'm not broadly knowledgeable about scripting at all, and any help performing this operation would be greatly appreciated. I am trying to research this on the web but much of the information is not very clear to a non-script oriented person such as myself.
At one point we had a third party utility that did this and ran great on XP workstations, but the vendor has not updated it for the Windows 7 environment. Now we are stuck manually logging into workstations to collect audit logs which is very slow and painful.
Thanks in advance for any advice, tips or suggestions.
I recommend a couple of things:
1. Purchase a log management utility.
2. Hire a consultant to assist you in designing and implementing this.
3. Look here: http://gallery.technet.microsoft.com/
4. Start here: http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx
This works if you have Windows 7 or Server 2008:
This will archive the Security log file, append the computer name and date, then delete the log file on the computer:
>wevtutil cl Security /bu:\\path-to-network-share\%computername%_%date:~10,4%%date:~4,2%%date:~7,2%.evtx
XP and Server 2003 are substantially more complicated and above my ability to figure out how to script.
Now I have to get it to deploy using SCCM. It worked fine logged in with my domain admin account.
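A PowerShell variant of the wevtutil one-liner above, added here as an example and not taken from any post in this thread: it backs up and clears the Security log to a local staging folder in one wevtutil call, then copies the archive to the share and deletes the local copy only after the sizes match. The staging folder name is hypothetical, the share path is the thread's placeholder, and it assumes the account the SCCM job runs under (by default the workstation's computer account, not a domain admin) has write access to the share.

```powershell
# Added example. $Share is the placeholder path from the thread;
# $Staging is a hypothetical local folder chosen for illustration.
$Share   = '\\path-to-network-share'
$Staging = Join-Path $env:ProgramData 'AuditLogStaging'

# Get-Date yields a fixed yyyyMMdd_HHmmss stamp regardless of regional
# settings, unlike %date% substring offsets in cmd.exe.
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$name  = '{0}_{1}.evtx' -f $env:COMPUTERNAME, $stamp
$local = Join-Path $Staging $name

if (-not (Test-Path $Staging)) {
    New-Item -ItemType Directory -Path $Staging | Out-Null
}

# Back up and clear in a single operation, to local disk, so the archive
# does not depend on the network being reachable at that moment.
& wevtutil.exe cl Security "/bu:$local"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $local)) {
    Write-Error "wevtutil failed (exit code $LASTEXITCODE); Security log was not archived."
    exit 1
}

# Upload every archive in staging, including leftovers from earlier runs
# whose copy to the share failed.
$failed = 0
foreach ($f in Get-ChildItem -Path $Staging -Filter '*.evtx') {
    $dest = "$Share\$($f.Name)"
    try {
        Copy-Item -Path $f.FullName -Destination $dest -ErrorAction Stop
        # Remove the local copy only when the remote file has the same size.
        if ((Get-Item $dest -ErrorAction Stop).Length -eq $f.Length) {
            Remove-Item $f.FullName
        } else {
            Write-Warning "Size mismatch for $($f.Name); local copy kept."
            $failed++
        }
    } catch {
        Write-Warning "Upload of $($f.Name) failed: $_"
        $failed++
    }
}

# Non-zero exit code lets the deployment tool report the run as failed.
exit $failed
```

Archives that could not be uploaded stay in the staging folder and are retried on the next run.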
You could use the psloglist utility to get this done for Windows XP / 200x
Hey thanks. That's going to come in handy!