Remote collect .evtx security audit logs

-
Hello,
I'm wondering if anyone has ever posted a script such as this, and if so, wondering if you have a link to it.
Environment is a Server 2003 Ent DC backend and Windows 7 Ent workstations.
Looking for a script that would do the following:
1 - Can be be executed on a workstation through something like SCCM
2 - When it runs, collects the Security Audit Logs from each workstation and puts it on a network share location, appending the name of the workstation to the file name for easy identification
3 - Deletes the collected audit logs from the workstation once collected
I'm not broadly knowledgeable about scripting at all, and any help performing this operation would be greatly appreciated. I am trying to research this on the web but much of the information is not very clear to a non-script oriented person such as myself.
At one point we had a third party utility that did this and ran great on XP workstations, but the vendor has not updated it for the Windows 7 environment. Now we are stuck manually logging into workstations to collect audit logs which is very slow and painful.
Thanks in advance for any advice, tips or suggestions.
Answers
-
You could use the psloglist utility to get this done for Windows XP / 200x
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx
Regards Sivakarthi
- Marked as answer by Highspeedlane Thursday, July 25, 2013 12:00 AM
All replies
-
I recommend a couple of things:
1. Purchase a log management utility.
2. Hire a consultant to assist you in designing and implementing this.
3. Look here: http://gallery.technet.microsoft.com/
4. Start here: http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx
¯\_(ツ)_/¯
-
This works if you have Windows 7 or Server 2008:
This will archive the Security log file, append the computer name and date, then delete the log file on the computer:
>wevtutil cl Security /bu:\\path-to-network-share\%computername%_%date:~10,4%%date:~4,2%%date:~7,2%.evtx
XP and Server 2003 is substantially more complicated and above my ability to figure out how to script.
Now I have to get it to deploy using SCCM. It worked fine logged in with my domain admin account.
Thanks.
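The same collect-then-clear step as above, written as an added PowerShell example for Windows 7 (not code from the thread). It assumes a placeholder share \\fileserver\auditlogs$ that the workstation's computer account can write to, since SCCM runs the script as SYSTEM, and it exports and verifies the backup before clearing so a write failure on the share never coincides with a cleared log.

```powershell
# Added example, not from the thread: export the Security log to a share, verify the
# copy, then clear the local log. Placeholder: \\fileserver\auditlogs$ is an assumed
# share the workstation's computer account can write to (SCCM runs this as SYSTEM).
$Share = '\\fileserver\auditlogs$'

# Get-Date gives a fixed layout; %date:~10,4% style offsets break when a workstation's
# short-date format differs from the one the command was written for.
$Stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$Dest  = Join-Path $Share ('{0}_{1}.evtx' -f $env:COMPUTERNAME, $Stamp)

if (-not (Test-Path -Path $Share)) {
    Write-Error "Share $Share is not reachable; nothing was exported or cleared."
    exit 1
}

# Export first, as a separate step from the clear, so the backup can be checked
# before any local log data is removed.
& wevtutil.exe epl Security $Dest
if ($LASTEXITCODE -ne 0) {
    Write-Error "wevtutil epl failed with code $LASTEXITCODE; log left intact."
    exit $LASTEXITCODE
}

$Copy = Get-Item -Path $Dest -ErrorAction SilentlyContinue
if ($null -eq $Copy -or $Copy.Length -eq 0) {
    Write-Error "Backup $Dest is missing or empty; log left intact."
    exit 2
}

# Only now clear the local log. Windows records the clear itself as event 1102,
# which becomes the first entry of the fresh log and lets reviewers see when it happened.
& wevtutil.exe cl Security
if ($LASTEXITCODE -ne 0) {
    Write-Error "wevtutil cl failed with code $LASTEXITCODE; backup kept at $Dest."
    exit $LASTEXITCODE
}

# Append a manifest line so the share shows which host was collected, when, and how much.
$Line = '{0},{1},{2},{3}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Dest, $Copy.Length
Add-Content -Path (Join-Path $Share 'collection.log') -Value $Line
```

Events written between the export and the clear are not captured, so schedule the run at a quiet time or accept that small gap; the manifest and event 1102 give you the timestamps to bound it.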
-
-
You could use the psloglist utility to get this done for Windows XP / 200x
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx
Regards Sivakarthi
Hey thanks. That's going to come in handy!