Script to save security event logs every 8 hours, with the date and time in the file name

  • Question

  • TechNet friends,

    I need a script that saves the security event logs of my Domain Controllers every, say, 8 hours (6 hours, 12 hours, whatever; I need to check carefully how often the logs get overwritten in Event Viewer), and that names the log file with the server name and the date and time the file was saved. Is that possible?

    Thanks in advance for the help.

    Regards to all.

    Friday, June 20, 2014 17:50

Answers

  • Edu,

    You saved the file as .BAT, but it is actually a VBScript (.VBS).

    Fábio de Paula Junior

    • Marked as answer by Edu_mith Wednesday, June 25, 2014 16:22
    Wednesday, June 25, 2014 13:49
    Moderator
  • Hey Edu,

    Note that besides saving it as .vbs, there are a few fields you have to change:

    strComputer="COMPUTER_NAME"

    objDir2="\\server\share\"& strComputer

    And there is a folder you have to create, or else change the line to the name of the folder where it will save:

    C:\EVT

    • Marked as answer by Edu_mith Wednesday, June 25, 2014 16:22
    Wednesday, June 25, 2014 15:35
  • Edu,

    Look at the function called dateStamp at the end of the script; I made some changes to it. See if it solves your case.

    Function dateStamp(ByVal dt)
        ' Builds a yyyymmdd_HHMM stamp from a date, zero-padding each part
        Dim y, m, d, Min, Hor
        y = Year(dt)
        m = Month(dt)
        If Len(m) = 1 Then m = "0" & m
        d = Day(dt)
        If Len(d) = 1 Then d = "0" & d
        Hor = Hour(dt)
        If Len(Hor) = 1 Then Hor = "0" & Hor
        Min = Minute(dt)
        If Len(Min) = 1 Then Min = "0" & Min
        dateStamp = y & m & d & "_" & Hor & Min
    End Function

    Fábio de Paula Junior

    • Marked as answer by Edu_mith Wednesday, June 25, 2014 19:13
    Wednesday, June 25, 2014 17:45
    Moderator
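As an added example (not code from the thread or from the linked Spiceworks scripts), the same archive routine the thread arrives at, written in PowerShell: the file name carries the server name and a yyyyMMdd_HHmm stamp with the same layout as the dateStamp function above, the export goes only to the network share, and the script can register itself as a scheduled task that repeats every 8 hours. The share path, the task name and the interval are assumptions; because the task runs as SYSTEM, the share ACL must grant the domain controller's computer account write access.

```powershell
# Added example, not from the thread. Exports the Security log of this server to a
# share as <server>_Security_<yyyyMMdd_HHmm>.evtx; with -RegisterTask it also creates
# a scheduled task (running as SYSTEM) that repeats the export every $Hours hours.
# Assumed values: $Share, the task name 'ArchiveSecurityLog' and $Hours.
param(
    [string]$Share   = '\\fileserver\evtlogs',  # assumption: destination share
    [string]$LogName = 'Security',
    [int]   $Hours   = 8,                        # assumption: archive interval
    [switch]$RegisterTask
)

if ($RegisterTask) {
    # Task Scheduler runs this same script file under the SYSTEM account.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Share `"$Share`" -Hours $Hours"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Hours $Hours)   # Server 2012 R2 also needs -RepetitionDuration
    Register-ScheduledTask -TaskName 'ArchiveSecurityLog' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    return
}

$server = $env:COMPUTERNAME
$stamp  = Get-Date -Format 'yyyyMMdd_HHmm'      # same layout as dateStamp in the thread
$dest   = Join-Path $Share $server               # one folder per server on the share
$file   = Join-Path $dest ('{0}_{1}_{2}.evtx' -f $server, $LogName, $stamp)
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

# Export without clearing the live log; the .evtx reopens in Event Viewer as-is.
& wevtutil.exe epl $LogName $file
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl $LogName failed with exit code $LASTEXITCODE" }

# Interval check: if the oldest record still in the log is younger than the archive
# interval, events were overwritten between two exports. Shorten the interval or grow
# the log (for example with wevtutil sl Security /ms:<bytes>) until this stops firing.
$oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1
$held   = (Get-Date) - $oldest.TimeCreated
if ($held.TotalHours -lt $Hours) {
    Write-Warning ('{0} holds only {1:N1} h of events; there are gaps between exports.' -f $LogName, $held.TotalHours)
}
```

Run it once with -RegisterTask from an elevated prompt; every later run from the task exports the log and warns when the current log no longer spans a full interval.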

All Replies

  • Edu,

    Good afternoon.

    I think the two links below can help you; you can put it in the Server's Task Scheduler to run at the intervals you want.

    http://community.spiceworks.com/scripts/show/466-event-log-archive-script

    http://community.spiceworks.com/scripts/show/117-archive-windows-events

    Friday, June 20, 2014 18:09
  • Hey gaúcho, good afternoon!

    So, I tested both scripts and unfortunately they did not run here... a bunch of errors came up... thanks for the help, buddy!

    Friday, June 20, 2014 19:24
  • And what would those errors be?

    Fábio de Paula Junior

    Friday, June 20, 2014 20:25
    Moderator
  • Fábio, good morning,

    Below are the errors that occur. Note that the script does not find the command and "breaks" at several prompts:

    C:\Temp>e.bat
     
    C:\Temp>'#======================================================================
    ========
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#======================================================================
    ========
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  SCRIPT.........:  logArchive.vbs
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  AUTHOR.........:  Joe Glessner
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  VERSION........:  1.0
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  DATE...........:  30JUL07
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  LICENSE........:  Freeware
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  REQUIREMENTS...:
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  DESCRIPTION....:  This script backs up all of the event logs on the
     
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                    designated computer, to the specified file server.
     
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                    Optionally this script can also clear the event lo
    gs once
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                    they are archived.
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  NOTES..........:
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  CUSTOMIZE......:  Make changes to the configuration section to custo
    mize for
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                    your environment.
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#======================================================================
    ========
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  REVISED BY.....:
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  EMAIL..........:
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  REVISION DATE..:
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  REVISION NOTES.:
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#======================================================================
    ========
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#======================================================================
    ========
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'**Start Encode**
    ''**Start' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#======================================================================
    ========
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  START OF SCRIPT
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#======================================================================
    ========
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'Option Explicit
    ''Option' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'On Error Resume Next
    ''On' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#----------------------------------------------------------------------
    ----
    ''#--------------------------------------------------------------------------' i
    s not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  SCRIPT CONFIGURATION SECTION
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#----------------------------------------------------------------------
    ----
    ''#--------------------------------------------------------------------------' i
    s not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  OPTIONS:
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#              strComputer = The name of the computer that generated th
    e
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                            event logs (e.g. fs01 - use "." for the lo
    cal
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                            machine (must use the actual computer name
     if
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                            UAC is turned on.
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#              objDir2 = The destination directory on the file server.
     
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#              clearEVTLogs = "No" does not clear the event logs. "Yes"
     
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                             will clear the event logs once the curren
    t
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#                             logs are archived.
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#----------------------------------------------------------------------
    ----
    ''#--------------------------------------------------------------------------' i
    s not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>Dim strComputer, objDir2
    'Dim' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>strComputer = "COMPUTER_NAME"
    'strComputer' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>objDir2 = "\\server\share\"   & strComputer
    'objDir2' is not recognized as an internal or external command,
    operable program or batch file.
    'strComputer' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>clearEVTLogs = "No"
    'clearEVTLogs' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#----------------------------------------------------------------------
    ----
    ''#--------------------------------------------------------------------------' i
    s not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  Define Remaining Variables
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#----------------------------------------------------------------------
    ----
    ''#--------------------------------------------------------------------------' i
    s not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>Dim current: current = Now
    'Dim' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>Dim strDateStamp: strDateStamp = dateStamp(current)
    'Dim' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>Dim objDir1: objDir1 = "\\"   & strComputer   & "\c$\EVT"
    'Dim' is not recognized as an internal or external command,
    operable program or batch file.
    'strComputer' is not recognized as an internal or external command,
    operable program or batch file.
    The system cannot find the path specified.
     
    C:\Temp>'#----------------------------------------------------------------------
    ----
    ''#--------------------------------------------------------------------------' i
    s not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#  Ensure that the scratch directory exists on the source computer.
    ''#' is not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>'#----------------------------------------------------------------------
    ----
    ''#--------------------------------------------------------------------------' i
    s not recognized as an internal or external command,
    operable program or batch file.
     
    C:\Temp>Set filesys=CreateObject("Scripting.FileSystemObject")
    Then was unexpected at this time.
     
    C:\Temp>    If Not filesys.FolderExists(objDir1) Then

    Regards and thanks.

    Wednesday, June 25, 2014 13:35
  • Fabio, Marcelo,

    It's true, forgive my mistake... I confused it with the second link, where the script is a .bat. The script is great, but I need to change it as follows:

    - It saves the file with only the date. If possible, I would need it to also save with the time it was run, because the logs, especially the security ones, get overwritten within the same day because of the number of events (since audit logs are included);

    - It saves the files both on the server itself and on a network path. For me, saving only to the network path (specifically on my file server) is enough.

    Is it hard to customize the script to make these changes?

    Thanks for your help!

    Regards.

    Wednesday, June 25, 2014 16:38
  • Fábio, how are you?

    Thanks for the reply! That's exactly it! Thanks!

    Regards!

    Wednesday, June 25, 2014 19:14