Moving Eventlogs to S3
This can also be done to any other remote location. In the code below I export as CSV; you could also move the logs as CAB files, but I prefer to be able to read the files natively without extracting them first. On most servers this runs as a scheduled task every hour because of how fast our Security logs fill up.
Here is a sample of "get-eventlog -list" output:
Max(K) Retain OverflowAction     Entries Log
------ ------ --------------     ------- ---
20,480      0 OverwriteAsNeeded       25 Application
20,480      0 OverwriteAsNeeded        0 HardwareEvents
   512      7 OverwriteOlder           0 Internet Explorer
20,480      0 OverwriteAsNeeded        0 Key Management Service
20,480      0 OverwriteAsNeeded  225,262 Security
20,480      0 OverwriteAsNeeded       45 System
15,360      0 OverwriteAsNeeded      450 Windows PowerShell
Actual code to back up the event logs
#####################
#
# Export all eventlogs as CSV
# Clears logs after export
#
#####################
# This gathers the list of available logs (not the log entries themselves)
$evLogs = Get-EventLog -List
$currentTime = Get-Date
# Explicit format strings: GetDateTimeFormats()[5] happens to be yyyy-MM-dd
# in the en-US culture, but the index depends on the culture
$thisDate = $currentTime.ToString("yyyy-MM-dd")
# get date/time information, zero-padded
$year  = $currentTime.ToString("yyyy")
$month = $currentTime.ToString("MM")
$day   = $currentTime.ToString("dd")
$hour  = $currentTime.ToString("HH")
$min   = $currentTime.ToString("mm")
try {
    if ((Test-Path "e:") -eq $false) {
        $rootDir = "c:\temp"
    } else {
        $rootDir = "e:\temp"
    }
    if ((Test-Path $rootDir) -eq $false) {
        mkdir $rootDir -Force | Out-Null
    }
    ## This is my target bucket
    $targetBucket = "s3://my-server-logs"
    $targetPrefix = $targetBucket + "/" + $env:COMPUTERNAME + "/" + $year + "/" + $month + "/" + $day
    foreach ($log in $evLogs) {
        if ($log.Entries.Count -gt 0) {
            $filename = $thisDate + "-" + $hour + $min + "-" + $log.Log + ".csv"
            $sourcefilename = $rootDir + "\" + $filename
            $targetfilename = $targetPrefix + "/" + $filename
            $events = Get-EventLog -LogName $log.Log
            # Export-Csv writes the CSV the filename promises (Export-Clixml would write XML)
            $events | Export-Csv -Path $sourcefilename -NoTypeInformation
            if (Test-Path $sourcefilename) {
                # Entries written between Get-EventLog and Clear-EventLog are lost,
                # and clearing the Security log itself records event ID 1102
                Clear-EventLog -LogName $log.Log
                aws s3 mv $sourcefilename $targetfilename
                if ($LASTEXITCODE -ne 0) {
                    Write-Warning "Upload of $sourcefilename failed; the file is left in $rootDir"
                }
            }
        }
    }
} catch {
    ## Put error catching here...
    Write-Error "Eventlog export failed: $_"
}
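A hardened variant of the same export-upload-clear loop, added here as an example and not the post's own script: it exports one log at a time as real CSV, uploads it with its SHA-256 stored as object metadata, and verifies the object in S3 before the local log is cleared, so a failed upload never costs the only copy. The bucket name, the local directory, and an AWS CLI on PATH with write access to the bucket are assumptions.

```powershell
# Added example (not the original post's script). Assumes the AWS CLI is on PATH
# with credentials that can write to the bucket; the bucket name is a placeholder.
function Export-EventLogToS3 {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Bucket,      # e.g. "my-server-logs" (placeholder)
        [string]$LocalDir = "$env:SystemDrive\temp"
    )
    $now      = Get-Date
    $stamp    = $now.ToString("yyyy-MM-dd-HHmm")    # explicit, culture-independent
    $datePath = "{0:yyyy}/{0:MM}/{0:dd}" -f $now
    $key      = "{0}/{1}/{2}-{3}.csv" -f $env:COMPUTERNAME, $datePath, $stamp, $LogName
    $local    = Join-Path $LocalDir ("{0}-{1}.csv" -f $stamp, $LogName)
    New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

    # Read the log once; the count is what we expect to find in the exported file.
    $events = @(Get-EventLog -LogName $LogName -ErrorAction Stop)
    if ($events.Count -eq 0) { return $null }
    # Export-Csv (not Export-Clixml) so the file really is CSV. ReplacementStrings is
    # joined explicitly because Export-Csv would flatten the array to "System.String[]".
    $events |
        Select-Object TimeGenerated, EntryType, EventID, Source, MachineName, UserName, Message,
            @{ n = 'ReplacementStrings'; e = { $_.ReplacementStrings -join '|' } } |
        Export-Csv -Path $local -NoTypeInformation -Encoding UTF8

    # Upload with server-side encryption and the file hash as object metadata,
    # so the copy in S3 can be checked against the hash later.
    $hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    aws s3 cp $local "s3://$Bucket/$key" --sse AES256 --metadata "sha256=$hash" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "upload of $local failed (exit code $LASTEXITCODE)" }

    # Verify the object exists and matches the local size before anything is cleared.
    $head = aws s3api head-object --bucket $Bucket --key $key --output json | ConvertFrom-Json
    $localSize = (Get-Item $local).Length
    if ($null -eq $head -or [int64]$head.ContentLength -ne $localSize) {
        throw "verification of s3://$Bucket/$key failed (remote $($head.ContentLength), local $localSize)"
    }

    # Only now clear the log. Entries written between Get-EventLog and Clear-EventLog
    # are lost, and clearing the Security log itself records event ID 1102.
    Clear-EventLog -LogName $LogName
    Remove-Item $local
    [pscustomobject]@{ Log = $LogName; Exported = $events.Count; Key = $key; Sha256 = $hash }
}

# Usage: one call per log that currently has entries.
Get-EventLog -List | Where-Object { $_.Entries.Count -gt 0 } |
    ForEach-Object { Export-EventLogToS3 -LogName $_.Log -Bucket "my-server-logs" }
```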