Security – Windows Server 2008: what is the proper way to export or back up the Security event log?

Tags: security, windows-event-log, windows-server-2008

Using WEVTUTIL.EXE to export the Windows Server 2008 Security event log, I get a permission problem (I have administrator privileges):

c:> wevtutil epl security test.evtx

"Failed to export log security. Access is denied."

I'm trying to write a script to back up and clear the Application, Security, Setup and System event logs. The Security log is the only one giving problems. How do I back up and clear it? I would like to know the "proper" way to do this, because I don't want to upset the security people (auditors, forensics, etc.).

Best Answer

Either by using Group Policy or the local policy on the machine, go to

Computer Configuration -> 
  Administrative Templates -> 
    Windows Components -> 
      Event Log Service -> 
         [Application|Security|Setup|System]

And configure the setting "Back up log automatically when full."

This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.

If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.

If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.

If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.

Then all your script needs to do is periodically harvest the directory for archived event log files and transfer them to your network share.
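A harvesting script of the kind the answer describes, as an added example that is not part of the original answer. It assumes the default log directory; the share and manifest paths are placeholders, and it hashes with .NET SHA-256 instead of Get-FileHash so it also runs on the PowerShell 2.0 that ships with Server 2008.

```powershell
# Added example, not from the original answer: collect the Archive-*.evtx files
# that "Back up log automatically when full" writes, copy them to a share, verify
# the copy, record the hash for auditors, and only then delete the local archive.
param(
    [string]$LogDir   = "$env:SystemRoot\System32\winevt\Logs",          # default location
    [string]$Share    = "\\logserver\evtx-archive\$env:COMPUTERNAME",    # assumed share path
    [string]$Manifest = "$env:ProgramData\evtx-harvest\manifest.csv"     # assumed manifest path
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $Share, (Split-Path $Manifest) | Out-Null

# SHA-256 via .NET so the script does not depend on Get-FileHash (PowerShell 4.0+).
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return [BitConverter]::ToString($hash).Replace('-', '')
}

# Auto-archived files are named Archive-<Log>-<timestamp>.evtx; take all four logs.
$archives = Get-ChildItem -Path $LogDir -Filter 'Archive-*.evtx' |
            Where-Object { $_.Name -match '^Archive-(Application|Security|Setup|System)-' }

foreach ($f in $archives) {
    $dest = Join-Path $Share $f.Name
    Copy-Item -Path $f.FullName -Destination $dest

    # Compare hashes before removing the local file, so a truncated network write
    # never costs you an archived log; the manifest gives auditors a chain of custody.
    $srcHash = Get-Sha256Hex $f.FullName
    $dstHash = Get-Sha256Hex $dest
    if ($srcHash -ne $dstHash) {
        Write-Warning "Hash mismatch for $($f.Name); leaving the local copy in place"
        continue
    }
    "$((Get-Date).ToString('o')),$($f.Name),$srcHash" | Add-Content -Path $Manifest
    Remove-Item -Path $f.FullName
}
```

Run it from a scheduled task under an account that can read the log directory and write to the share; the live Security.evtx itself is never touched, so the policy keeps appending to it.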