BradV
(Seasoned Scripter)
2012-09-07 03:12 PM
Backup system logs

OK, I've been avoiding this for a while, but need to get to it. :)

I have about 30 Windows 2008 R2 servers. I am in a security group at the domain level that is part of the local administrators group for each but I am not a domain admin. I need to come up with a mechanism to backup the security log to long term storage. The long term storage is an irix system. I have SSH Tectia Client installed on each Windows server and I have set up SSH so that I can scp to the long term storage.

I wrote a short script to just test backing up the security log. Just:

 Code:
; Back up the Security log to a file and report any error
$strFile="c:\temp\security.evt"
If BackupEventLog("security", $strFile)   ; non-zero return value is an error code
   ? @SERROR                              ; print the matching error text
EndIf


produces "A required privilege is not held by the client." I double checked and the security group that I am in is in the administrator's group. Any suggestions?

Quick note: I can backup the events from the computer management console.


NTDOC (Administrator)
(KiX Master)
2012-09-08 08:54 AM
Re: Backup system logs

Couple issues.

An ongoing backup run as a scheduled task probably should not use your own credentials, but regardless of which credentials are used, they probably need to be a member of the Backup Operators group on the server and run with elevated rights.



BradV
(Seasoned Scripter)
2012-09-10 12:27 PM
Re: Backup system logs

Yes, that is one of the difficult tasks. I have to create a system account that can run the BackupEventLog and ClearEventLog functions, and I also need to create an RSA key for it. The RSA key is used to transfer the backups to the IRIX system. Still working on it. :)
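As an added example, not code from this thread or from KiXtart, here is a PowerShell pre-flight for the same job: it checks that the task's token is elevated and actually holds the privileges the backup call needs (the cause of the "required privilege is not held" error when an Administrators member runs non-elevated under UAC), then exports the log with the built-in wevtutil. $LogName and $Dest are placeholder parameters.

```powershell
# Added example, not the thread's code: pre-flight checks before an
# event-log backup task, then the export itself with the built-in wevtutil.
# $LogName and $Dest are placeholder parameters; adjust for your servers.
param(
    [string]$LogName = 'Security',
    [string]$Dest    = 'C:\temp\security.evtx'
)

# 1. Elevation: under UAC a member of Administrators runs with a filtered
#    token unless the process is elevated (or the task runs with highest
#    privileges), and the filtered token carries no backup privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Privileges: BackupEventLog needs SeBackupPrivilege, and the Security
#    log additionally needs SeSecurityPrivilege. "whoami /priv" lists the
#    privileges present in the current token (enabled or not).
$held = @{}
foreach ($row in (whoami /priv /fo csv | ConvertFrom-Csv)) {
    $held[$row.'Privilege Name'] = $row.State
}
$needed  = 'SeBackupPrivilege', 'SeSecurityPrivilege'
$missing = @($needed | Where-Object { -not $held.ContainsKey($_) })

if (-not $elevated -or $missing.Count -gt 0) {
    Write-Error ("Cannot back up {0}: elevated={1}, missing privileges: {2}" -f `
        $LogName, $elevated, ($missing -join ', '))
    exit 1
}

# 3. Export. On 2008 R2 the archive format is .evtx; /ow:true overwrites a
#    stale copy from a previous run. To back up and clear in one step, as
#    the BackupEventLog/ClearEventLog pair does, use instead:
#    wevtutil cl $LogName /bu:$Dest
wevtutil epl $LogName $Dest /ow:true
if ($LASTEXITCODE -ne 0) {
    Write-Error "wevtutil epl failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# 4. Hash the archive (PowerShell 2.0 compatible, no Get-FileHash) so the
#    copy on the IRIX side can be verified after the scp transfer.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($Dest)
try     { $digest = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $stream.Close() }
"$digest  $(Split-Path $Dest -Leaf)" | Out-File -Encoding ascii ($Dest + '.sha256')
```

Run it from the scheduled task with "Run with highest privileges" set; the same check run interactively from a non-elevated prompt reports the missing privileges rather than failing inside the export.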

Glenn Barnas (Administrator)
(KiX Supporter)
2012-09-11 01:35 AM
Re: Backup system logs

Brad,

I have a logMaint utility that can run as a system service via SrvAny. I use it to dump my event logs on all servers every night, leaving 30 days of logs locally. It can call a command on completion, so a simple SCP command would give you what you need without local account issues.

Running as a system service eliminates scheduled tasks, user accounts, etc. The single service can be configured to manage dozens of logs. On my web servers, it dumps the event logs nightly, deletes old web files after 60 days, and mail transaction logs after 30 days (and does it for multiple web/mail services).

The same code can run via the system scheduler to perform a single log cleanup.

It can run a command, stop a service, move the log to an archive name or folder, delete expired archived logs, start the service, then run another command if needed. It can archive by renaming, moving to a folder, or moving to a ZIP file. Each of these options is configurable on a per log basis.

PM me if you are interested in this.

Glenn