Backing Up and Clearing Event Logs

Microsoft® Windows® 2000 Scripting Guide

Event logs maintain a historical record of important events that occur on a computer. These records should be archived, at least temporarily, to help you carry out tasks such as troubleshooting problems (when did the first instance of X occur?) or capacity planning (how does the number of Ys occurring this month compare with the number of Ys that occurred last month?).

The most efficient way to archive event log records is to routinely back up and then clear these logs. Backing up the logs before clearing them ensures that the records will be available if you ever need them; clearing the event logs keeps those logs to a manageable size. Clearing the event logs also ensures that all events will be recorded. If you do not clear the event log before it reaches its maximum size, it either stops recording any new events or starts overwriting older events, depending on how the log has been configured. As a result, events will either be overwritten, and thus lost, or never recorded in the first place.

Note

  • When you clear an event log, the operating system does not delete the previous event log file. Instead, Windows creates a new 64 KB log file that replaces the old log file. (The new log file is placed on exactly the same sectors of the disk drive as the old log file.) Because the disk drive sectors are overwritten and filled with new information, you cannot retrieve records from a cleared event log using an undelete tool.

Before you clear an event log, it is a good idea to create a backup of that log. WMI provides a method for backing up event logs. However, this method comes with two important stipulations. For one, you must use the proprietary event log binary log format. To archive event logs in plain-text format, you need to create a query to extract the records and then write the extracted information to a text file.
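The plain-text archive just described (a query that extracts the records and writes them to a text file) can be done as follows. This is an added example and not code from the Scripting Guide: it is a Windows PowerShell script that queries Win32_NTLogEvent for a single log and writes the records to a CSV file, the same WMI classes the guide uses but driven from PowerShell rather than VBScript. It relies on Get-WmiObject, which exists in Windows PowerShell 3.0 and later (but not in PowerShell 7); the output directory C:\scripts is an assumption.

```powershell
# Added example (not from the Scripting Guide): export one event log as plain text
# by querying Win32_NTLogEvent and writing the records to CSV.
# Assumptions: C:\scripts exists; the caller may read the chosen log.

$ComputerName = "."
$LogName      = "Application"
$OutFile      = "C:\scripts\$LogName-export.csv"     # assumed path

# WQL query restricted to one log. "Logfile" is the Win32_NTLogEvent property
# that names the log (LogFileName is the property on Win32_NTEventLogFile).
$query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='$LogName'"

# -EnableAllPrivileges enables the Backup and Security privileges in the token,
# the PowerShell counterpart of "(Backup, Security)" in a VBScript moniker.
# Only the Security log actually needs the Security privilege.
$events = Get-WmiObject -ComputerName $ComputerName -Query $query -EnableAllPrivileges

# Convert the WMI DMTF timestamp (yyyymmddHHMMSS.ffffff+UUU) to a DateTime and
# keep the fields a troubleshooter or capacity planner needs, one line per record.
$records = foreach ($e in $events) {
    [PSCustomObject]@{
        TimeGenerated = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
        Log           = $e.Logfile
        RecordNumber  = $e.RecordNumber
        EventCode     = $e.EventCode
        Type          = $e.Type
        Source        = $e.SourceName
        Computer      = $e.ComputerName
        User          = $e.User
        Message       = ($e.Message -replace "[\r\n]+", " ")
    }
}

$records | Sort-Object RecordNumber |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("{0} records from the {1} log written to {2}" -f @($records).Count, $LogName, $OutFile)
```

Treat the CSV as an analysis copy, not as a replacement for the binary backup: unlike a file produced by BackupEventLog, a text file can be edited after the fact, so the .evt remains the authoritative archive. On a large log this query is slow because WMI materializes every record; narrowing the Where clause (for example by EventType or TimeGenerated) keeps it manageable.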

In addition, you must make backups to the local computer; you cannot save a backup of the event logs on Computer A to Computer B. Backups are implemented by using the LocalSystem account, which does not have the network credentials necessary to access remote computers. If you want to save backups to a central repository, modify the script to first perform the backup, and then move the backup file to the central repository.

A technical note on backing up event logs

Event logs must be backed up separately from any other system files. Although a regular system backup can copy the event log files, the copied event log files will be unusable. If you attempt to open an event log file that has been copied or backed up by using any means other than the Event Log Backup Application Programming Interface (API), you receive an error message stating that the event log file is corrupt.

This error message is the result of a unique characteristic of event log files. When a computer starts, the Event service changes several bits in each event log file header. These changed bits indicate that the event log file is open, and they prevent applications, including backup programs, from accessing the event log file. If you copy an event log file by using the Copy command or a standard backup program, the copied event log file includes these changed bits. If you then try to open the copied file, you receive a message that the event log is corrupt.

Despite the changed bits, you can use Event Viewer to work with the event log files, but only because it does not try to open the event log file itself. Instead, Event Viewer uses the Event service and the Event Logging API to open the event log files.

However, this does not completely solve the problem. The Event service and the Event Logging API open only the live event logs; for an archived (backup) event log file, Event Viewer must read the file directly. If the backup file was not produced by the Event Log Backup API, its header still carries the bits marking the file as open, and any attempt to open it fails.

When you use the Event Log Backup method, these header bits are changed to indicate that the file is closed, giving Event Viewer access to the data.
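The header bits the note describes can be inspected directly. The following Windows PowerShell function is an added example and not code from the Scripting Guide: it reads the 48-byte ELF_LOGFILE_HEADER at the start of a legacy .evt file and reports whether the dirty flag, which the Event service sets while the log is open, is still set. A file produced by BackupEventLog (or by Save As in Event Viewer) has the flag clear; a file copied from a running system with Copy or a file-level backup still has it set. The field layout and the ELF_LOGFILE_HEADER_* values are the documented ones from winnt.h; the sample path is an assumption, and the check applies only to the .evt format of Windows NT, 2000, XP and Server 2003, not to the .evtx format of later versions.

```powershell
# Added example (not from the Scripting Guide): is this .evt a clean backup, or a
# raw copy of a live log? Reads the documented ELF_LOGFILE_HEADER (12 DWORDs).
# Requires Windows PowerShell 3.0 or later. The usage path at the bottom is assumed.

function Test-EvtHeader {
    param([Parameter(Mandatory=$true)][string]$Path)

    # Flag bits from winnt.h for the Flags field of ELF_LOGFILE_HEADER.
    $ELF_LOGFILE_HEADER_DIRTY = 0x0001   # set while the log is open; cleared on a clean close
    $ELF_LOGFILE_HEADER_WRAP  = 0x0002   # records have wrapped past the end of the file

    # Read only the 48-byte header.
    $hdr = New-Object byte[] 48
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $read = $fs.Read($hdr, 0, $hdr.Length) }
    finally { $fs.Close() }
    if ($read -lt $hdr.Length) { throw "$Path is shorter than an event log header" }

    # Offsets: HeaderSize 0, Signature 4 ("LfLe"), CurrentRecordNumber 24,
    # OldestRecordNumber 28, MaxSize 32, Flags 36.
    $headerSize = [BitConverter]::ToUInt32($hdr, 0)
    $signature  = [System.Text.Encoding]::ASCII.GetString($hdr, 4, 4)
    if ($headerSize -ne 0x30 -or $signature -ne 'LfLe') {
        throw "$Path does not start with an ELF_LOGFILE_HEADER (HeaderSize=$headerSize, Signature='$signature')"
    }
    $flags = [BitConverter]::ToUInt32($hdr, 36)

    [PSCustomObject]@{
        Path          = $Path
        CurrentRecord = [BitConverter]::ToUInt32($hdr, 24)
        OldestRecord  = [BitConverter]::ToUInt32($hdr, 28)
        MaxSizeBytes  = [BitConverter]::ToUInt32($hdr, 32)
        Flags         = ('0x{0:X4}' -f $flags)
        Dirty         = [bool]($flags -band $ELF_LOGFILE_HEADER_DIRTY)
        Wrapped       = [bool]($flags -band $ELF_LOGFILE_HEADER_WRAP)
    }
}

# Usage (path assumed). A file written by BackupEventLog reports Dirty = False;
# a raw copy of a live log reports Dirty = True and Event Viewer will call it corrupt.
$h = Test-EvtHeader -Path 'C:\scripts\application.evt'
$h | Format-List
if ($h.Dirty) { Write-Warning "$($h.Path) was not produced by the Event Log Backup API" }
```

Running this over an archive directory is a cheap way to find backups that were made with the wrong tool before anyone needs to open them.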

Scripting Steps

There are multiple ways to back up and clear the event logs. For example, you might:

  • Back up and clear an event log.

  • Back up and clear an event log only if the log meets specific conditions.

Backing up and clearing an event log

Listing 12.5 contains a script that backs up and then clears the Application event log on a computer. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.

  2. Use a GetObject call to connect to the WMI namespace root\cimv2, set the impersonation level to "impersonate," and include the Backup privilege.

    To use the BackupEventLog method, you must enable the Backup privilege as part of your connection string. The account running the script must hold the Back up files and directories user right (members of the Administrators group hold it by default), and the privilege must also be enabled for the WMI connection by naming it in the GetObject moniker; holding the right is not enough on its own.

  3. Use the ExecQuery method to query the Win32_NTEventLogFile class.

    To limit data retrieval to the Application event log, include a Where clause specifying Application as the LogFileName. This returns a collection with a single item: the Application event log.

  4. For the sole item in the collection, use the WMI BackupEventLog method to back up the event log, specifying the full path to the backup file when using this method. If the backup file does not exist, WMI will create a new backup file.

    However, if a backup file by that name already exists, the backup attempt will fail. The failure occurs because the BackupEventLog method does not allow you to overwrite an existing backup file or to append additional records to an existing backup file. This is a security measure that prevents anyone from modifying archived event logs. Without this provision, an unscrupulous administrator could back up and clear the event logs, open the backup files, and then remove any events he or she wanted to keep secret.

  5. Use the WMI ClearEventLog method to clear the event log.

    In the script, this method runs only if the backup succeeded: if BackupEventLog returns anything other than 0, the backup failed, the message "The Application event log could not be backed up." is echoed to the screen, and the event log is not cleared.

Listing 12.5 Backing Up and Clearing an Event Log

strComputer = "."

' Connect to WMI; "(Backup)" enables the Backup privilege in the token,
' which BackupEventLog requires.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" _
    & strComputer & "\root\cimv2")

' Return only the Application log.
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Application'")

For Each objLogFile In colLogFiles
    ' BackupEventLog returns 0 on success; it fails if the file already exists.
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be backed up."
    Else
        ' Clear only after a successful backup.
        objLogFile.ClearEventLog()
    End If
Next

You might want to run the script shown in Listing 12.5 as a scheduled task and thus back up and clear your event log on a regular basis. If you do, give the backup file a different name on each run (for example, by appending the date): because BackupEventLog will not overwrite an existing file, a second run with the same file name fails, and since the script checks the return value, the log is then left uncleared.
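The following Windows PowerShell script is an added example, not code from the Scripting Guide, showing the Listing 12.5 procedure made safe for a scheduled task: each run uses a unique, timestamped file name so that BackupEventLog's refusal to overwrite never bites, the log is cleared only when the backup returned 0, and the .evt is then moved to a central repository in a second step, as the stipulations above suggest, because BackupEventLog itself can only write a local path. It uses Get-WmiObject with -EnableAllPrivileges (Windows PowerShell, not PowerShell 7); the directory C:\scripts and the share \\logserver\evtarchive are assumptions.

```powershell
# Added example (not from the Scripting Guide): scheduled-task-safe backup and clear
# of one event log, then move the archive to a central share.
# Assumptions: C:\scripts exists; \\logserver\evtarchive is writable by the task account.

$ComputerName = $env:COMPUTERNAME
$LogName      = "Application"
$LocalDir     = "C:\scripts"                            # assumed
$CentralDir   = "\\logserver\evtarchive\$ComputerName"  # assumed

# Unique name per run (host-log-yyyyMMdd-HHmmss.evt), so a daily run never collides.
$stamp     = Get-Date -Format "yyyyMMdd-HHmmss"
$fileName  = "$ComputerName-$LogName-$stamp.evt"
$localPath = Join-Path $LocalDir $fileName

# -EnableAllPrivileges enables the Backup privilege (and Security), the PowerShell
# counterpart of "(Backup)" in the VBScript moniker. Query the local machine only:
# BackupEventLog writes to a path local to the computer being queried.
$log = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges `
           -Filter "LogFileName='$LogName'"
if (-not $log) { throw "No event log named $LogName on $ComputerName" }

# Step 1: back up. ReturnValue 0 means success; anything else (for example an
# existing file) means the live log still holds the only copy of the records.
$rc = $log.BackupEventLog($localPath).ReturnValue
if ($rc -ne 0) {
    Write-Error "Backup of the $LogName log to $localPath failed (return code $rc); log not cleared."
    exit 1
}

# Step 2: the backup is on disk, so it is now safe to clear.
$rc = $log.ClearEventLog().ReturnValue
if ($rc -ne 0) {
    Write-Error "$LogName log backed up to $localPath but ClearEventLog returned $rc."
    exit 1
}

# Step 3: move the archive off the host. Done after the WMI call because the
# backup itself cannot be written to a remote path.
if (-not (Test-Path $CentralDir)) { New-Item -ItemType Directory -Path $CentralDir | Out-Null }
Move-Item -Path $localPath -Destination (Join-Path $CentralDir $fileName)
Write-Host "$LogName log archived to $(Join-Path $CentralDir $fileName) and cleared."
```

The non-zero exit codes matter for a scheduled task: they are what the task history shows when a backup silently stops working. On the share, grant the task account permission to create files but not to modify or delete them, so that the no-overwrite property of BackupEventLog continues to hold once the archive has left the host.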

Backing up and clearing an event log if the log meets specific conditions

If you wanted to, you could schedule the script in Listing 12.5 to run as a scheduled task each morning. The script would thus start up each day and then back up and clear each event log. At the end of the year, you would have 365 archive files for each event log (provided each run used a different file name). Although the data would be safely archived, dealing with scores of small event log files can be more complicated than dealing with a single large event log file.

As an alternative approach, you can create a script that backs up and clears an event log only if the log meets specific conditions.

Listing 12.6 contains a script that backs up and clears an event log only if the log is larger than 20 megabytes (approximately 20,000,000 bytes). If the log is smaller than 20 megabytes, the script exits without performing the backup. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.

  2. Use a GetObject call to connect to the WMI namespace root\cimv2 on the computer, set the impersonation level to "impersonate," and include the Backup and Security privileges. Backup is required by BackupEventLog; Security is required for the Security event log to be returned by the query.

  3. Use the ExecQuery method to query the Win32_NTEventLogFile class.

    This returns a collection consisting of all the event logs on the computer. Because the moniker includes the Security privilege, the collection also contains the Security event log; without that privilege, the query returns every log except Security. If the Security event log is managed separately from the other event logs (as it often is, and often by a separate administrator), remove the Security privilege from the moniker or add a Where clause that excludes it.

  4. For each event log in the collection, compare the FileSize property (in bytes) with the 20-megabyte threshold.

    • If FileSize is greater than 20,000,000, the event log is backed up to a file named after the log (for example, c:\scripts\System.evt), and the log is then cleared. As in Listing 12.5, the clear should only be attempted when BackupEventLog returns 0; otherwise records that were never archived would be lost. Note that because BackupEventLog will not overwrite, the second time a given log crosses the threshold the backup fails unless the earlier archive has been moved away or the file name is varied.

    • If FileSize is 20,000,000 or less, the log is left alone: it is neither backed up nor cleared.

Listing 12.6 Backing Up and Clearing Event Logs If the Log Meets Specific Conditions

strComputer = "."

' Backup is needed by BackupEventLog; Security is needed for the Security
' log to be included in the query results.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
    & strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile")

For Each objLogFile In colLogFiles
    ' FileSize is in bytes; only logs larger than about 20 MB are archived.
    If objLogFile.FileSize > 20000000 Then
        errBackupLog = objLogFile.BackupEventLog _
            ("c:\scripts\" & objLogFile.LogFileName & ".evt")
        If errBackupLog <> 0 Then
            ' Never clear a log whose records have not been archived.
            Wscript.Echo "The " & objLogFile.LogFileName & _
                " event log could not be backed up and was not cleared."
        Else
            objLogFile.ClearEventLog()
        End If
    End If
Next