Security logs to SQL server
Hi,
We have a requirement to save logs for half a year. Is there any way to save Windows 2008 R2 security logs to SQL Server, or any other convenient way to save the logs?
thanks
December 10th, 2012 6:50am
You can save them in the standard evt/evtx format. You can use the following PowerShell script to back up the Security event log:
function Backup-Eventlog {
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $true)]
        [string]$Computer = $Env:COMPUTERNAME,
        [Parameter(Mandatory = $true)]
        [string]$BackupPath
    )
    begin {
        if (!(Test-Path $BackupPath)) { New-Item -Path $BackupPath -ItemType Directory -Force -ErrorAction Stop | Out-Null }
        $date = Get-Date -Format dd.MM.yyyy
    }
    process {
        $Eventlog = Get-WmiObject Win32_NTEventlogFile -Filter "LogfileName = 'Security'" -ComputerName $Computer
        if (-not $Eventlog) { Write-Warning "Could not read the Security log on $Computer"; return }
        # SeBackupPrivilege is required to back up the Security log.
        $Eventlog.PSBase.Scope.Options.EnablePrivileges = $true
        # Use a per-computer subfolder without modifying $BackupPath, so piped computer names do not nest paths.
        $targetDir = Join-Path $BackupPath $Computer
        New-Item -Path $targetDir -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
        # Note: for a remote computer the path is interpreted on that computer's file system.
        $path = Join-Path $targetDir ("Security_" + $date + ".evtx")
        $Backup = $Eventlog.BackupEventLog($path)
        if ($Backup.ReturnValue -eq 0) {
            Write-Host "Success: $path"
            # uncomment the next line if you want to clear the event log after a successful backup.
            #[void]$Eventlog.ClearEventlog()
        } else {
            $msg = (New-Object ComponentModel.Win32Exception -ArgumentList ([int]$Backup.ReturnValue)).Message
            Write-Warning "Unexpected error occurred on ${Computer}: $msg"
        }
    }
    end {
        if ($Backup.ReturnValue -eq 0) {
            Write-Host "Purging archives older than 180 days .."
            Get-ChildItem $BackupPath -Recurse -Filter '*.evtx' | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-180) } | Remove-Item -Force
        }
    }
}
The usage is very simple:
Backup-EventLog -BackupPath D:\BackupDir
Additionally, you can back up event logs from remote systems by piping the computer names to the function:
"computer1", "computer2", "computer3" | Backup-EventLog -BackupPath D:\BackupDir
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new:
PowerShell FCIV tool.
December 10th, 2012 9:05am
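Since the question asked specifically about SQL Server, here is an added example (not from the poster above) that loads one of the Security_*.evtx archives written by Backup-Eventlog into a SQL Server table, using a parameterised insert and a primary key so the import can be re-run safely. The server, database, table and archive path are assumptions.

```powershell
# Added example, not from the original post: import a Security .evtx archive
# written by Backup-Eventlog into a SQL Server table for long-term retention.
# Server, database, path and table names below are assumptions/placeholders.
param(
    [string]$EvtxPath  = 'D:\BackupDir\computer1\Security_10.12.2012.evtx',
    [string]$SqlServer = 'sqlhost\instance',
    [string]$Database  = 'SecurityArchive'
)

# Assumed table, created once (the primary key makes re-imports idempotent):
#   CREATE TABLE dbo.SecurityEvents (
#     MachineName NVARCHAR(255) NOT NULL, RecordId BIGINT NOT NULL,
#     TimeCreated DATETIME2 NOT NULL, EventId INT NOT NULL,
#     Provider NVARCHAR(255), Message NVARCHAR(MAX), EventXml XML,
#     CONSTRAINT PK_SecurityEvents PRIMARY KEY (MachineName, RecordId))

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
$conn.Open()
$cmd = $conn.CreateCommand()
# Parameterised insert: event messages carry user-supplied text (account names,
# file paths), so the statement is never built by string concatenation.
$cmd.CommandText = 'INSERT INTO dbo.SecurityEvents ' +
    '(MachineName, RecordId, TimeCreated, EventId, Provider, Message, EventXml) ' +
    'VALUES (@MachineName, @RecordId, @TimeCreated, @EventId, @Provider, @Message, @EventXml)'

$inserted = 0; $skipped = 0
# -Oldest streams the archive in chronological order without loading it all into memory.
Get-WinEvent -Path $EvtxPath -Oldest | ForEach-Object {
    $cmd.Parameters.Clear()
    [void]$cmd.Parameters.AddWithValue('@MachineName', $_.MachineName)
    [void]$cmd.Parameters.AddWithValue('@RecordId',    [long]$_.RecordId)
    [void]$cmd.Parameters.AddWithValue('@TimeCreated', $_.TimeCreated)
    [void]$cmd.Parameters.AddWithValue('@EventId',     [int]$_.Id)
    [void]$cmd.Parameters.AddWithValue('@Provider',    $_.ProviderName)
    [void]$cmd.Parameters.AddWithValue('@Message',     [string]$_.Message)
    [void]$cmd.Parameters.AddWithValue('@EventXml',    $_.ToXml())
    try {
        [void]$cmd.ExecuteNonQuery(); $inserted++
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # SQL error 2627 = primary key violation: this record was already archived.
        if ($ex -is [System.Data.SqlClient.SqlException] -and $ex.Number -eq 2627) { $skipped++ } else { throw }
    }
}
$conn.Close()
Write-Host "Imported $inserted events, skipped $skipped already-archived records from $EvtxPath"
```

Run it on the archive server after each Backup-Eventlog pass; the 180-day purge in the backup script can then delete the .evtx files while the events stay queryable in SQL Server.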
I would set up a central logging server and forward all your security logs to that server.
http://blogs.technet.com/b/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx
A decent server with 1TB or 2TB drives in a RAID5 with lots of storage space will be your best bet. Just my opinion, but you want to be reviewing your security logs on a regular basis. Pointing them to a central log server and then running auditing software against them achieves two things at once: 1.) You are proactive in your security. 2.) You have all your logs. You can then back them up to tape for safekeeping in case of a hardware failure. From an auditing standpoint it is a lot easier to produce logs from a central log server than to go get them from tape. It also looks better to the auditors if you are actively analyzing them.
--StrayMuse
December 10th, 2012 12:22pm