Security logs to SQL server
Hi, we have a requirement to save logs for half a year. Is there any way to save Windows 2008 R2 security logs to SQL Server, or any other convenient way to save the logs? Thanks
December 10th, 2012 6:50am

You can save them in the standard evt/evtx format. You can use the following PowerShell script to back up the Security event log:

```powershell
function Backup-Eventlog {
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $true)]
        [string]$Computer = $Env:COMPUTERNAME,
        [Parameter(Mandatory = $true)]
        [string]$BackupPath
    )
    begin {
        if (!(Test-Path $BackupPath)) {
            New-Item -Path $BackupPath -ItemType Directory -Force -ErrorAction Stop | Out-Null
        }
        $date = Get-Date -Format dd.MM.yyyy
    }
    process {
        $Eventlog = Get-WmiObject Win32_NTEventlogFile -Filter "LogfileName = 'Security'" -ComputerName $Computer
        # SeBackupPrivilege is needed to back up the Security log
        $Eventlog.PSBase.Scope.Options.EnablePrivileges = $true
        # per-computer subfolder; kept in its own variable so piped computers do not nest paths
        $ComputerPath = Join-Path $BackupPath $Computer
        New-Item -Path $ComputerPath -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
        # BackupEventLog runs on the target computer, so this path refers to its file system
        $path = Join-Path $ComputerPath ("Security_" + $date + ".evtx")
        $Backup = $Eventlog.BackupEventLog($path)
        if ($Backup.ReturnValue -eq 0) {
            Write-Host "Success"
            # uncomment next line if you want to clear the eventlog after a successful backup.
            #[void]$Eventlog.ClearEventlog()
        } else {
            $msg = (New-Object ComponentModel.Win32Exception -ArgumentList ([int]$Backup.ReturnValue)).Message
            Write-Warning "Unexpected error occurred: $msg"
        }
    }
    end {
        if ($Backup.ReturnValue -eq 0) {
            Write-Host "Purging old archives .."
            # drop archives older than 180 days (six-month retention)
            Get-ChildItem $BackupPath -Recurse | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-180)} | Remove-Item -Force
        }
    }
}
```

The usage is very simple:

```powershell
Backup-EventLog -BackupPath D:\BackupDir
```

Additionally, you can back up event logs from remote systems by piping them to the function:

```powershell
"computer1", "computer2", "computer3" | Backup-EventLog -BackupPath D:\BackupDir
```

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
December 10th, 2012 9:05am
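The question actually asked for SQL Server rather than .evtx files. The following is an added example, not code from the thread or from the answer above: it copies new Security events into a SQL Server table with parameterised inserts and keeps a per-computer watermark on the event RecordId so it can run from a scheduled task and only append what is new. The instance name, database name, table layout and the `Export-SecurityEventToSql` / `Initialize-SecurityEventTable` function names are assumptions for the example; it needs Windows authentication on the SQL Server side and read access to the Security log (run elevated).

```powershell
# Added example (not from the thread). Assumed: SQL Server reachable with Windows auth,
# a database named SecurityAudit, and elevated rights to read the Security log.
$ConnectionString = "Server=SQL01;Database=SecurityAudit;Integrated Security=SSPI"   # assumption

function Initialize-SecurityEventTable {
    param([Parameter(Mandatory = $true)][string]$ConnectionString)
    # Composite key (Computer, RecordId) makes accidental double runs fail instead of duplicating rows
    $sql = @"
IF OBJECT_ID('dbo.SecurityEvent', 'U') IS NULL
CREATE TABLE dbo.SecurityEvent (
    Computer    nvarchar(255) NOT NULL,
    RecordId    bigint        NOT NULL,
    EventId     int           NOT NULL,
    TimeCreated datetime2     NOT NULL,
    Message     nvarchar(max) NULL,
    EventXml    xml           NULL,
    CONSTRAINT PK_SecurityEvent PRIMARY KEY (Computer, RecordId)
);
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

function Export-SecurityEventToSql {
    [CmdletBinding()]
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [Parameter(Mandatory = $true)][string]$ConnectionString,
        [int]$BatchSize = 5000
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        # Watermark: highest RecordId already stored for this computer
        $wm = $conn.CreateCommand()
        $wm.CommandText = "SELECT ISNULL(MAX(RecordId), 0) FROM dbo.SecurityEvent WHERE Computer = @c"
        [void]$wm.Parameters.AddWithValue("@c", $Computer)
        $lastId = [int64]$wm.ExecuteScalar()

        # Typed parameters: values never get concatenated into the SQL text
        $ins = $conn.CreateCommand()
        $ins.CommandText = "INSERT INTO dbo.SecurityEvent (Computer, RecordId, EventId, TimeCreated, Message, EventXml) " +
                           "VALUES (@c, @r, @e, @t, @m, @x)"
        [void]$ins.Parameters.Add("@c", [System.Data.SqlDbType]::NVarChar, 255)
        [void]$ins.Parameters.Add("@r", [System.Data.SqlDbType]::BigInt)
        [void]$ins.Parameters.Add("@e", [System.Data.SqlDbType]::Int)
        [void]$ins.Parameters.Add("@t", [System.Data.SqlDbType]::DateTime2)
        [void]$ins.Parameters.Add("@m", [System.Data.SqlDbType]::NVarChar, -1)
        [void]$ins.Parameters.Add("@x", [System.Data.SqlDbType]::Xml)

        # Oldest-first, only records above the watermark, at most one batch per run
        $events = Get-WinEvent -ComputerName $Computer -LogName Security -Oldest -MaxEvents $BatchSize `
                    -FilterXPath "*[System[EventRecordID > $lastId]]" -ErrorAction SilentlyContinue

        $tx = $conn.BeginTransaction()
        $ins.Transaction = $tx
        $count = 0
        foreach ($ev in $events) {
            $msgValue = [DBNull]::Value
            if ($ev.Message) { $msgValue = $ev.Message }   # rendering can fail if the provider is missing
            $ins.Parameters["@c"].Value = $Computer
            $ins.Parameters["@r"].Value = [int64]$ev.RecordId
            $ins.Parameters["@e"].Value = $ev.Id
            $ins.Parameters["@t"].Value = $ev.TimeCreated.ToUniversalTime()
            $ins.Parameters["@m"].Value = $msgValue
            $ins.Parameters["@x"].Value = $ev.ToXml()     # raw XML keeps every field for later queries
            [void]$ins.ExecuteNonQuery()
            $count++
        }
        $tx.Commit()
        return $count
    } finally { $conn.Close() }
}

Initialize-SecurityEventTable -ConnectionString $ConnectionString
$n = Export-SecurityEventToSql -ConnectionString $ConnectionString
Write-Host "Stored $n new Security events"
```

Storing the full event XML alongside the rendered message is what makes the table useful later: the rendered text is convenient to read, but the XML keeps the named EventData fields for precise queries. The watermark assumes the Security log is not cleared between runs; clearing it (as the optional ClearEventlog line in the script above would do) restarts RecordId from 1, so reset or namespace the watermark if you combine the two approaches.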

I would set up a central logging server and forward all your security logs to that server. http://blogs.technet.com/b/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx A decent server with 1TB or 2TB drives in a RAID5 with lots of storage space will be your best bet. Just my opinion, but you want to be reviewing your security logs on a regular basis. Pointing them to a central log server and then running auditing software against them achieves two things at once. 1.) You are proactive in your security. 2.) You have all your logs. You can then back them up to tape for safekeeping in case of a hardware failure. From an auditing standpoint it is a lot easier to produce logs from a central log server than to go get them from tape. It also looks better to the auditors if you are actively analyzing them. --StrayMuse
December 10th, 2012 12:22pm
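The forwarding the post above recommends is Windows Event Forwarding: sources push their Security log over WinRM to a collector, which writes it into its ForwardedEvents log. As an added example (not from the thread or the linked article), the block below registers a source-initiated subscription on the collector with `wecutil` and then does the kind of regular review the post calls for, summarising failed logons (event 4625) collected in the last day. The subscription name, description, the `New-SecurityLogSubscription` and `Get-FailedLogonSummary` function names and the review window are assumptions; the XML follows the standard subscription schema but treat its exact element set as an assumption and compare it against `wecutil gs` output on your collector.

```powershell
# Added example (not from the thread). Assumed: run elevated on the collector; WinRM is
# enabled on collector and sources (winrm quickconfig); a GPO points sources at this
# collector (Administrative Templates > Windows Components > Event Forwarding >
# Configure target Subscription Manager) and grants NETWORK SERVICE read access to
# their Security log.

function New-SecurityLogSubscription {
    param([string]$Name = "Security-AllDomainComputers")   # assumed name
    # SDDL below grants Domain Computers (DC) the right to forward; nothing else may push events
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from all domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
    $file = Join-Path $env:TEMP "$Name.xml"
    [IO.File]::WriteAllText($file, $xml)   # UTF-8 without BOM
    wecutil qc /q          # make sure the Windows Event Collector service is configured
    wecutil cs $file       # create the subscription from the XML
    wecutil gs $Name       # print what was registered, to verify
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [string]$LogName = "ForwardedEvents")
    $since = (Get-Date).AddHours(-$Hours)
    # 4625 = "An account failed to log on"
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($ev in $events) {
        # Read EventData fields by name from the XML rather than by positional index
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Source    = $ev.MachineName
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']
            ClientIp  = $d['IpAddress']
        }
    }
    # Highest counts first: the accounts and sources that deserve a closer look
    $rows | Group-Object Source, Account, LogonType, ClientIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

New-SecurityLogSubscription
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

ForwardedEvents on the collector is itself a regular event log, so the .evtx backup script from the earlier answer and the same 180-day purge apply to it unchanged; the collector also needs its ForwardedEvents maximum size raised well above the default, or it will wrap long before six months.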

