16.12.10

Rotating event Log files in Windows Server 2003. Shouldn't this be done automatically?

First off, let me say yes, we still use Windows Server 2003 SP2 here. It serves the purpose we need it for, and as of right now those needs may be small but are still very relevant. I would love to wipe the server and install RHEL6, but that's further down the line.

Alright, back to the task at hand. When I first started working here, about a year ago, the server performance was abysmal at best. That led me to start looking at what was dragging the server down, besides being a Windows box, that is. One of many, many findings was that the event log files were not set to be rotated out, ever! With my background in Linux administration I was completely baffled as to why this would not be a standard on any server... Bueller?

So, I went about looking into this and found many solutions. There were two options that stuck out as viable alternatives: one was an .adm template and the other was a simple bash script... I mean batch script (:

I wanted a quick solution that I could modify for other uses on the fly with minimal fuss, which obviously left out an .adm template. So, off to work on a batch script I went. After shaking off the rust of batch scripting, it was an easy solution.

I utilized Sysinternals PsLogList.exe in the example below. A later addition also brings 7-Zip by Igor Pavlov into the mix so the week's log files can be zipped and stored for later viewing if necessary.

Below is the code that I used to accomplish this task. Please feel free to adjust it to fit your systems if you are in a similar situation.

@ECHO OFF
REM This is to rotate the logs:
REM Created by Dan M.
REM This work is released under the Creative Commons Attribution-NonCommercial-ShareAlike license
REM http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode

:: Get date in useful format (yyyy-mm-dd)
:: This parses the US-style "Tue 12/16/2010" output of DATE /T; adjust the tokens if the regional settings differ
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set newdate=%%c-%%a-%%b)

:: Start a fresh report file for this run
ECHO "This is a log of the purge/rotation of the event logs" > f:\logs\file.txt
ECHO "-----------------------------------------------------" >> f:\logs\file.txt

:: Run Sysinternals PsLogList.exe: -g exports the log to an .evt file, -c clears it afterwards
:: The log name (Application, Security or System) is the last argument
:: Echo out times to file.txt for emailing
%SYSTEMDRIVE%\SysinternalsSuite\psloglist.exe -c -g f:\Logs\%newdate%_APP_EVTS.evt Application
ECHO "Application events were rotated %newdate% at %time%" >> f:\logs\file.txt
:: Clearing the Security log itself writes an audit event (ID 517 on Server 2003), so the clear is recorded in the fresh log
%SYSTEMDRIVE%\SysinternalsSuite\psloglist.exe -c -g f:\Logs\%newdate%_SEC_EVTS.evt Security
ECHO "Security events were rotated %newdate% at %time%" >> f:\logs\file.txt
%SYSTEMDRIVE%\SysinternalsSuite\psloglist.exe -c -g f:\Logs\%newdate%_SYS_EVTS.evt System
ECHO "System events were rotated %newdate% at %time%" >> f:\logs\file.txt

:: Call email_me.cmd
CALL g:\scripts\Email_me.cmd
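The 7-Zip step mentioned above is not in the original script, so here is an added example of how that follow-up could look (my code, not Dan's): it packs the exported .evt files into a dated 7z archive, tests the archive before deleting the originals, and prunes old archives. It assumes the exports live in F:\Logs, 7z.exe is installed under %PROGRAMFILES%\7-Zip, and the report file is the same F:\Logs\file.txt the rotation script writes.

```batch
@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
REM Added example, not part of the original post.
REM Assumed paths: F:\Logs holds the .evt exports, 7z.exe is in %PROGRAMFILES%\7-Zip,
REM archives go to F:\Logs\archive, and the run is reported in F:\Logs\file.txt.
SET LOGDIR=F:\Logs
SET ARCDIR=F:\Logs\archive
SET SEVENZIP=%PROGRAMFILES%\7-Zip\7z.exe
SET REPORT=F:\Logs\file.txt
SET KEEPDAYS=90

REM Locale-independent timestamp (yyyymmdd) from WMI instead of DATE /T,
REM whose field order depends on the regional settings.
FOR /F "skip=1 tokens=1" %%d IN ('wmic os get localdatetime') DO (
    IF NOT DEFINED LDT SET LDT=%%d
)
SET STAMP=%LDT:~0,8%

IF NOT EXIST "%ARCDIR%" MKDIR "%ARCDIR%"
SET ARCHIVE=%ARCDIR%\evt_%STAMP%.7z

REM Nothing exported? Note it and stop without failing the scheduled task.
IF NOT EXIST "%LOGDIR%\*.evt" (
    ECHO No .evt files to archive %STAMP% >> "%REPORT%"
    GOTO :EOF
)

REM Pack all exports; .evt files compress very well at -mx=9.
"%SEVENZIP%" a -t7z -mx=9 "%ARCHIVE%" "%LOGDIR%\*.evt" > NUL
IF ERRORLEVEL 1 (
    ECHO ARCHIVE FAILED for %STAMP%, .evt files left in place >> "%REPORT%"
    EXIT /B 1
)

REM Verify the archive before destroying the only other copy of the logs.
"%SEVENZIP%" t "%ARCHIVE%" > NUL
IF ERRORLEVEL 1 (
    ECHO VERIFY FAILED for %ARCHIVE%, .evt files left in place >> "%REPORT%"
    EXIT /B 1
)

DEL /Q "%LOGDIR%\*.evt"
ECHO Archived to %ARCHIVE% and verified %STAMP% at %TIME% >> "%REPORT%"

REM Retention: remove archives older than KEEPDAYS days (FORFILES ships with Server 2003).
FORFILES /P "%ARCDIR%" /M evt_*.7z /D -%KEEPDAYS% /C "cmd /c del @path" 2> NUL
ENDLOCAL
```

Run it from the same scheduled task right after the rotation script, before Email_me.cmd, so the report sent out covers both steps.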

Remember to adjust your variables and destinations accordingly, and as always, happy admin-ing!