日志备份的批处理文件&明确

时间:2013-10-18 00:01:09

标签: batch-file logging event-log

摘要:我正在处理批处理脚本文件,以将Windows事件日志备份到映射的网络驱动器。每次脚本运行时,我都使用netlogon建立到网络驱动器的通道。我想备份'应用程序,安全性和&系统'具体记录日志。我想每60天将日志备份到同一目录,但我不想覆盖具有相同名称的现有日志文件。所以我发现我可以将日期附加到单个日志文件名。备份所需的日志后,我想清除当前计算机上的日志。

这是我到目前为止所做的:

我不需要每60天备份一次事件日志的命令,它们不会在目标目录中相互覆盖。我想我最终会使用顶级脚本。

@echo off
net use y: \\server_name\shared_folder_name /USER:admin password /persistent:yes
wmic nteventlog where filename='application' backupeventlog C:\Users\Public\Desktop\Application.evt
wmic nteventlog where filename='security' backupeventlog C:\Users\Public\Desktop\Security.evt
wmic nteventlog where filename='system' backupeventlog C:\Users\Public\Desktop\System.evt
wmic nteventlog where filename='application' cleareventlog
wmic nteventlog where filename='system' cleareventlog
wmic nteventlog where filename='security' cleareventlog
exit

@echo off
XCOPY C:\Windows\System32\winevt\Logs\Application.evtx Y:\Analysis\Logs\ /T /E /Y /C
XCOPY C:\Windows\System32\winevt\Logs\Security.evtx Y:\Analysis\Logs\ /T /E /Y /C
XCOPY C:\Windows\System32\winevt\Logs\System.evtx Y:\Analysis\Logs\ /T /E /Y /C
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
exit

1 个答案:

答案 0 :(得分:0)

也许每60天计划一次 - 它已经用日期戳写了文件。

@echo off
net use y: \\server_name\shared_folder_name /USER:admin password /persistent:yes

for /f "tokens=2 delims==" %%a in ('wmic OS Get localdatetime /value') do set "dt=%%a"
set "YY=%dt:~2,2%" & set "YYYY=%dt:~0,4%" & set "MM=%dt:~4,2%" & set "DD=%dt:~6,2%"
set "HH=%dt:~8,2%" & set "Min=%dt:~10,2%" & set "Sec=%dt:~12,2%"

set "datestamp=%YYYY%%MM%%DD%"
set "target=C:\Users\Public\Desktop"

wmic nteventlog where filename='application' backupeventlog  "%target%\Application-%datestamp%.evt"
wmic nteventlog where filename='security' backupeventlog "%target%\Security-%datestamp%.evt"
wmic nteventlog where filename='system' backupeventlog "%target%\System-%datestamp%.evt"
wmic nteventlog where filename='application' cleareventlog
wmic nteventlog where filename='system' cleareventlog
wmic nteventlog where filename='security' cleareventlog
exit
相关问题
最新问题