10

Windows Server 2003.

Is there any way to easily rotate event logs (or automatically clear and save)? I'm doing a bit of auditing on this machine and my security log gets real big real quick and every couple of weeks I have to remember to save and clear it out.

Yeah I could rely on backup jobs and enable overwriting...but it would be nicer if I could just get Windows to automatically save and clear the log when it's nearing capacity.

Boden
  • 4,968
  • 12
  • 49
  • 70

3 Answers

13

It seems like most people don't know about this feature, but Windows will rotate the log files automatically if so-configured. Look for "AutoBackupLogFiles" in this file.

You can configure this on a server-for-server basis, but that's tedious for a large number of servers. I created an Administrative Template to set this on server computers, and then scripted a startup script to add a scheduled task to periodically pick up, ZIP, and move the log files to a retention location. It worked really well, and was cheap!

http://mx02.wellbury.com/misc/EventLogPolicy.adm

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • +1 Nice tip. I am going to give it a try. – kentchen Jun 16 '09 at 22:20
  • Will this only work on 2008/Vista or will it work on 2000/XP/2003 as well? What should the retention policy be set to? – msvcyc Jun 26 '09 at 18:51
  • 1
    I've never tried this on Server 2008 or Vista. It works fine on Server 2003 and 2000, and Microsoft says it works on Windows XP. The retention setting needs to be 0xffffffff for it to work on 2003/XP/2000. You can see some more details from Microsoft at: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx – Evan Anderson Jun 27 '09 at 07:19
  • 1
    I wish there were instructions on how to configure it oneself instead of downloading an ADM file – Jonathan Feb 02 '15 at 18:55
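For anyone who wants to set this by hand rather than through the ADM file above, here is an added PowerShell example (it is not Evan's template and not code from the page): it writes the two registry values the answer and its comments describe for one classic event log and reads them back in hex so the 0xFFFFFFFF retention value can be checked. It assumes an elevated PowerShell on the target (on Server 2003 that means installing PowerShell first), a log name that defaults to Security, and the standard key HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>.

```powershell
# Added example, not from the answer above or its ADM file: turn on the
# AutoBackupLogFiles behaviour for one classic event log by writing the two
# registry values the answer and its comments describe, then read them back.
# Assumptions: run in an elevated PowerShell; the log name defaults to
# 'Security'; the classic Eventlog service key lives at
# HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>.
param(
    [string]$LogName = 'Security'
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
if (-not (Test-Path -Path $key)) {
    throw "Event log registry key not found: $key"
}

# AutoBackupLogFiles = 1: when the log fills, the service backs it up to a file
# and clears it instead of stopping or overwriting.
Set-ItemProperty -Path $key -Name 'AutoBackupLogFiles' -Value 1 -Type DWord

# Retention must be 0xFFFFFFFF ("do not overwrite") for the auto-backup to kick
# in on 2000/XP/2003. REG_DWORD is written through a signed Int32 here, so -1
# is the value that lands in the registry as 0xFFFFFFFF.
Set-ItemProperty -Path $key -Name 'Retention' -Value -1 -Type DWord

# Read back and print as hex so the 0xFFFFFFFF check is obvious at a glance.
$p = Get-ItemProperty -Path $key
'{0}: AutoBackupLogFiles=0x{1:X8} Retention=0x{2:X8}' -f $LogName, $p.AutoBackupLogFiles, $p.Retention
```

Run it once per log you audit (for example with `-LogName Security`); the final line should print `Retention=0xFFFFFFFF`, which is the setting Evan's comment says is required on 2003/XP/2000. Because the log is no longer allowed to overwrite itself, keep an eye on free disk space where the backups land.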
2

Here's a VBS script that will save your event log and clear it. Put this in a scheduled task. Note that the specific event log is specified in line 3 of the script and that you'll obviously want to tweak the target path.

Code "borrowed" (i.e. stolen) from MSDN.

strComputer = "."   ' "." means the local machine
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")   ' add the Security privilege, i.e. (Backup,Security), when targeting the Security log
Set colLogFiles = objWMIService.ExecQuery("Select * from Win32_NTEventLogFile Where LogFileName='Application'")   ' change 'Application' to the log you want, e.g. 'Security'
For Each objLogFile In colLogFiles
    ' VBScript does not treat \ as an escape character, so a single backslash is the correct path separator
    strTarget = "c:\application_" & Year(Now) & "_" & Month(Now) & "_" & Day(Now) & "_" & Hour(Now) & "_" & Minute(Now) & ".evt"
    errBackupLog = objLogFile.BackupEventLog(strTarget)
    ' Only clear the log when the backup returned 0 (success), so no audit records are lost
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog
    Else
        WScript.Echo "Backup of " & objLogFile.LogFileName & " failed with error " & errBackupLog
    End If
Next
squillman
  • 37,883
  • 12
  • 92
  • 146
0

To see the configurable options for a custom ADM template, you probably need to click the View menu, and uncheck "only show policy settings that can be fully managed".