> Hi all,
>
> I have written a VB script that backs up the event logs on a machine
> over the network, zips them up and puts them in a folder for archiving
> purposes. When the script has been fully tested, it'll clear the event
> logs too.
>
> The script has a small problem though - it cannot back up the Security
> event log from a domain controller. It uses the BackupEventLog WMI
> method to do this. I have included 'Backup' and 'Security' as part of
> the WMI moniker string. I have tested the script running as a Domain
> Admin and I have the same problem.
>
> The script works for backing up any event log on any computer, apart
> from a security log on a domain controller. I'm guessing that there's
> a privilege that I'm not setting correctly, or there's a group policy
> setting on the domain controllers that is preventing remote backup of
> the security log.
>
> Any ideas?
>

> I use this one to save and delete the security log from my servers.
> Maybe you find inside also the security part you need for your script,
> because the security settings prevent you in the moment from backing up.
> I have had the same problem until i got this one.
>
> Copy this in a textfile and save it as .vbs (without the lines) and run
> it on the machine as a scheduled task. For the output file you have to
> create a folder on c:\SecurityLog in this case and the useraccount
> should have modify permission in this folder.
>
> -----------------------------------------------------------------------------------------------
>
>
> ;The user account used for this script must have this rights/privileges
> ;Generate security audits
> ;Back up files and directories
> ;Log on as a batch job
> ;Manage auditing and security log
> strDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" & Right("0"
> & Day(Now),2) & "-"
> strComputer = "."
> Set objWMIService = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _
> strComputer & "\root\cimv2")
> Set colLogFiles = objWMIService.ExecQuery _
> ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")
> For Each objLogfile in colLogFiles
> errBackupLog = objLogFile.BackupEventLog("c:\SecurityLog\"& strDate
> &"security.evt")
> If errBackupLog <> 0 Then
> Wscript.Echo "The Security event log could not be backed up."
> Else
> objLogFile.ClearEventLog()
> End If
> Next

>> Hi all,
>>
>> I have written a VB script that backs up the event logs on a machine
>> over the network, zips them up and puts them in a folder for archiving
>> purposes. When the script has been fully tested, it'll clear the event
>> logs too.
>>
>> The script has a small problem though - it cannot back up the Security
>> event log from a domain controller. It uses the BackupEventLog WMI
>> method to do this. I have included 'Backup' and 'Security' as part of
>> the WMI moniker string. I have tested the script running as a Domain
>> Admin and I have the same problem.
>>
>> The script works for backing up any event log on any computer, apart
>> from a security log on a domain controller. I'm guessing that there's
>> a privilege that I'm not setting correctly, or there's a group policy
>> setting on the domain controllers that is preventing remote backup of
>> the security log.
>>
>> Any ideas?

> Chris M wrote:
>> I have written a VB script that backs up the event logs on a machine
>> over the network, zips them up and puts them in a folder for archiving
>> purposes. When the script has been fully tested, it'll clear the event
>> logs too.
>>
>> The script has a small problem though - it cannot back up the Security
>> event log from a domain controller. It uses the BackupEventLog WMI
>> method to do this. I have included 'Backup' and 'Security' as part of
>> the WMI moniker string. I have tested the script running as a Domain
>> Admin and I have the same problem.
>
> Just an update on this... I'm still not sure where the problem lies.
>
> Here's the line where the log actually gets backed up:
>
> BackupResult   = LogFile.BackupEventLog(FileName)
>
>
> If FileName is a local path (C:\Eventlogs\blah...) then backing up the
> security log works OK.
>
> If FileName is a UNC path (\\server\C$\EventLogs\Blah...) then this
> fails - but only on the security log - with a return value of 1450.
>
> However - in the second case, the evt file is still created in the right
> location! It always has a filesize of around 8 megs, but it's not always
> the exact same value.
>
> I have just noticed that the security log is actually 128 megs in size
> so I guess that might be the cause, but I still wonder why it works when
> the target file is a local path rather than a UNC path. In both cases,
> the other event log file sizes when backed up are always the same.
>
> Some Googling has suggested that the error return value of 1450 might
> actually be a Win32 error that has been filtered back through the method
> call, and it corresponds to ERROR_NO_SYSTEM_RESOURCES. I wonder if the
> size of the event log is causing some buffer to fill up somewhere.