BackupEventlog method of the Win32_NTEventlogFile class
The BackupEventLog method saves the specified event log to a backup file. If a backup file with the same name exists, the method fails.
This topic uses Managed Object Format (MOF) syntax. For more information about using this method, see Calling a Method.
Syntax
Parameters
ArchiveFileName [in]
Path and file name of the backup file to be created.
If the ArchiveFileName comes from a source that you do not know or trust, then this parameter value should be verified before using it in a call to BackupEventlog.
Return value
| Return code | Description |
|---|---|
| 0 | Success |
| 8 | Privilege missing |
| 21 | Invalid parameter |
| 80 | Archive file name already exists. |
Remarks
Event logs maintain a historical record of important events that occur on a computer. These records should be archived, at least temporarily, to help you carry out tasks such as troubleshooting problems (when did the first instance of X occur?) or capacity planning (how does the number of Ys occurring this month compare with the number of Ys that occurred last month?).
The most efficient way to archive event log records is to routinely back up and then clear these logs. Backing up the logs before clearing them ensures that the records will be available if you ever need them; clearing the event logs keeps those logs to a manageable size. Clearing the event logs also ensures that all events will be recorded. If you do not clear the event log before it reaches its maximum size, it either stops recording any new events or starts overwriting older events, depending on how the log has been configured. As a result, events will either be overwritten, and thus lost, or never recorded in the first place.
When you clear an event log, the operating system does not delete the previous event log file. Instead, Windows creates a new 64 KB log file that replaces the old log file. (The new log file is placed on exactly the same sectors of the disk drive as the old log file.) Because the disk drive sectors are overwritten and filled with new information, you cannot retrieve records from a cleared event log using an undelete tool.
Before you clear an event log, it is a good idea to create a backup of that log. WMI provides a method for backing up event logs. However, this method comes with two important stipulations. For one, you must use the proprietary event log binary log format. To archive event logs in plain-text format, you need to create a query to extract the records and then write the extracted information to a text file.
In addition, you must make backups to the local computer; you cannot save a backup of the event logs on Computer A to Computer B. Backups are implemented by using the LocalSystem account, which does not have the network credentials necessary to access remote computers. If you want to save backups to a central repository, modify the script to first perform the backup, and then move the backup file to the central repository.
A technical note on backing up event logs
Event logs must be backed up separately from any other system files. Although a regular system backup can copy the event log files, the copied event log files will be unusable. If you attempt to open an event log file that has been copied or backed up by using any means other than the Event Log Backup Application Programming Interface (API), you receive an error message stating that the event log file is corrupt.
This error message is the result of a unique characteristic of event log files. When a computer starts, the Event service changes several bits in each event log file header. These changed bits indicate that the event log file is open, and they prevent applications, including backup programs, from accessing the event log file. If you copy an event log file by using the Copy command or a standard backup program, the copied event log file includes these changed bits. If you then try to open the copied file, you receive a message that the event log is corrupt.
Despite the changed bits, you can use Event Viewer to work with the event log files, but only because it does not try to open the event log file itself. Instead, Event Viewer uses the Event service and the Event Logging API to open the event log files.
However, this does not completely solve the problem. For better or worse, the Event service and Event Logging API can be used to open only actual event logs; they cannot open archived event log files. Instead, Event Viewer must directly access backup event log files. If the Event Log Backup API did not produce these backup event log files, these backup files will include the changed bits indicating that the file is open. In that case, any attempt to access the file will fail.
When you use the Event Log Backup method, these header bits are changed to indicate that the file is closed, giving Event Viewer access to the data.
Examples
The following VBScript sample backs up and then clears the Application event log on a computer.
The following VBScript backs up and clears an event log only if the log is larger than 20 megabytes (approximately 20,000,000 bytes). If the log is smaller than 20 megabytes, the script exits without performing the backup.
The following VBScript code sample demonstrates how to back up the entries from the Application event log file on the local machine from instances of Win32_NTEventLogFile.
The following Perl code sample demonstrates how to back up the entries from the Application event log file on the local machine from instances of Win32_NTEventLogFile.
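A PowerShell equivalent of the backup-and-clear samples above, added here as an illustration; it is not one of the topic's own VBScript or Perl samples. It assumes Windows PowerShell 5.1 (Get-WmiObject with -EnableAllPrivileges), a local archive directory C:\EventLogArchive, and the 20,000,000-byte threshold from the size-check sample. The Test-ArchiveFileName helper is this example's own implementation of the ArchiveFileName verification the Parameters section asks for, and the return-code table is decoded from the table above.

```powershell
# Added example (PowerShell), not part of the original topic's VBScript/Perl samples.
# Backs up and then clears a log via Win32_NTEventlogFile.BackupEventLog, validating
# the ArchiveFileName first and decoding the documented return codes.
param(
    [string]$LogName      = 'Application',
    [string]$ArchiveRoot  = 'C:\EventLogArchive',  # assumed local directory (backups must be local)
    [int]$MinSizeBytes    = 20000000                # back up only if larger, as in the size-check sample
)

# Return codes documented for BackupEventLog.
$ReturnCodes = @{ 0 = 'Success'; 8 = 'Privilege missing'; 21 = 'Invalid parameter'; 80 = 'Archive file name already exists' }

function Test-ArchiveFileName {
    # Accept only a fully qualified .evtx path below $Root that does not exist yet;
    # the method fails (code 80) on a name collision, and '..' segments are collapsed
    # by GetFullPath so the directory check cannot be bypassed.
    param([string]$Path, [string]$Root)
    if (-not [System.IO.Path]::IsPathRooted($Path)) { return $false }
    $full     = [System.IO.Path]::GetFullPath($Path)
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    if (-not $full.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    if ([System.IO.Path]::GetExtension($full) -ne '.evtx') { return $false }
    if (Test-Path -LiteralPath $full) { return $false }
    return $true
}

# Unique, timestamped name so repeated runs never hit return code 80.
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd-HH-mm-ss')
$archive = Join-Path $ArchiveRoot ("{0}-{1}-{2}.evtx" -f $LogName, $env:COMPUTERNAME, $stamp)

if (-not (Test-Path -LiteralPath $ArchiveRoot)) { New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null }
if (-not (Test-ArchiveFileName -Path $archive -Root $ArchiveRoot)) { throw "Refusing unsafe archive path: $archive" }

# -EnableAllPrivileges grants SeBackupPrivilege/SeSecurityPrivilege on the WMI connection;
# without it, backing up the Security log returns 8 (Privilege missing).
$wql = "LogfileName='{0}'" -f $LogName.Replace("'", "''")   # escape quotes for WQL
$log = Get-WmiObject -Class Win32_NTEventlogFile -Filter $wql -EnableAllPrivileges
if (-not $log) { throw "Log '$LogName' not found" }

if ($log.FileSize -lt $MinSizeBytes) {
    Write-Output ("{0} is {1} bytes, below the {2}-byte threshold; nothing to do." -f $LogName, $log.FileSize, $MinSizeBytes)
    return
}

$result = $log.BackupEventLog($archive)
$rc     = [int]$result.ReturnValue
$desc   = if ($ReturnCodes.ContainsKey($rc)) { $ReturnCodes[$rc] } else { 'Undocumented return code' }
Write-Output ("BackupEventLog({0}) -> {1} ({2})" -f $archive, $rc, $desc)

# Clear only after a verified successful backup, so no record is lost.
if ($rc -eq 0 -and (Test-Path -LiteralPath $archive)) {
    $clear = $log.ClearEventLog()
    Write-Output ("ClearEventLog -> {0}" -f $clear.ReturnValue)
}
```

Run it from an elevated Windows PowerShell prompt; the backup is written on the local computer, so moving the .evtx to a central repository afterwards is a separate step, as the Remarks describe.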
1105(S): Event log automatic backup
Applies to
- Windows 10
- Windows Server 2016
Subcategory: Other Events
Event Description:
This event generates every time the Windows Security log becomes full and a new event log file is created.
This event generates, for example, if the maximum size of the Security event log file was reached and the event log retention method is “Archive the log when full, do not overwrite events”.
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Log [Type = UnicodeString]: the name of the log that was archived (a new event log file was created and the previous event log was archived). Always “Security” for Security event logs.
File [Type = FILETIME]: full path and filename of the archived log file.
The format of the archived log file name is “Archive-LOG_FILE_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx”, where:
- LOG_FILE_NAME – the name of the archived file.
- Y – years.
- M – months.
- D – days.
- h – hours.
- m – minutes.
- s – seconds.
- n – fractional seconds.
The time in this event is always in the GMT+0/UTC+0 time zone.
Security Monitoring Recommendations
For 1105(S): Event log automatic backup.
- Typically this is an informational event and no action is needed. But if your baseline settings are not “Archive the log when full, do not overwrite events”, then this event is a sign that some settings are not set to baseline or were changed.
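The recommendation above turns into a simple check: compare the Security log's current retention mode with the baseline, then review recent 1105 events and parse the archive file name format the article gives. The following PowerShell is an added example, not part of the original article; it assumes the baseline is AutoBackup (the "Archive the log when full, do not overwrite events" setting) and a seven-day review window, both of which are parameters.

```powershell
# Added example (PowerShell), not part of the original article.
# Verifies the Security log retention mode against the assumed baseline and reviews
# recent 1105 events, parsing Archive-LOG_FILE_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx names.
param(
    [string]$ExpectedLogMode = 'AutoBackup',  # assumed baseline: "Archive the log when full, do not overwrite events"
    [int]$Days = 7
)

# 1. Baseline check. LogMode is Circular (overwrite as needed), AutoBackup (archive when full) or Retain.
$secLog = Get-WinEvent -ListLog Security
Write-Output ("Security log: mode={0} max={1} bytes records={2}" -f $secLog.LogMode, $secLog.MaximumSizeInBytes, $secLog.RecordCount)
if ("$($secLog.LogMode)" -ne $ExpectedLogMode) {
    Write-Warning "Retention mode '$($secLog.LogMode)' differs from baseline '$ExpectedLogMode'; a 1105 event here means the setting was changed."
}

# 2. Archive file name pattern from the Field Descriptions; the timestamp is UTC.
$NamePattern = '^Archive-(?<log>.+)-(?<y>\d{4})-(?<mo>\d{2})-(?<d>\d{2})-(?<h>\d{2})-(?<mi>\d{2})-(?<s>\d{2})-(?<ms>\d{3})\.evtx$'

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1105; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
if (-not $events) { Write-Output "No 1105 events in the last $Days days."; return }

foreach ($e in $events) {
    # The File field is the only event property that names an .evtx file, so pick it by suffix.
    $path = ($e.Properties | ForEach-Object { "$($_.Value)" } | Where-Object { $_ -like '*.evtx' } | Select-Object -First 1)
    $leaf = if ($path) { Split-Path -Leaf $path } else { '' }
    $archivedUtc = $null
    if ($leaf -match $NamePattern) {
        $archivedUtc = [datetime]::new([int]$Matches.y, [int]$Matches.mo, [int]$Matches.d, [int]$Matches.h,
                                       [int]$Matches.mi, [int]$Matches.s, [int]$Matches.ms, [System.DateTimeKind]::Utc)
    }
    # An archive that no longer exists, or a name that does not follow the format, deserves a look.
    [pscustomobject]@{
        Recorded          = $e.TimeCreated
        ArchiveFile       = $path
        ArchivedUtc       = $archivedUtc
        FileStillExists   = if ($path) { Test-Path -LiteralPath $path } else { $false }
        NameMatchesFormat = [bool]$archivedUtc
    }
}
```

Reading the Security log requires an elevated prompt; the objects it emits can be piped to Export-Csv or compared against the archive repository to confirm that every archived file was actually collected.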
WMI Tasks: Event Logs
WMI tasks for event logs obtain event data from event log files and perform operations like backing up or clearing log files. For other examples, see the TechNet ScriptCenter at https://www.microsoft.com/technet.
The script examples shown in this topic obtain data only from the local computer. For more information about how to use the script to obtain data from remote computers, see Connecting to WMI on a Remote Computer.
The following procedure describes how to run a script.
To run a script
- Copy the code and save it in a file with a .vbs extension, such as filename.vbs. Ensure that your text editor does not add a .txt extension to the file.
- Open a command prompt window and navigate to the directory where you saved the file.
- Type cscript filename.vbs at the command prompt.
- If you cannot access an event log, check whether you are running from an elevated command prompt. Some event logs, such as the Security event log, may be protected by User Account Control (UAC).
By default, cscript displays the output of a script in the command prompt window. Because WMI scripts can produce large amounts of output, you might want to redirect the output to a file. Type cscript filename.vbs > outfile.txt at the command prompt to redirect the output of the filename.vbs script to outfile.txt.
The following table lists script examples that can be used to obtain various types of data from the local computer.
| How do I... | WMI classes or methods |
|---|---|
| ...retrieve information about the Security event log? | Include the Security privilege when connecting to the Win32_NTEventlogFile class. For more information, see Executing Privileged Operations Using VBScript. |
| ...back up an event log? | Use the BackupEventLog method of the Win32_NTEventlogFile class. |
| ...back up an event log more than once? | Ensure that the backup file has a unique name before using the Win32_NTEventlogFile class and the BackupEventLog method. The operating system does not allow you to overwrite an existing backup file; you must either move the backup file or rename it before you can run the script again. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript. |
| ...determine the number of records in an event log? | Use the Win32_NTEventlogFile class and check the value of the NumberOfRecords property. |

How-To Export Windows Event Logs
Purpose
When submitting a support case for technical assistance, it is sometimes necessary to upload relevant Windows event logs in addition to the Veeam logs. Event logs exported using default settings can be missing important information. This article describes three different methods of exporting Windows event logs and which logs tend to be most useful for certain types of support cases.
Solution
Below are the three common methods a Veeam Support Engineer may request you use to gather event logs for them. If they have specified a specific method, please use the requested method. See Which Logs to Export below for the logs that should be collected for common issues.
Method 1: Export EVTX with Display Information (MetaData)
An .evtx file alone does not contain the text of most events, so uploading an .evtx file without the associated Display Information can delay resolution of your support case. Even with the display information, an .evtx contains only the UTC time of the events and not the source time zone (Event Viewer adjusts the displayed time to your local time zone).
Steps to Export .evtx with Display Information
Be sure to include the LocaleMetaData folder when packaging logs for upload. Please package all files into a single .zip archive. For information on uploading files to Support, see: Steps to Compile Logs. To export and then archive an event log from the command line, see: Archive an Event Log.
Method 2: Export as CSV
For example, when exporting the Application event log from a server named HV01, enter Application_HV01. In Save as type, select CSV (Comma Separated). Please package all files into a single .zip archive. For information on uploading files to Support, see: Steps to Compile Logs. To export and then archive an event log from the command line, see: Archive an Event Log.
Method 3: Collect entire log folder from Windows
Please package all files into a single .zip archive. For information on uploading files to Support, see: Steps to Compile Logs. To export and then archive an event log from the command line, see: Archive an Event Log.
Which Logs to Export
Veeam Support will request logs as needed, but you can speed up resolution of a new case by checking to see if it falls into one of the categories below and uploading appropriate event logs during case creation.
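The three collection methods above can be scripted so that the package always carries the display information, the source time zone, and the LOGNAME_HOSTNAME naming convention. The PowerShell below is an added example and not Veeam's own script; it assumes an elevated prompt, a local output directory under %TEMP%, and that wevtutil.exe, robocopy.exe and Compress-Archive are available (Windows PowerShell 5.1 or later). Method 3 is opt-in because the raw log folder is large.

```powershell
# Added example (PowerShell), not Veeam's own script. Implements Method 1 (.evtx plus
# LocaleMetaData via wevtutil), Method 2 (CSV) and, optionally, Method 3 (raw copy of
# the winevt\Logs folder), then packages everything into one .zip.
param(
    [string[]]$Logs   = @('Application', 'System'),      # assumed default set
    [string]$OutRoot  = "$env:TEMP\EventLogExport",      # assumed local output directory
    [string]$Locale   = 'en-US',
    [switch]$CopyLogFolder                               # Method 3 is opt-in
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$work  = Join-Path $OutRoot "$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# An .evtx stores only UTC timestamps, so record the source time zone alongside the logs.
@(
    "Computer: $env:COMPUTERNAME"
    "TimeZone: $([System.TimeZoneInfo]::Local.Id)"
    "Exported: $(Get-Date -Format o)"
) | Set-Content -Path (Join-Path $work 'export-info.txt')

foreach ($log in $Logs) {
    # LOGNAME_HOSTNAME, e.g. Application_HV01; channel names may contain '/' which is not a valid file name character.
    $base = "{0}_{1}" -f ($log -replace '[\\/:*?"<>|]', '-'), $env:COMPUTERNAME
    $evtx = Join-Path $work "$base.evtx"

    # Method 1: export the channel, then attach display information (creates the LocaleMetaData folder).
    & wevtutil.exe epl $log $evtx
    if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil epl failed for '$log' (exit $LASTEXITCODE)"; continue }
    & wevtutil.exe al $evtx /l:$Locale
    if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil al failed for '$log' (exit $LASTEXITCODE)" }

    # Method 2: CSV with both local and UTC times plus the rendered message text.
    Get-WinEvent -Path $evtx -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'TimeLocal'; e = { $_.TimeCreated } },
                      @{ n = 'TimeUtc';   e = { $_.TimeCreated.ToUniversalTime() } },
                      Id, LevelDisplayName, ProviderName, MachineName, Message |
        Export-Csv -Path (Join-Path $work "$base.csv") -NoTypeInformation -Encoding UTF8
}

# Method 3: raw copy of the log folder. Open log files are copied with robocopy's backup mode (/B).
if ($CopyLogFolder) {
    $src = Join-Path $env:SystemRoot 'System32\winevt\Logs'
    & robocopy.exe $src (Join-Path $work 'winevt-Logs') *.evtx /B /R:1 /W:1 /NP /NFL /NDL | Out-Null
}

$zip = "$work.zip"
Compress-Archive -Path (Join-Path $work '*') -DestinationPath $zip -Force
Write-Output "Package ready: $zip"
```

Pass additional channels as needed, for example `-Logs Application,System,'Microsoft-Windows-Hyper-V-VMMS-Admin'`; the resulting .zip contains the .evtx files, their LocaleMetaData folder, the CSV exports and the time-zone note in one upload.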