I'm working with an application that logs to Windows Application Log regularly (viewable through the Event Viewer administrative tool), and I'm looking for a way to back it up on a daily basis. This is important because we sometimes discover a problem with the application - and to investigate further we need information that was logged a week ago. The events we are looking for aren't necessarily still around ... I've tried increasing the size and all that, but I think an automated backup would facilitate the process. We wouldn't end up with huge logs, but rather, multiple moderately-sized logs.

I would prefer a simple solution like batch file + Windows Scheduler, but would also be interested in other approaches.

Thanks

+2  A: 

You can use Windows Management Instrumentation (WMI) to read the event log and do whatever you like with the result. Here's an article that you may be able to tweak to your purposes.

Dave Swersky
+3  A: 

Here is a WMI script that I found a while ago. This could be what you're searching for!

Option Explicit

Dim strComputer   ' Remote IP address or computer name; "." is the local machine
Dim objWMIService
Dim colLogFiles
Dim objLogFile
Dim errBackupLog
Dim strStamp

strComputer = "."   ' Dim cannot take an initializer in VBScript, so assign separately

' Connect to WMI with the Backup privilege (SeBackupPrivilege, required by BackupEventLog)
' and the Security privilege (SeSecurityPrivilege, required for any operation on the Security log)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer & "\root\cimv2")

' Date stamp for the file name: BackupEventLog fails if the target file already exists,
' so a daily run needs a new name each time
strStamp = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2)

Call eventlogbackup("Application")
Call eventlogbackup("System")
Call eventlogbackup("Security")

Sub eventlogbackup(logtype)
    Set colLogFiles = objWMIService.ExecQuery("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='" & logtype & "'")

    For Each objLogFile In colLogFiles
        ' The Event Log service writes the file, so the path must be reachable and writable by that service
        errBackupLog = objLogFile.BackupEventLog("\\server\eventlogs\" & strComputer & "\" & logtype & "-" & strStamp & ".evt")
        If errBackupLog <> 0 Then
            WScript.Echo "The " & logtype & " event log could not be backed up (error " & errBackupLog & ")."
        Else
            ' Clear only after a successful backup; from here on the backup file is the only copy of these records
            objLogFile.ClearEventLog()
            WScript.Echo "The " & logtype & " event log is backed up."
        End If
    Next
End Sub

Just set up this script in a scheduled task and you're good to go!

Stanislas Biron
Looks promising - I'll give this a shot when I have a chance, and will let you know how it goes.
Matt Refghi
+1  A: 

You might want to consider setting up one of the tools to forward Windows events to a syslog server. Then instead of having to run a process that does the backup you will get all the log entries forwarded to a second location nearly at the same time they are added to the Windows event log.

http://ntsyslog.sourceforge.net/
http://edoceo.com/creo/winlogd
http://www.softpanorama.org/Logs/Syslog/syslog_for_windows.shtml

Depending on what syslog server you use you can set up filters to ignore some events or send them to different files. You can set up log rolling however you like.

Zoredache
+2  A: 

Output all events in the Application channel to XML:

wevtutil.exe qe application

For readable text output, use:

wevtutil.exe qe application /f:text

You could easily pipe either of these outputs to a file periodically for backup.

NicJ
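A worked version of the wevtutil approach in the answer above, written as an added example that is not part of any answer in this thread. It is a PowerShell script meant for the script-plus-Task-Scheduler setup the question asks for: it exports one channel to a date-stamped .evtx file, leaves the live log untouched, checks that the export can be read back, and prunes old files. The channel name, the destination folder and the retention period are assumed values.

```powershell
# Added example, not code from this thread. Exports one event channel to a date-stamped
# .evtx file, leaves the live log in place, and prunes old exports.
# $BackupRoot and $KeepDays are assumed values; change them to suit.
param(
    [string]$Channel    = 'Application',
    [string]$BackupRoot = 'D:\EventLogBackup',   # assumed destination; restrict its ACL to admins and SYSTEM
    [int]   $KeepDays   = 30                     # assumed retention in days
)

$ErrorActionPreference = 'Stop'

$dest = Join-Path $BackupRoot $Channel
if (-not (Test-Path -LiteralPath $dest)) {
    New-Item -ItemType Directory -Path $dest | Out-Null
}

# Timestamped file name: wevtutil epl will not overwrite an existing file, so repeated runs must not collide
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $dest ('{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, $Channel, $stamp)

# Export only the last 24 hours (timediff is in milliseconds) so each daily file is a bounded slice.
# Drop the /q: argument to export the whole channel instead.
$xpath = '*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]'
& wevtutil.exe epl $Channel $file "/q:$xpath"
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for '$Channel' (exit code $LASTEXITCODE)" }

# Embed the message strings so the file stays readable on a machine that lacks the
# application's event message DLLs (an investigator's workstation, for instance)
& wevtutil.exe al $file
if ($LASTEXITCODE -ne 0) { throw "wevtutil al failed for '$file' (exit code $LASTEXITCODE)" }

# Verify the export opens and count its records; an empty export is reported, not treated as an error
$count = @(Get-WinEvent -Path $file -Oldest -ErrorAction SilentlyContinue).Count
Write-Output ('{0}: exported {1} record(s) to {2}' -f $Channel, $count, $file)

# Retention: remove exports older than $KeepDays so the backup folder does not grow without bound
Get-ChildItem -LiteralPath $dest -Filter '*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Force
```

Register it once a day with Task Scheduler, for example `schtasks /Create /SC DAILY /ST 00:05 /RU SYSTEM /TN "EventLogBackup" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-EventLog.ps1"` (the script path is an assumption). Running as SYSTEM also covers the Security channel, which cannot be exported from a non-elevated context. Unlike the WMI script above, this never calls ClearEventLog: the records stay on the machine an investigator looks at first, and the exported files are an additional copy rather than the only one.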