Event log backup is necessary for troubleshooting systems. I have written a simple batch script to take windows event log backup.
Setup Instructions:
Step 1: Create Backup Directory
Create a backup directory named
c:> mkdir c:backup c:> mkdir c:backuplogs
Step 2: Create Backup Script
Copy and paste below script in file
rem Script start here rem Timestamp Generator set BACKUP_PATH=c:backup rem Parse the date (e.g., Thu 02/28/2013) set cur_yyyy=%date:~10,4% set cur_mm=%date:~4,2% set cur_dd=%date:~7,2% rem Parse the time (e.g., 11:20:56.39) set cur_hh=%time:~0,2% if %cur_hh% lss 10 (set cur_hh=0%time:~1,1%) set cur_nn=%time:~3,2% set cur_ss=%time:~6,2% set cur_ms=%time:~9,2% rem Set the timestamp format set timestamp=%cur_yyyy%%cur_mm%%cur_dd%-%cur_hh%%cur_nn%%cur_ss%%cur_ms% wevtutil epl System %BACKUP_PATH%system_%timestamp%.evtx wevtutil epl Application %BACKUP_PATH%application_%timestamp%.evtx wevtutil epl Security %BACKUP_PATH%security_%timestamp%.evtx rem End of Script
Step 3: Configure script in scheduler
Confiugre script in windows task schedulers to run it automatically on regular interval. Use this article to how to configure windows scheduler.
Hi,
Thank you for your script,
I was wondering if i can specify the date, i mean to export the eventlog in last 72 hours as example.?
I’d like to suggest that for many situations it might be better to use the clear log feature with backup.
wevtutil cl System /bu:”%BACKUP_PATH%system_%timestamp%.evtx”
This will create the same backup file as your script, but it will also clear the log so that you are not backing up the same log events the next time.
Hi rahul,
this is very simple and clean …
in your script, you mentioned about 3 events … but how can we know which event logs we have to observe among around 400 event types … can you suggest …
Small but very useful script. Thanks for sharing with us….. keep it up