Batch Script to Automate Event Log Backup on Windows

As a dedicated system administrator, it’s imperative to prioritize the efficient management of Windows server event log backups. Ensuring regular backups and secure storage, preferably on an external hard drive or a reliable cloud storage solution, is key. Adopting a daily backup routine and maintaining a backup archive spanning at least one year is crucial for effective troubleshooting and system analysis.

Discover the Ultimate Batch Script for Windows Log Backup and Storage

Step 1: Create Backup Directory

Initiate your backup process by creating a dedicated backup directory. For instance, establish c:\backup for your primary backups and c:\backup\logs specifically for your log files. Feel free to customize the directory structure to align with your backup strategy.

Effortlessly set up your directory structure with these simple command prompt instructions:

mkdir c:\backup 
mkdir c:\backup\logs

Step 2: Craft an Efficient Backup Script

Now create a batch script, c:\backup\evt-backup.bat, and embed the following script. Modify the BACKUP_PATH as needed to reflect your chosen backup directory.


@echo off
:: Script begins
:: Timestamp Generation

set BACKUP_PATH=c:\backup\logs

:: Date Parsing (Format: Thu 02/28/2013)
set cur_yyyy=%date:~10,4%
set cur_mm=%date:~4,2%
set cur_dd=%date:~7,2%

:: Time Parsing (Format: 11:20:56.39)
set cur_hh=%time:~0,2%
if %cur_hh% lss 10 (set cur_hh=0%time:~1,1%)
set cur_nn=%time:~3,2%
set cur_ss=%time:~6,2%
set cur_ms=%time:~9,2%
 
:: Setting Timestamp Format
set timestamp=%cur_yyyy%%cur_mm%%cur_dd%-%cur_hh%%cur_nn%%cur_ss%%cur_ms%

:: Backup Event Logs
wevtutil epl System %BACKUP_PATH%\system_%timestamp%.evtx
wevtutil epl Application %BACKUP_PATH%\application_%timestamp%.evtx
wevtutil epl Security %BACKUP_PATH%\security_%timestamp%.evtx

:: Delete Old Backups
:: Set the number of days to keep backups
set /a days_to_keep=30

:: Delete files older than the specified number of days
forfiles /p "%BACKUP_PATH%" /s /m *.evtx /d -%days_to_keep% /c "cmd /c del @path"

:: End of Script

During the recent update in script, I have added a section under “Delete Old Backups”. This section uses the forfiles command to identify and delete .evtx files in the backup directory that are older than the specified number of days (days_to_keep). You can adjust the value of days_to_keep to suit your retention policy.

Step 3: Manual Script Execution

Test the script’s efficacy by executing it manually. Launch the Windows command prompt with administrative privileges, navigate to the c:\backup directory, and run the script as follows:

cd c:\backup 
evt-backup.bat

Verify the creation of the event log backup files post-execution.

Step 4: Automate with Windows Task Scheduler

To ensure seamless and consistent backups, configure this script within the Windows Task Scheduler for automatic execution at regular intervals. A daily backup schedule is typically sufficient for standard system needs.

Thank you for exploring this guide. Implementing this script will significantly enhance your capability to automate Windows log backups, streamlining your system management tasks.

13 Comments

HAS on August 23, 2022 7:51 pm
How to do i add an event that has a space
example
wevtutil epl Call Messaging %BACKUP_PATH%\call messaging_%timestamp%.evtx
This returns back a error message due to the space between call””messaging
Cybercut on April 7, 2022 11:42 pm
I know this is an old post however, in my WIN 11 install, even when running with elevated cmd, still – Access Denied. Any suggestions? Thanks so very much.
- Rahul on April 8, 2022 4:19 am
  Try to run as administrator prvileges.
Naren on August 8, 2019 12:21 pm
Hi Team,
This script is working fine for me in Windows server 2012. In windows server 2016 I am getting application and system event logs backup only. Kindly share the script for Windows server 2016 to backup security logs too.
Thanks in Advance for the script.
Shankar D on August 3, 2019 9:44 am
Hi I am getting error while running the batch file.
C:\Backup\logs\wevtutil epl Application C:\backup\logs\application_8/01-15052427.evtx
Failed to export log Application. The system cannotfind the path specified.
OS : Windows 2008R2 STD
Kindly help me to resolve this issue.
Thanks in advance
Shankar D
Ankit Tiwari on July 22, 2019 5:15 pm
Failed to export log Security. Access is denied.
- karuna on July 9, 2021 5:49 am
  script run as administrator, it will work
sugun on January 25, 2019 1:08 pm
Failed to export log Security. Access is denied.
Rami on August 10, 2016 2:02 pm
Hi,
Thank you for your script,
I was wondering if i can specify the date, i mean to export the eventlog in last 72 hours as example.?
Ted on February 24, 2016 3:54 pm
I’d like to suggest that for many situations it might be better to use the clear log feature with backup.
wevtutil cl System /bu:”%BACKUP_PATH%system_%timestamp%.evtx”
This will create the same backup file as your script, but it will also clear the log so that you are not backing up the same log events the next time.
rajesh on March 19, 2014 11:35 am
Hi rahul,
this is very simple and clean …
in your script, you mentioned about 3 events … but how can we know which event logs we have to observe among around 400 event types … can you suggest …
- FA-EF on February 14, 2019 7:36 am
  Hi LEAVE A REPLY
  You can check name of logs in log properties and use Full Name to insert into script.
  Example
  wevtutil epl Microsoft-Windows-PrintService/Operational %BACKUP_PATH%\Operational_%timestamp%.evtx
Avi on November 1, 2013 4:25 pm
Small but very useful script. Thanks for sharing with us….. keep it up