I wanted to keep a log of all fileshare access, at the file access level, so I enabled 'Detailed File Share - Success' logging. 2 of my fileshares generate minimal logs, 1-2GB per day, but 1 of them is generating about 20GB or more (we need to evaluate usage...) so I'm running this script to trigger off Event ID 1105 (the Event Log has been arch…
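# Function to zip the archived log; requires 7-Zip (7za.exe, the command-line version).
function Create-7zip([String] $sourceDir, [String] $zipFileName)
{
    <#
    .SYNOPSIS
        Adds $sourceDir to the zip archive $zipFileName using 7za.exe.
    .PARAMETER sourceDir
        Path to compress (file or directory); handed to 7za unchanged.
    .PARAMETER zipFileName
        Full path of the .zip archive to create or update.
    .NOTES
        Throws if 7za.exe is missing or exits with a non-zero code, so a failed
        archive run stops the script instead of silently continuing. The caller
        later deletes .evtx files once a .zip with the same name exists, so an
        unnoticed failure here could otherwise cost the only copy of an audit log.
    #>
    [string]$pathToZipExe = "C:\scripts\7zip\7za.exe"
    if (-not (Test-Path $pathToZipExe))
    {
        throw "7-Zip executable not found at '$pathToZipExe'"
    }
    # 'a' = add to archive, '-tzip' = zip container format, '-r' = recurse into subdirectories
    [Array]$arguments = "a", "-tzip", "$zipFileName", "$sourceDir", "-r"
    & $pathToZipExe $arguments
    # A non-zero exit code from 7za signals a warning or error; do not trust the resulting archive.
    if ($LASTEXITCODE -ne 0)
    {
        throw "7za.exe exited with code $LASTEXITCODE while archiving '$sourceDir' to '$zipFileName'"
    }
}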
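# Get the event that contains the file name of the archived Security log
# (Event ID 1105, "The event log file was archived"); the archived path is ReplacementStrings[1].
# For PowerShell v3.0+ consider: Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
# because when the log is archived this will be the first event in the new log.
# -Newest 1 keeps $trigger a single event object even if more than one 1105 event is present
# (without it, $trigger becomes an array and .ReplacementStrings[1] no longer means what it should).
$trigger = Get-EventLog -LogName Security -InstanceID 1105 -Newest 1
if ($trigger)
{
    # Test for backup directory, create it if it doesn't exist.
    # NOTE(review): the archived Security log is audit data. Confirm the ACL on $backupDir
    # limits access to administrators rather than whatever a new folder under C:\ inherits.
    $backupDir = "C:\evt-backup"
    if (-not (Test-Path $backupDir))
    {
        New-Item -Path $backupDir -ItemType Directory | Out-Null
    }
    # Move the archive out of system32 into a transit folder
    $transitDir = Join-Path $backupDir "Transit"
    if (-not (Test-Path $transitDir))
    {
        New-Item -Path $transitDir -ItemType Directory | Out-Null
    }
    $archivedLog = $trigger.ReplacementStrings[1]
    # Build the backup file name: the archive's file name without the .evtx extension
    $file = [System.IO.Path]::GetFileNameWithoutExtension($archivedLog)
    # Arguments for zip file creation
    $zipFileName = Join-Path $backupDir "$file.zip"
    $sourceDir = Join-Path $transitDir "$file.evtx"
    # The 1105 event remains in the log until the next rotation, so a re-run after the file
    # has already been moved must not fail on Move-Item: only move and zip when the source still exists.
    if (Test-Path $archivedLog)
    {
        Move-Item -Path $archivedLog -Destination $transitDir
        Create-7zip $sourceDir $zipFileName
    }
    else
    {
        Write-Warning "Archived log '$archivedLog' not found; it may already have been moved to '$transitDir'."
    }
}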
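# Second pass over the transit folder: zip any .evtx that has no matching .zip yet, and delete
# an .evtx only when a .zip with the same base name already existed at the start of this run
# (so an archive produced in this run is never deleted before a later run can see it exists).
$oldEvtx = Get-ChildItem "C:\evt-backup\Transit\*.evtx"
$oldZip = Get-ChildItem "C:\evt-backup\*.zip"
$zipDir = "C:\evt-backup"
# Base names of the existing zips. String.Trim('.zip') would strip any of the characters
# '.', 'z', 'i', 'p' from both ends of the name rather than the ".zip" suffix, so take the
# extension off with the path helper instead.
$zip = $oldZip | foreach { [System.IO.Path]::GetFileNameWithoutExtension($_.Name) }
foreach ($evtx in $oldEvtx)
{
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($evtx.Name)
    if ($zip -notcontains $baseName)
    {
        Create-7zip $evtx.FullName (Join-Path $zipDir "$baseName.zip")
    }
    else
    {
        # Pass the full path explicitly; relying on the FileInfo's string form can resolve
        # against the current directory instead of the transit folder.
        Remove-Item $evtx.FullName
    }
}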
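# Retention: delete zipped archives older than $retentionDays. Once the .evtx has been removed
# above, the .zip is the only remaining copy of that Security log, so this value decides how much
# audit history survives; set it to match the log-retention requirement that applies to this host.
$retentionDays = 1
# Compute the cutoff once rather than calling Get-Date on every iteration.
$cutoff = (Get-Date).AddDays(-$retentionDays)
foreach ($zip in $oldZip)
{
    if ($zip.LastWriteTime -lt $cutoff)
    {
        Remove-Item $zip.FullName
    }
}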