Comments on: Guerrilla Event Log archiving: why and how.

By: Natasha-web

Natasha-web — Wed, 16 Dec 2009 04:50:16 +0000

precitat cely blog, docela dobrej

By: Karl L. Gechlik | AskTheAdmin.com

Karl L. Gechlik | AskTheAdmin.com — Tue, 16 Jun 2009 19:49:04 +0000

Thanks for following up Joe!

I am looking at some plugins for windows live writer that format code properly… I will let you know how it goes!

We would love to see some new Admin’s Arsenal posts :)

By: Rever75

Rever75 — Mon, 15 Jun 2009 20:32:20 +0000

Thanks for the reply this script is awesome. I no longer get the error message but oddly it will create the directory on my File Server but never places the backed up logs in it.

By: JoeG

JoeG — Mon, 15 Jun 2009 20:11:19 +0000

Oh and an interesting note here; the error was actually on like 151, however (for reasons known only to Microsoft) when the VBScript interpreter catches an error in a function, it lists the line number where the Function breaks, not necessarily where the problem is.

By: JoeG

JoeG — Mon, 15 Jun 2009 20:08:58 +0000

Ok, so There is a formatting error here. I believe that I can tract the error to a pervious version of WordPress, because I was able to correct it on my blog.

Just in case I’ve also taken a screenshot of the offending function, as it should appear. Here is a link to the post where I’ve fixed it: http://www.laoae.com/2008/11/guerrilla-event-log-archiving-why-and-how/

Now then, apologies to all that have had issues with this script (apparently this is the most popular post I’ve ever written, as I’ve had commentary on this issue from several different sources), my bad for not vetting it after it was posted.

I’m working on a better way of posting code to WordPress so that this doesn’t happen in the future.

By: Rever75

Rever75 — Mon, 15 Jun 2009 14:26:24 +0000

I added the second And since it would error with and Expected ‘Then’ until I added it.

By: Rever75

Rever75 — Mon, 15 Jun 2009 14:25:38 +0000

Ok can get it to archive all the Event Logs, clear them and create the directory on the Remote machine but not copy the actual logs. I was getting errors at line 149 or 150 until I removed this part from line 150.
And UCase( strSourceFolder) And UCase( strTargetFolder)

After that all worked except the actual copying of the file.

By: Rever75

Rever75 — Mon, 15 Jun 2009 13:19:08 +0000

I am getting an issue at Line 150 Char 41 Expected ‘Then’ looks like it is not excepting the 2 Ucases

By: Karl L. Gechlik | AskTheAdmin.com

Karl L. Gechlik | AskTheAdmin.com — Tue, 25 Nov 2008 20:10:39 +0000

Thanks Joe! I will throw your link into the post for reference. And will take a look at the css.

By: Joe Glessner

Joe Glessner — Tue, 25 Nov 2008 18:37:27 +0000

Karl,

As I noted below, the formatting is not showing up correct on this post in FireFox (I’m thinking there is something that needs to be tweaked in the CSS for this page.

I could correct it by making the font smaller with some HTML tags, but then on the IE page it would be tiny and unreadable ;)

By: Joe Glessner

Joe Glessner — Tue, 25 Nov 2008 18:34:04 +0000

By any chance are you viewing the post in Firefox? The reason I ask, is that for some odd reason when I view this page in FF the formatting is broken, and some of the lines wrap (in scripts this is very bad).

If you look around line 150 in the script on this page in Firefox, you’ll notice that there is a “then” just floating (got pushed down by word wrap).

Now if you copy that, it may retain the odd formatting in your text editor. You can find this post on my blog at http://joeit.wordpress.com/2008/11/10/guerrilla-event-log-archiving-why-and-how/, with correct formatting.

As to the line of code you call out:
DIM objDir1: objDir1 = “\\” & strComputer & “\c$\EVT”

This creates a variable that allows the script to create a temporary directory on the remote machine for the event logs to be exported to (the Windows EventLog API security prevents you making copies of the event logs to remote machines directly, all copies must be saved locally or not at all).

objDir2 on the other hand is the destination of the files after then have been copied to objDir1 (basically objDir1 is on whatever machine you run this against, and objDir2 is the final destination for the files).

Hope that gets you where you need to be!

By: Jon

Jon — Tue, 25 Nov 2008 15:44:38 +0000

I just highlighted it all and put it in notepad. Looks like it copied fine. I even tried ultraedit. Maybe I could just get your copy? I also don’t understand the config, mostly this part:

DIM objDir1: objDir1 = “\\” & strComputer & “\c$\EVT”

I already had set the path at the objDir2 variable.

By: Karl L. Gechlik | AskTheAdmin.com

Karl L. Gechlik | AskTheAdmin.com — Tue, 25 Nov 2008 15:41:45 +0000

It runs ok over here. How did you copy the script Jon?

By: Jon

Jon — Tue, 25 Nov 2008 15:05:01 +0000

I’m getting an error when I run this:

Line 150
Char: 41
Error: Expected ‘Then’

Any ideas?

By: Peter

Peter — Sat, 15 Nov 2008 19:59:22 +0000

I run almost the exact same script at the beginning of each month to clear al my server logs and archive them centrally.

I also run a daily script from Redmond Magazine (http://redmondmag.com/columns/article.asp?EditorialsID=1653) that emails me a log of all the error and warning events on all my servers for the past 24 hours. You need to customize it to get rid of the noise, but it works well. It has alerted me to problems before they became critical and allowed me to resolve them without downtime.

By: Jeremy L. Gaddis

Jeremy L. Gaddis — Sat, 15 Nov 2008 02:32:53 +0000

Install Splunk on one of your Linux boxes, and Snare on your Windows PCs.