Security Event Log Archive status report for multiple computers.

Introduction

 

The Security event log in Windows records logon/logoff activity and the other security-related events selected by the system's audit policy.

To meet their security standards, many organisations have a policy of retaining security event logs, so they configure the log to be archived rather than overwritten.

This script is for anyone who needs to know whether archiving of the Security event log is enabled on their Windows servers.

It checks remotely, for each computer in a list, whether the Security event log is configured to archive when full, and reports the details in an Excel workbook.

Script Explanation :

Note: On Windows 7 and later, the registry key that holds the settings of the Security event log is

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

The Event Viewer option "Archive the log when full, do not overwrite events" is stored under this key as Retention = 0xFFFFFFFF together with AutoBackupLogFiles = 1; those are the values that indicate archiving is enabled.
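The check described in the note, as an added example that is not the attached Archivestatus.ps1: it reads the server list from C:\Admin\Servers.txt as in the execution procedure (falling back to the local computer when that file is absent), reads the Retention and AutoBackupLogFiles values from the registry key above on each server, cross-checks them against the LogMode reported by Get-WinEvent, and writes a CSV file (which Excel opens) instead of an Excel workbook. The output file name SecurityLogArchiveStatus.csv and the function name Get-SecurityLogArchiveStatus are assumptions. The remote registry read needs the Remote Registry service running on the target and administrative rights there; Get-WinEvent -ComputerName needs the Remote Event Log Management firewall rule.

```powershell
# Added example, not the attached Archivestatus.ps1. Reports whether each server
# listed in C:\Admin\Servers.txt archives its Security event log when full.
$InputFile  = 'C:\Admin\Servers.txt'
$OutputFile = 'C:\Admin\SecurityLogArchiveStatus.csv'   # assumed output file name

# Key from the note above. "Archive the log when full, do not overwrite events"
# in Event Viewer stores Retention = 0xFFFFFFFF and AutoBackupLogFiles = 1 here.
$KeyPath = 'SYSTEM\CurrentControlSet\Services\EventLog\Security'

function Get-SecurityLogArchiveStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        ComputerName       = $ComputerName
        Retention          = $null   # -1 (0xFFFFFFFF) = never overwrite events
        AutoBackupLogFiles = $null   # 1 = archive the log automatically when full
        LogMode            = $null   # Circular / AutoBackup / Retain (event log API)
        ArchiveEnabled     = $false
        Error              = $null
    }
    try {
        # Remote registry read: needs the Remote Registry service on the target
        # and local administrator rights there. REG_DWORD 0xFFFFFFFF is returned
        # as the Int32 value -1.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        try {
            $key = $base.OpenSubKey($KeyPath)
            if ($null -eq $key) { throw "HKLM\$KeyPath not found" }
            $result.Retention          = $key.GetValue('Retention')
            $result.AutoBackupLogFiles = $key.GetValue('AutoBackupLogFiles')
            $key.Close()
        }
        finally { $base.Close() }

        # Cross-check through the event log API (RPC; needs the Remote Event Log
        # Management firewall rule). LogMode is AutoBackup when archiving is on.
        $log = Get-WinEvent -ListLog Security -ComputerName $ComputerName -ErrorAction Stop
        $result.LogMode = [string]$log.LogMode

        $regSaysArchive = ($result.Retention -eq -1 -and $result.AutoBackupLogFiles -eq 1)
        $apiSaysArchive = ($result.LogMode -eq 'AutoBackup')
        $result.ArchiveEnabled = $apiSaysArchive
        if ($regSaysArchive -ne $apiSaysArchive) {
            $result.Error = 'Registry values and LogMode disagree; verify manually'
        }
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Server list as described in the execution procedure; local computer if absent.
$servers = if (Test-Path $InputFile) {
    Get-Content $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
} else {
    Write-Warning "$InputFile not found, checking $env:COMPUTERNAME only"
    @($env:COMPUTERNAME)
}

$report = foreach ($server in $servers) { Get-SecurityLogArchiveStatus -ComputerName $server }

$outDir = Split-Path -Parent $OutputFile
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$report | Export-Csv -Path $OutputFile -NoTypeInformation
$report | Format-Table ComputerName, LogMode, ArchiveEnabled, Error -AutoSize
```

The registry values are recorded alongside the LogMode rather than used alone because AutoBackupLogFiles is ignored unless Retention is also 0xFFFFFFFF; a server whose two sources disagree is flagged in the Error column rather than silently reported as compliant.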

How to Run the Script?

  Prerequisites:  

(Image: initial setup before script execution)

Execution Procedure:

Step 1: Create the folder C:\Admin\ on the system where you will run the script.

Step 2: The script reads the server list from the file Servers.txt located in C:\Admin\ .

Create a text file named Servers.txt in that folder and list the servers in it, one per line. I have attached samples together with their output. You can also change the input location and file name in the script to match your environment.

Step 3: Once the setup is ready, run the script from PowerShell.

Step 4: Run PowerShell with elevated privileges and set an execution policy that allows the script to run, for example with the command below

PowerShell
Set-ExecutionPolicy Unrestricted -Force

Note that Unrestricted allows any script, including downloaded ones, to run. RemoteSigned is sufficient for a locally written script, and adding -Scope Process confines the change to the current session instead of the whole machine.
 

Step 5: To run the script, open a PowerShell window in the folder that holds it, type .\ followed by the script's name, and press Enter. PowerShell does not run a script from the current folder by its bare name.

Step 6: The output is saved in C:\Admin\. If you changed the output location in the script, it is saved at the location you specified there.

Example:

Here I stored the script in the C:\Admin folder, so to run it I did the following

PS C:\> cd C:\Admin\

PS C:\Admin>

PS C:\Admin> .\Archivestatus.ps1

and pressed Enter to run the script.


(Image: final output after script execution)

Attachment Details:

Conclusion and Feedback:

With the aid of this script we automated the task of verifying whether Security event log archival is configured on multiple servers. I would like to sincerely thank you for using this script; your feedback will help me improve it, so please rate the script. If you have any queries or concerns about this script, post them in the Q&A section.
