Submitted By: Greg Kenoyer, Hewlett-Packard

Modifies event log registry keys that control AutoBackupLogFiles.

Option Explicit 
'** 
'** File: AutoBackupLogFiles.vbs 
'** Usage: from cmd line: "cscript autobackuplogfiles.vbs [C,F] [hostname]"  
'**     {C= check only, F = check and fix  (default action, for automated use)} 
'**     hostname = name of remote host to check, if no parameter passed, localhost (.) assumed 
'** 
'** Date: 9 April 2007 
'** Auth: gdk 
'** Purpose: 
'**    AutoBackupLogFiles will 
'**     1) Check/Verify that AutoBackupLogFiles is set to non-Zero (== 1: do automatic backups) 
'**     2) Check/Verify that Retention is set to 0xFFFFFFFF (== -1: do not overwrite) 
'**     3) FUTURE:  add ping to verify connectivity 
'** 
'**    see Microsoft kb http://support.microsoft.com/kb/312571 
'** 
'**    All log files will be processed, as the call ("Select * from Win32_NTEventLogFile") will get ALL names. 
'** 
'** Inputs: 
'**      1)  Cmd line parameter #1, C for Check or F for Fix; if none passed, FIX assumed 
'**      2)  Cmd line parameter #2, hostname of remote host to check/fix; if none passed, localhost (.) assumed 
'**      3)  HKLM\SYSTEM\CCS\Services registry tree keys AutoBackupLogFiles and Retention 
'** 
'** Outputs: 
'**      1) StdOut messages regarding keys and errors 
'**      2) Modifications to registry key noted above in 3) 
'**      3) (indirect) event logs will be backed up to %SystemRoot%\System32\Config and 
'**         have format Logname-YYYY-MM-DD-HH-MM-SSS-mmm.evt 
'**    
'** Modification History 
'** Date: 10 April 2007 
'** Auth: gdk 
'** Mod:   added 2nd input parameter, hostname 
'** 
'** - - - - - - - - - - - - - - - - - - - - - - - - 
'** 
'** 
On Error Resume Next    '** no automatic abort: Err is tested by hand after the calls that can fail
'**
'** script-wide variables, one per line
'**
Dim WS                  '** WScript.Shell automation object
Dim objWMIService       '** WMI connection to root\cimv2 on strComputer
Dim colLogFiles         '** result set of the Win32_NTEventLogFile query
Dim objSO               '** StdOut text stream that receives every message
Dim RFlag               '** label of the step in progress, echoed by ErrorHandler
Dim strComputer         '** host to inspect
Dim objLogfile          '** loop variable over colLogFiles
Dim objShell            '** declared but not referenced in the visible script
Dim strAns              '** "C" = check only, "F" = check and fix
Dim AutoBackup          '** value read for AutoBackupLogFiles
Dim Retention           '** value read for Retention
'**
'** target values
'**   Retention = -1 (0xFFFFFFFF) means "never overwrite"; together with a non-zero
'**   AutoBackupLogFiles a full log is archived instead of being overwritten.
'**   The archives accumulate (see Outputs in the header), so the archive folder
'**   needs free-space monitoring, collection/pruning and a restrictive ACL.
'**
Const BackupLogValue = 1
Const RetainLogValue = -1
'**
'** registry path fragments: Key1 & <log name> & Key2 (or Key3)
'**
Const Key1 = "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\"
Const Key2 = "\AutoBackupLogFiles"
Const Key3 = "\Retention"

'** default target is the local machine
strComputer = "."

'** StdOut is only available when the script is hosted by cscript.exe
Set objSO = Wscript.StdOut
Set WS = CreateObject("WScript.Shell")

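'**
'** banner
'**
objSO.WriteLine "*-------------------------"
objSO.WriteLine "* AutoBackupLogFiles.vbs"
objSO.WriteLine "* - use: check/correct status of Registry keys controlling AutoBackup of Event Log files"

'**
'** command line: [C|F] [hostname]
'**   no argument at all -> FIX (documented default for automated use)
'**   first argument     -> must be C or F (case-insensitive)
'**   anything else      -> stop WITHOUT touching the registry.  Previously every
'**                         unrecognised first argument (a typo, a hostname passed in
'**                         the wrong position) silently selected FIX, i.e. the
'**                         modifying mode, against the default host.
'**
If WScript.Arguments.Count = 0 Then

  strAns = "F"
  objSO.WriteLine "* Running *-> FIX <-* operation"

Else

  strAns = UCase(Trim(WScript.Arguments.Item(0)))
  Select Case strAns
    Case "C"
      objSO.Write "* Running CHECK ONLY operation"
    Case "F"
      objSO.Write "* Running *-> FIX <-* operation"
    Case Else
      objSO.WriteLine "* Unrecognised mode '" & WScript.Arguments.Item(0) & "' - expected C or F; nothing was changed"
      objSO.WriteLine "* Usage: cscript autobackuplogfiles.vbs [C|F] [hostname]"
      objSO.WriteLine "*-------------------------"
      WScript.Quit 2
  End Select

  '** second argument, when present, replaces the "." default; arguments after it are ignored
  If WScript.Arguments.Count >= 2 Then
    strComputer = UCase(WScript.Arguments.Item(1))
    objSO.WriteLine " on host: " & strComputer
  Else
    objSO.WriteLine " on localhost"
  End If

End If

objSO.WriteLine "*-------------------------"
objSO.WriteBlankLines(1)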

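'**
'** connect to WMI on the target host
'**   The moniker asks for the Backup and Security privileges in addition to
'**   impersonation (presumably so the Security log can be enumerated - confirm).
'**   A failed connection is fatal: with On Error Resume Next in force the script
'**   would otherwise carry on with an unusable objWMIService and produce
'**   misleading per-log output, so report the error and stop with exit code 1.
'**
RFlag = "Initial GetObject on " & strComputer
Err.Clear
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & strComputer & "\root\cimv2")
If Err <> 0 Then
   ErrorHandler
   WScript.Quit 1
End If
'**
'** compile list of Event Logs
'**   same rule: without a log list there is nothing meaningful to check
'**
RFlag = "Selecting Win32_NTEventLogFile"
Err.Clear
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")
If Err <> 0 Then
   ErrorHandler
   WScript.Quit 1
End If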

'** 
'** - - - - - - - - - - - - - - - - - - - - - - - - 
'** 
'** For each event log in the ColLogFiles list, check the keys 
'** 
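'**
'** Registry access
'**   The log list comes from WMI on strComputer, so the registry values must be
'**   read and written on that same host.  WScript.Shell RegRead/RegWrite only
'**   ever touch the registry of the machine running the script, which meant a
'**   remote run reported on - and in FIX mode changed - the LOCAL machine.
'**   The WMI StdRegProv class is used instead; it works for "." as well.
'**
'**   Other fixes in this loop:
'**     - values and Err are reset before every read, so a missing value can no
'**       longer inherit the previous log's result or trigger a spurious error
'**       report after a successful write
'**     - the return code of every write is checked and a failure is reported
'**
Const HKLM_HIVE = &H80000002                                       '** HKEY_LOCAL_MACHINE
Const EventLogKey = "SYSTEM\CurrentControlSet\Services\EventLog\"
Const BackupValueName = "AutoBackupLogFiles"
Const RetentionValueName = "Retention"
Dim objReg, strLogName, strLogKey, lngRc, blnOk

If Not IsObject(colLogFiles) Then
   objSO.WriteLine "*** No event log list available from " & strComputer & "; nothing was checked"
   WScript.Quit 1
End If

RFlag = "Connecting to StdRegProv on " & strComputer
Err.Clear
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\default:StdRegProv")
If Err <> 0 Then
   ErrorHandler
   WScript.Quit 1
End If

objSO.WriteLine "Beginning Registry Key Checks ..."
objSO.WriteBlankLines(1)

For Each objLogfile in colLogFiles

   '** never build a key path from a log name that could not be read
   RFlag = "Loop: reading log name"
   strLogName = ""
   Err.Clear
   strLogName = objLogFile.LogFileName
   If Err <> 0 Or Len(strLogName) = 0 Then
      ErrorHandler
      Exit For
   End If
   strLogKey = EventLogKey & strLogName

   objSO.WriteLine "Checking " & strLogName & " Log Keys..."

   '** ---- 1) AutoBackupLogFiles: any non-zero value is accepted
   objSO.Write " ..1 AutoBackupLogFiles Key -> "
   RFlag = "Loop: ABLF key for " & strLogName
   AutoBackup = Null
   blnOk = False
   Err.Clear
   lngRc = objReg.GetDWORDValue(HKLM_HIVE, strLogKey, BackupValueName, AutoBackup)
   If Err = 0 And lngRc = 0 And Not IsNull(AutoBackup) Then
      blnOk = (AutoBackup <> 0)
   End If
   Err.Clear

   If Not blnOk Then  '** NOT correctly set, missing or unreadable

      objSO.Write " NOT Correctly Set or does not exist (" & AutoBackup & ")"
      If strAns = "F" Then
        objSO.Write ", setting to " & BackupLogValue
        lngRc = objReg.SetDWORDValue(HKLM_HIVE, strLogKey, BackupValueName, BackupLogValue)
        If Err <> 0 Then
          ErrorHandler
        ElseIf lngRc <> 0 Then
          objSO.Write " -- write FAILED, StdRegProv returned " & lngRc
        End If
      End If

   Else          '** already enabled

      objSO.Write "   ALREADY set to Backup (" & BackupLogValue & ")"

   End If

   objSO.WriteBlankLines(1)

   '** ---- 2) Retention: must be 0xFFFFFFFF
   '**      the DWORD may come back as -1 or as 4294967295 depending on how the
   '**      variant is marshalled, so both spellings are accepted
   objSO.Write " ..2 Retention Key -> "
   RFlag = "Loop: Retention key for " & strLogName
   Retention = Null
   blnOk = False
   Err.Clear
   lngRc = objReg.GetDWORDValue(HKLM_HIVE, strLogKey, RetentionValueName, Retention)
   If Err = 0 And lngRc = 0 And Not IsNull(Retention) Then
      blnOk = (CDbl(Retention) = RetainLogValue) Or (CDbl(Retention) = 4294967295)
   End If
   Err.Clear

   If Not blnOk Then  '** NOT correctly set, missing or unreadable

      objSO.Write " NOT Correctly Set or does not exist (" & Retention & ")"
      If strAns = "F" Then
        objSO.Write ", setting to " & RetainLogValue
        lngRc = objReg.SetDWORDValue(HKLM_HIVE, strLogKey, RetentionValueName, RetainLogValue)
        If Err <> 0 Then
          ErrorHandler
        ElseIf lngRc <> 0 Then
          objSO.Write " -- write FAILED, StdRegProv returned " & lngRc
        End If
      End If

   Else          '** already set to never overwrite

      objSO.Write "   ALREADY set to Retain FOREVER (" & RetainLogValue & ")"

   End If

   objSO.WriteBlankLines(2)

Next

objSO.Close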

'** 
'** - - - - - - - - - - - - - - - - - - - - - - - - 
'** 

'**
'** ErrorHandler: write the current Err details to StdOut, labelled with the
'** step name held in RFlag, then clear Err so later checks start clean.
'** It only reports; the caller decides whether to continue.
'**
Sub ErrorHandler
    Dim lngNumber, strSource, strDescription

    '** copy the details out of Err before anything else runs
    lngNumber = Err.Number
    strSource = Err.Source
    strDescription = Err.Description

    With objSO
        .WriteBlankLines 1
        .WriteLine "*** An error occurred in module " & RFlag
        .WriteLine "Error:      : " & lngNumber
        .WriteLine "Error (hex) : &H" & Hex(lngNumber)
        .WriteLine "Source      : " & strSource
        .WriteLine "Description : " & strDescription
        .WriteBlankLines 1
    End With

    Err.Clear
End Sub