Taking Backup of Event Viewer Once or on a Scheduled Basis
Why do we need to take the Backup of the Event Viewer:
These days a server typically hosts a large number of applications and services, and the Event Viewer logs come in handy when we need to troubleshoot performance issues. To have them available, we need to back up the Application and System logs at regular intervals.
Procedure to take the backup:
1. Open Notepad and create a batch file with the following commands. In this scenario I am storing my backups in F:\Application Log Backups; change the folder to suit your environment.
F:
Cd "Application Log Backups"
psloglist.exe -g "F:\Application Log Backups\AppEvent.Evt" Application
psloglist.exe -g "F:\Application Log Backups\System.Evt" System
ren AppEvent.evt "AppEventNEW_%date:~4,2%%date:~7,2%%date:~12,2%_%time:~0,2%%time:~3,2%%time:~6,2%.evt"
ren System.evt "SystemEventNEW_%date:~4,2%%date:~7,2%%date:~12,2%_%time:~0,2%%time:~3,2%%time:~6,2%.evt"
2. Place psloglist.exe in the folder where you want to store the backups (here it is F:\Application Log Backups). PsLogList is a Microsoft utility that takes the backup of the Event Viewer logs. You can download it from the Microsoft website:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx
The 3rd and 4th lines of the batch file take the backup of the event logs, and the 5th and 6th lines rename the files according to the current date and time.
The batch file we have just prepared needs to be executed on a frequent basis to back up the event logs, so you can schedule a task in Windows that runs this batch file every 4-6 (as per your requirement)
If you want to delete the backups after a certain number of days, you can create another batch file that deletes the files according to their date.
Cleaning up old files: Prepare another batch file with the lines below
F:
Cd "F:\Application Log Backups"
forfiles /d -9 /m *.evt /c "cmd /c del @fname.evt"
In the above script, 9 signifies that files older than 9 days will be deleted. Change it to the number of days required.
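The backup and cleanup steps above can also be combined into one PowerShell script, shown here as an added example that is not part of the original article. It uses the article's folder and psloglist.exe, builds the timestamp without relying on the regional `%date%` layout, and prunes old files only after both exports have been verified; the file-name pattern, the `$RetentionDays` variable and the use of `-accepteula` are assumptions of this example.

```powershell
# Added example: backup plus retention in one scheduled script.
# Folder and tool location follow the article; adjust for your server.
$BackupDir     = 'F:\Application Log Backups'
$PsLogList     = Join-Path $BackupDir 'psloglist.exe'
$RetentionDays = 9                        # assumption: same 9 days as the cleanup batch
$Logs          = 'Application', 'System'

# Get-Date -Format is independent of the regional date format,
# unlike the %date:~4,2% substring offsets used in the batch file.
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

foreach ($log in $Logs) {
    # Assumed naming pattern: <LogName>_<timestamp>.evt
    $target = Join-Path $BackupDir ('{0}_{1}.evt' -f $log, $stamp)

    # -g exports the local event log to an .evt file.
    # -accepteula keeps the first-run licence prompt from hanging a scheduled task.
    & $PsLogList -accepteula -g $target $log | Out-Null

    # Verify that the export exists and is not empty before trusting it.
    if (-not (Test-Path -LiteralPath $target) -or
        (Get-Item -LiteralPath $target).Length -eq 0) {
        Write-Error "Export of the $log log failed: $target is missing or empty"
        exit 1    # stop before pruning so older good copies are kept
    }
}

# Prune only after every export succeeded.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ChildItem -LiteralPath $BackupDir -Filter '*.evt' -File |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Remove-Item -Force
```

Run it from an elevated scheduled task, since reading some event logs requires administrative rights.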