Domain Controller Zip Security Archiv

Written by Arne Tiedemann on Tuesday August 13, 2019

In some environments it is necessary to enable event log archiving for local event logs. This article describes how to identify the archives and zip them to save storage space.

This script gets all archive files from the event log directory, zips them and then moves the result to a safe place for later analysis.

##################################################################################
# Variables
##################################################################################
# The Event Log service writes archives for the previous day, so the staging
# folder and the zip name carry yesterday's date in ISO form (yyyy-MM-dd).
$ZipDate = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')

# Directory the Event Log service archives local logs into.
$PathLogs = 'C:\Windows\System32\winevt\Logs'
# Per-host staging area; the dated subfolder below it is what gets zipped.
$PathRoot = "C:\Temp\Archive\$($env:COMPUTERNAME)"
$PathTemp = "$PathRoot\$ZipDate"
# Hidden share on the collector; single quotes keep the trailing '$' literal.
$PathDestination = '\\<Server>.<Tld>\eventlogArchiv$'
# One zip per host and day, written straight to the share.
$ZipName = "$PathDestination\${ZipDate}_$($env:COMPUTERNAME).zip"

##################################################################################
# Functions
##################################################################################
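#######################################
# Compress the contents of a folder into a zip file.
# Arguments: $Filename     - path of the zip file to create (must not exist yet)
#            $SourceFolder - folder whose contents are zipped; the folder itself
#                            is not added as a top-level entry
# Throws on failure (missing folder, existing zip, unreachable share); the
# caller decides whether the staged files may then be deleted.
#######################################
function ZipFiles
{
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string] $Filename,

        [Parameter(Mandatory = $true, Position = 1)]
        [string] $SourceFolder
    )

    Add-Type -Assembly System.IO.Compression.FileSystem

    # .NET resolves relative paths against the process working directory, not
    # against the PowerShell location, so resolve both paths here first.
    $pathApi = $ExecutionContext.SessionState.Path
    $zipPath = $pathApi.GetUnresolvedProviderPathFromPSPath($Filename)
    $srcPath = $pathApi.GetUnresolvedProviderPathFromPSPath($SourceFolder)

    $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal
    # Final $false: do not wrap the entries in a folder named after the source.
    [System.IO.Compression.ZipFile]::CreateFromDirectory($srcPath,
        $zipPath, $compressionLevel, $false)
}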

##################################################################################
# Script
##################################################################################
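# Collect the archive files the local Event Log service has written
# (Archive-<Log>-<timestamp>.evtx). -File keeps directories out of the move;
# @() makes .Count reliable for zero or one result.
$Files = @(Get-ChildItem -Path $PathLogs -Filter 'Archive-*' -File)

if ($Files.Count -gt 0) {

    # Staging folder for this host and day. It may already exist from an
    # earlier run whose zip step failed; those files are then retried below.
    if (-not (Test-Path -LiteralPath $PathTemp -ErrorAction SilentlyContinue)) {
        $null = New-Item -Path $PathTemp -ItemType Directory -Force
    }
}

# Move (not copy) each archive into the staging folder. Moving first means a
# failed zip leaves the originals on the local disk instead of losing them.
foreach ($i in $Files) {
    $i.FullName
    Move-Item -LiteralPath $i.FullName -Destination $PathTemp -Force
}

# If the staging folder exists (from this run or a previous one) zip it
if (Test-Path -LiteralPath $PathTemp -ErrorAction SilentlyContinue) {

    # CreateFromDirectory refuses to overwrite, so clear a same-named zip first
    if (Test-Path -LiteralPath $ZipName -ErrorAction SilentlyContinue) {
        Remove-Item -LiteralPath $ZipName -Force
    }

    # Delete the staged logs only once the zip was written without error. A
    # .NET exception from the zip call (for example an unreachable share) lands
    # in the catch block and keeps the staging folder for the next run.
    try {
        ZipFiles -Filename $ZipName -SourceFolder $PathTemp
        Remove-Item -LiteralPath $PathTemp -Force -Recurse
    }
    catch {
        Write-Error -Message ('Zipping {0} to {1} failed: {2}' -f $PathTemp, $ZipName, $_)
    }
}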