
Copy Windows Event Logs to Network Share

I am running an online Kscript to copy event logs to a network shared folder and I don't know why it is not working. I run the CMD script manually (run as different user) and I have no problems. This is the command in the CMD script:

xcopy %SystemRoot%\System32\Winevt\Logs\System.evtx \\172.##.##.##\eventlogs$ /Y /Q

I am running the script with saved credentials in KACE, which is a domain account with access to both the local files and the network share. During testing, I have opened full permissions to everyone so there should be no issue with permissions.

The KACE script logs do not provide any useful information because they basically say it ran successfully. However, it is saying 0 files copied. Not sure why, since when I run it manually (run as the same account KACE is using) the script runs successfully and copies the file.

C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\111>xcopy C:\WINDOWS\System32\Winevt\Logs\System.evtx \\172.##.##.##\eventlogs$ /Y /Q
0 File(s) copied


Answers (3)

Posted by: Nico_K 6 years ago
Red Belt
1
How about the Policy to create the logs and upload them to the KACE? Then you have the logs directly attached to the right machine. (Scripting | Configuration Policies)

Comments:
  • Not an option. We tried to do that and after a few days the K1000 was running out of disk space. We're talking about hundreds of machines that will be uploading the event logs daily. So we had to find another server with enough storage so we can dump the logs in it. Another thing I didn't like about that approach is that it is just a basic dump of the logs and doesn't provide all the information, not to mention how cumbersome those files are to read because of the way they are formatted. So I eventually developed my own PowerShell script to dump a more comprehensive event log history. This resulted in larger TXT files uploaded to the K1000. However, the evtx files are much more compressed so they take up less space, have much more info, and can be opened directly in the MMC, a much better way to review logs in my opinion. So we want to upload evtx files instead of processing a TXT export. - verasme 6 years ago
Posted by: five. 6 years ago
Second Degree Green Belt
1
Three ways I tried to run this:
  1. As logged on user - got access denied
  2. As system user - got "invalid drive specification" 0 files copied
  3. With elevated command prompt - worked as it should

Look at @looshus answer on this answer and see if it works. I have not actually tested it with a kace script.

Posted by: verasme 6 years ago
Senior White Belt
1

Top Answer

I actually found a much better solution to this:



I tried xcopy, copy and even PowerShell's Copy-Item and none of them worked. However, wevtutil does the job perfectly!
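A sketch of the wevtutil approach the top answer refers to, added here as an example and not the poster's own command (which is not shown on the page). The share path `\\fileserver\eventlogs$`, the log list and the file naming are placeholders chosen for illustration.

```powershell
# Added example: export event logs with wevtutil, hash them, copy them to a share.
# $Share and $Logs are placeholders, not values from the original post.
$Share = '\\fileserver\eventlogs$'           # placeholder UNC path
$Logs  = 'System', 'Application', 'Security' # Security needs an elevated context
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Stage = Join-Path $env:TEMP "evtx-$Stamp"   # local staging folder
$Dest  = Join-Path $Share $env:COMPUTERNAME  # one folder per machine

New-Item -ItemType Directory -Path $Stage -Force | Out-Null
$failed = 0

foreach ($log in $Logs) {
    $file = Join-Path $Stage "$($env:COMPUTERNAME)_${log}_$Stamp.evtx"

    # 'epl' (export-log) exports the channel through the Event Log service,
    # rather than copying the in-use .evtx file under Winevt\Logs.
    & wevtutil.exe epl $log $file /ow:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil failed for '$log' (exit code $LASTEXITCODE)"
        $failed++
        continue
    }

    # Store a SHA-256 beside the export so the copy on the share can be verified.
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    Set-Content -Path "$file.sha256" -Value "$hash  $(Split-Path $file -Leaf)"
}

try {
    if (-not (Test-Path $Dest)) {
        New-Item -ItemType Directory -Path $Dest -Force -ErrorAction Stop | Out-Null
    }
    Copy-Item -Path (Join-Path $Stage '*') -Destination $Dest -Force -ErrorAction Stop
}
catch {
    Write-Warning "Copy to $Dest failed: $($_.Exception.Message)"
    $failed++
}
finally {
    Remove-Item -Path $Stage -Recurse -Force -ErrorAction SilentlyContinue
}

# Non-zero exit code so the management tool does not report a partial run as success.
exit $failed
```

Once testing is done, the share should grant the collecting account write access only, not full control to everyone, so that one endpoint cannot read or overwrite another machine's logs.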
 