Blog Post

Powershell: Calculating Seven Day Retention for Security Event Logs

I needed to figure out how much space was required to keep 7 days of entries in the Security event log on my SQL Servers. The calculation is simple: read the configured maximum size of the Security log, find the earliest event still in it, and work out how many hours of coverage that size currently buys you. You then extrapolate to 7 full days (168 hours). It's a simple script and I'm sure it could be more efficient, but it works.

    $computer = "MyComputer"
    $cumulativeSize = 0                      # bytes, summed over every log except Security
    $secSize = 0                             # configured Security log maximum, in MB
    $earliestDate = get-date 12/31/2020      # placeholder; overwritten once the Security log is read

    # One Win32_NTEventlogFile instance per event log on the target machine
    $colLogs = get-wmiobject -class "Win32_NTEventlogFile" -namespace "root\CIMV2" -computername $computer

    foreach ($objLog in $colLogs) {
        if ($objLog.LogFileName -eq "Security")
        {
            $secSize = $objLog.MaxFileSize / (1024 * 1024)
            # get-eventlog returns newest first, so the last record is the oldest one still retained.
            # Note that this pulls the entire Security log across the network.
            $colEvents = get-eventlog -log security -computername $computer
            $objEvent = $colEvents | select-object -Last 1
            $earliestDate = $objEvent.TimeWritten
        }
        else
        {
            $cumulativeSize += $objLog.MaxFileSize
        }
    }

    # Hours of history the current maximum size holds, then scale to 168 hours (7 days)
    $currentDate = get-date
    $hourDifference = ($currentDate - $earliestDate).TotalHours
    $logSize = 168 * $secSize / $hourDifference
    # Never recommend shrinking the log below its present maximum
    if ($logSize -lt $secSize)
    {
        $logSize = $secSize
    }

    write-host "Computer: "$computer
    write-host "Old Security Event Log size: "$secSize
    write-host "Earliest Security Event:"$earliestDate
    write-host "New Security Event Log size: "$logSize
    write-host "Total size of other Logs: ", ($cumulativeSize / (1024 * 1024))
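The sizing rule above assumes the Security log has already wrapped, so that its configured maximum really does correspond to the hours between the oldest event and now; on a server whose log is still filling, dividing MaxFileSize by the covered hours overstates the rate. The following is an added example, not code from the original post, that derives the rate from the bytes actually occupied (the `FileSize` property of `Win32_NTEventlogFile`), handles the case where no rate can be derived, rounds the recommendation up to the 64 KB multiples that `Limit-EventLog` accepts, and reads only the oldest and newest records with `Get-WinEvent -MaxEvents 1` instead of pulling the whole log. The function names and the report layout are my own choices; the host name is a placeholder.

```powershell
# Added example; not part of the original post.
# Assumes: Get-WmiObject and Get-WinEvent can reach the target host and the
# caller has read access to its Security log.

function Get-RequiredLogSize {
    # Returns the Security log maximum (in bytes) needed to hold $RetentionDays
    # of events at the rate observed between $Oldest and $Newest.
    param(
        [Parameter(Mandatory)][long]$BytesUsed,   # bytes currently occupied (Win32_NTEventlogFile.FileSize)
        [Parameter(Mandatory)][long]$MaxBytes,    # configured cap (Win32_NTEventlogFile.MaxFileSize)
        [Parameter(Mandatory)][datetime]$Oldest,  # TimeCreated of the oldest retained event
        [Parameter(Mandatory)][datetime]$Newest,  # TimeCreated of the newest event
        [int]$RetentionDays = 7
    )
    $hours = ($Newest - $Oldest).TotalHours
    if ($hours -le 0) {
        # Fewer than two events, or clock skew: no rate can be derived, keep the current cap.
        return $MaxBytes
    }
    # Bytes actually written per hour. Using FileSize rather than MaxFileSize
    # is correct both for a wrapped log (the two are equal) and for one still filling.
    $bytesPerHour = $BytesUsed / $hours
    $needed = [long][math]::Ceiling($bytesPerHour * 24 * $RetentionDays)
    # Never recommend shrinking below the present maximum, as the original script does.
    if ($needed -lt $MaxBytes) { $needed = $MaxBytes }
    # Limit-EventLog -MaximumSize must be a multiple of 64 KB; round up to the next boundary.
    $block = 64KB
    return [long]([math]::Ceiling($needed / $block) * $block)
}

function Get-SecurityLogRetentionReport {
    # Gathers the inputs for Get-RequiredLogSize from one host and returns a summary object.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$RetentionDays = 7
    )
    $log = Get-WmiObject -Class Win32_NTEventlogFile -Namespace 'root\CIMV2' -ComputerName $ComputerName |
           Where-Object { $_.LogFileName -eq 'Security' }

    # -Oldest with -MaxEvents 1 fetches a single record instead of the entire log.
    $oldest = Get-WinEvent -LogName Security -ComputerName $ComputerName -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName Security -ComputerName $ComputerName -MaxEvents 1

    $needed = Get-RequiredLogSize -BytesUsed $log.FileSize -MaxBytes $log.MaxFileSize `
                                  -Oldest $oldest.TimeCreated -Newest $newest.TimeCreated `
                                  -RetentionDays $RetentionDays

    [pscustomobject]@{
        Computer      = $ComputerName
        CurrentMaxMB  = [math]::Round($log.MaxFileSize / 1MB, 1)
        UsedMB        = [math]::Round($log.FileSize / 1MB, 1)
        OldestEvent   = $oldest.TimeCreated
        HoursCovered  = [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalHours, 1)
        RecommendedMB = [math]::Round($needed / 1MB, 1)
    }
}

# Constructed sample input: a 200 MB log, full, holding 40 hours of events.
Get-RequiredLogSize -BytesUsed 200MB -MaxBytes 200MB -Oldest (Get-Date).AddHours(-40) -Newest (Get-Date)

# Live run against a host (placeholder name):
Get-SecurityLogRetentionReport -ComputerName 'SQL01-PLACEHOLDER' -RetentionDays 7
```

Keeping the arithmetic in its own function makes it easy to feed recorded values from several servers without touching WMI again, and the `HoursCovered` column tells you at a glance whether the recommendation rests on a full week of evidence or on a few hours after a reboot.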
