As a system administrator, it is our responsibility to back up Windows server event logs regularly and to keep the backups stored on an external drive or in cloud storage. We recommend backing up event logs daily and retaining at least one year of backups. Event logs help us troubleshoot systems.
Here is a batch script to back up Windows event logs and store them on the local drive.
Step 1 – Create Backup Directory
Create a backup directory named c:\backup to contain the backups and c:\backup\logs to contain the exported log files. You can use your own directory structure for the backup.
Open a command prompt and run the commands below to create the directory structure.
mkdir c:\backup
mkdir c:\backup\logs
Step 2 – Create Backup Script
Now, create a batch script c:\backup\evt-backup.bat and copy the script below into it. Change BACKUP_PATH if you are using a different location for the backup directory.
rem Script starts here
rem Timestamp Generator
set BACKUP_PATH=c:\backup\logs
rem Parse the date (e.g., Thu 02/28/2013)
rem Note: these substring offsets assume the US short-date format shown above; other regional date formats need different offsets
set cur_yyyy=%date:~10,4%
set cur_mm=%date:~4,2%
set cur_dd=%date:~7,2%
rem Parse the time (e.g., 11:20:56.39)
set cur_hh=%time:~0,2%
rem Pad a single-digit hour (e.g., " 9") with a leading zero
if %cur_hh% lss 10 (set cur_hh=0%time:~1,1%)
set cur_nn=%time:~3,2%
set cur_ss=%time:~6,2%
set cur_ms=%time:~9,2%
rem Set the timestamp format
set timestamp=%cur_yyyy%%cur_mm%%cur_dd%-%cur_hh%%cur_nn%%cur_ss%%cur_ms%
rem Export the System, Application and Security logs (exporting Security requires an elevated prompt)
wevtutil epl System %BACKUP_PATH%\system_%timestamp%.evtx
wevtutil epl Application %BACKUP_PATH%\application_%timestamp%.evtx
wevtutil epl Security %BACKUP_PATH%\security_%timestamp%.evtx
rem End of Script
Step 3 – Execute Script Manually
Let’s execute this script manually to test it. Open a Windows command prompt as Administrator, navigate to the c:\backup directory, and execute the script like below:
evt-backup.bat
Then check whether the event log backup files were created successfully.
Step 4 – Configure Script in Scheduler
Finally, configure this script in Windows Task Scheduler to run it automatically at a regular interval. A daily backup is sufficient for most systems.
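The following is an added example, not the article's own script: it exports the same logs with a locale-independent timestamp (so the %date% substring parsing above is not needed), quotes channel names so names containing spaces or slashes work, and shows how to register the daily task. The channel list, task name and the optional 72-hour filter are assumptions chosen for illustration.

```batch
@echo off
rem Added example (not the article's script). Assumed channel list and task name below.
setlocal
set "BACKUP_PATH=c:\backup\logs"
if not exist "%BACKUP_PATH%" mkdir "%BACKUP_PATH%"

rem Locale-independent timestamp: avoids parsing %date%, whose layout differs by region
for /f %%I in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"') do set "timestamp=%%I"

rem Channels to export; names with spaces or slashes must be quoted (assumed list)
set LOGS="System" "Application" "Security" "Microsoft-Windows-PrintService/Operational"

for %%L in (%LOGS%) do call :export %%L

rem Register once from an elevated prompt so the task runs daily as SYSTEM
rem (SYSTEM can read the Security log, which avoids "Access is denied"):
rem   schtasks /create /tn "EventLogBackup" /tr "c:\backup\evt-backup.bat" /sc daily /st 01:00 /ru SYSTEM /f
endlocal
exit /b 0

:export
set "name=%~1"
rem Build a safe file name: a "/" in a channel name would become a directory separator
set "fname=%name:/=-%"
set "fname=%fname: =_%"
wevtutil epl "%name%" "%BACKUP_PATH%\%fname%_%timestamp%.evtx"
rem Optional: export only the last 72 hours (259200000 ms) with an XPath filter instead:
rem   wevtutil epl "%name%" "%BACKUP_PATH%\%fname%_%timestamp%.evtx" /q:"*[System[TimeCreated[timediff(@SystemTime) <= 259200000]]]"
if errorlevel 1 (echo FAILED: %name%) else (echo OK: %name%)
exit /b
```

Each export reports OK or FAILED on its own line, so a failed Security export (for example, when the script is not elevated) is visible in the scheduled task's output rather than silently skipped.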
Thanks for reading this article. I hope this script will help you take automatic backups of Windows logs.
13 Comments
How do I add an event log that has a space?
example
wevtutil epl Call Messaging %BACKUP_PATH%\call messaging_%timestamp%.evtx
This returns an error message due to the space between "call" and "messaging".
I know this is an old post however, in my WIN 11 install, even when running with elevated cmd, still – Access Denied. Any suggestions? Thanks so very much.
Try to run with administrator privileges.
Hi Team,
This script is working fine for me in Windows Server 2012. In Windows Server 2016 I am getting the application and system event log backups only. Kindly share the script for Windows Server 2016 to back up the security logs too.
Thanks in Advance for the script.
Hi, I am getting an error while running the batch file.
C:\Backup\logs\wevtutil epl Application C:\backup\logs\application_8/01-15052427.evtx
Failed to export log Application. The system cannot find the path specified.
OS : Windows 2008R2 STD
Kindly help me to resolve this issue.
Thanks in advance
Shankar D
Failed to export log Security. Access is denied.
Run the script as administrator; it will work.
Failed to export log Security. Access is denied.
Hi,
Thank you for your script,
I was wondering if I can specify the date, I mean to export the event log from the last 72 hours, for example?
I’d like to suggest that for many situations it might be better to use the clear log feature with backup.
wevtutil cl System /bu:"%BACKUP_PATH%\system_%timestamp%.evtx"
This will create the same backup file as your script, but it will also clear the log so that you are not backing up the same log events the next time.
Hi Rahul,
this is very simple and clean.
In your script, you mentioned 3 event logs, but how can we know which event logs we have to observe among around 400 event types? Can you suggest?
Hi
You can check the name of a log in its log properties and use the Full Name in the script.
Example
wevtutil epl Microsoft-Windows-PrintService/Operational %BACKUP_PATH%\Operational_%timestamp%.evtx
Small but very useful script. Thanks for sharing with us. Keep it up.