If you have trouble with the log being overwritten before you can read it and do not want to increase the size of the log further, you can use a scheduled PowerShell script to create regular exports. The script below creates csv files that can easily be imported to a database for further analysis.
The account running the scheduled task needs to be a local admin on the computer.
####################################################################################################################### # _____ __ ______ ______ __ __ ______ ______ _____ ______ ______ ______ # # /\ __-. /\ \ /\___ \ /\___ \ /\ \_\ \ /\ == \ /\ __ \ /\ __-. /\ ___\ /\ ___\ /\ == \ # # \ \ \/\ \ \ \ \ \/_/ /__ \/_/ /__ \ \____ \ \ \ __< \ \ __ \ \ \ \/\ \ \ \ \__ \ \ \ __\ \ \ __< # # \ \____- \ \_\ /\_____\ /\_____\ \/\_____\ \ \_____\ \ \_\ \_\ \ \____- \ \_____\ \ \_____\ \ \_\ \_\ # # \/____/ \/_/ \/_____/ \/_____/ \/_____/ \/_____/ \/_/\/_/ \/____/ \/_____/ \/_____/ \/_/ /_/ # # # # http://lokna.no # #---------------------------------------------------------------------------------------------------------------------# # -----=== Elevation required ===---- # #---------------------------------------------------------------------------------------------------------------------# # Purpose:Export and store the security event log as csv. # # # #=====================================================================================================================# # Notes: Schedule execution of tihis script every capturehrs hours - script execution time. # # Test the script to determine the execution time, add 2 minutes for good measure. # # # # Scheduled task: powershell.exe -ExecutionPolicy ByPass -File ExportSecurityEvents.ps1 # ####################################################################################################################### #Config $path = "C:\log\security\" # Add Path, end with a backslash $captureHrs = 20 #Capture n hours of data #Execute $now=Get-Date $CaptureTime = (Get-Date -Format "yyyyMMddHHmmss") $CaptureFrom = $now.AddHours(-$captureHrs) $Filename = $path + $CaptureTime + 'Security_log.csv' $log = Get-EventLog -LogName Security -After $CaptureFrom $log|Export-Csv $Filename -NoTypeInformation -Delimiter ";"
