Scripting Question

Copy Windows Event Logs to Network Share

11/30/2017
I am running an online KScript to copy event logs to a network shared folder and I don't know why it is not working. I run the CMD script manually (run as a different user) and I have no problems. This is the command in the CMD script:

xcopy %SystemRoot%\System32\Winevt\Logs\System.evtx \\172.##.##.##\eventlogs$ /Y /Q

I am running the script with saved credentials in KACE, which is a domain account with access to both the local files as well as the network share. During testing, I have opened full permissions to everyone, so there should be no issue with permissions.

The KACE script logs do not provide any useful information because they basically say it ran successfully. However, they say 0 files copied. Not sure why, since when I run it manually (run as the same account KACE is using) the script runs successfully and copies the file.
C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\111>xcopy C:\WINDOWS\System32\Winevt\Logs\System.evtx \\172.##.##.##\eventlogs$ /Y /Q
0 File(s) copied




Answer Chosen by the Author

I actually found a much better solution to this:

I tried xcopy, copy and even Powershell's copy-item and none of them worked. However, wevtutil does the job perfectly!
Answered 12/01/2017 by: verasme
Senior White Belt
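The wevtutil approach the chosen answer refers to, written out as an added PowerShell example (this is not code from the thread or from KACE). wevtutil epl exports a log through the Event Log API, which yields a consistent copy even though the service keeps the live .evtx open; the export is staged locally and then copied to the share, and the script fails early if the share is not reachable from the context the script runs under (SYSTEM reaches a UNC path with the computer account, and a drive letter mapped in an interactive session is not visible to it). The share path, log names and staging folder are placeholders, not values from the post.

```powershell
# Added example, not from the original thread. Placeholders (assumptions):
# $Share, $Logs and $Staging. Run under the KACE saved-credential or SYSTEM
# context; the account must have write access to $Share.
param(
    [string]$Share   = '\\FILESERVER\eventlogs$',
    [string[]]$Logs  = @('System', 'Security', 'Application'),
    [string]$Staging = "$env:ProgramData\EventLogExport"
)

$ErrorActionPreference = 'Stop'
$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# Fail early and loudly if the share cannot be reached from this context,
# instead of reporting "success" with nothing copied.
if (-not (Test-Path -LiteralPath $Share)) {
    Write-Error "Share $Share is not reachable as $env:USERDOMAIN\$env:USERNAME on $computer"
    exit 2
}

# Stage locally first: wevtutil epl writes a consistent export through the
# Event Log API rather than copying the live file the service holds open.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
$dest = Join-Path $Share $computer
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$failed = 0
foreach ($log in $Logs) {
    $file  = "$computer-$log-$stamp.evtx"
    $local = Join-Path $Staging $file

    # /ow:true overwrites a stale staged file of the same name.
    & wevtutil.exe epl $log $local /ow:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil epl $log failed with exit code $LASTEXITCODE"
        $failed++
        continue
    }

    $remote = Join-Path $dest $file
    Copy-Item -LiteralPath $local -Destination $remote

    # Verify the copy landed before discarding the staged export.
    if ((Get-Item -LiteralPath $remote).Length -ne (Get-Item -LiteralPath $local).Length) {
        Write-Warning "Size mismatch for $file; keeping staged copy in $Staging"
        $failed++
        continue
    }
    Remove-Item -LiteralPath $local
}

# Non-zero exit code surfaces partial failures in the KACE script log.
exit $failed
```

The exported files carry the same sensitive content as the live logs (logon events, account names, process command lines), so the `$` suffix on the share name only hides it from browsing and is not access control; the NTFS ACL on the share should let endpoints create files under their own folder without reading other machines' exports.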

All Answers

how about the Policy to create the logs and upload it to the KACE, then you have the logs directly attached to the right machine. (Scripting | Configuration Policies)
Answered 11/30/2017 by: Nico_K
Red Belt

  • Not an option. We tried to do that and after a few days the K1000 was running out of disk space. We're talking about hundreds of machines that will be uploading the event logs daily. So we had to find another server with enough storage so we can dump the logs in it. Another thing I didn't like about that approach is that it is just a basic dump of the logs and doesn't provide all the information, not to mention how cumbersome those files are to read because of the way they are formatted. So I eventually developed my own Powershell script to dump a more comprehensive event log history. This resulted in larger TXT files uploaded to K1000. However, the evtx files are much more compressed so they take up less space and have much more info and can be opened directly in the MMC, a much better way to review logs in my opinion. So we want to upload evtx files instead of processing a TXT export.
Three ways I tried to run this:
  1. As logged on user - got access denied
  2. As system user - got "invalid drive specification" 0 files copied
  3. With elevated command prompt - worked as it should

Look at @looshus's answer and see if it works. I have not actually tested it with a KACE script.

Answered 11/30/2017 by: five.
Second Degree Green Belt
