Jun 15, 2017

EventLog Forwarding and Disk Space Monitoring

Hey all! You all know how to do EventLog forwarding to a centralized server and you're doing it, right? Some GPOs, a centralized server somewhere with lots of disk to store old EventLog files (*.evtx), but how do you make sure that your disk space won't run out?

OK, let's say that you calculated enough disk space to store x months of *.evtx files. It doesn't need to be exactly 90 or 180 days, but it's enough for you to store some 100GB of logs. And you want the logs to roll, so the oldest one will be deleted if free disk space is less than 5 percent. It's accurate enough for now.

You can do this in a one-liner, but readability and maintainability are always nice features in PS scripts too, so here's my quick 'n' dirty solution that I run as a scheduled task.

Cheers, Ari


# Delete the oldest forwarded log once free space on D: is at or below 5 percent
$freePercentageLimit = 5
$diskStat = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='D:'" | select Capacity,FreeSpace,@{Label='FreePercentage';Expression={($_.FreeSpace/$_.Capacity)*100}}
if ($diskStat.FreePercentage -le $freePercentageLimit) {
    # Oldest *.evtx by LastWriteTime goes first
    Get-ChildItem -Path 'D:\Event Log Forwarding' -Filter '*.evtx' | Sort LastWriteTime | select -First 1 | Remove-Item -Force
}
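
The script above removes one file per scheduled run. As an added example (not the original author's code), this variant goes further: it removes as many of the oldest files as needed in a single run, always spares the newest file, and appends every deletion to a text log. The function name, `-MinKeep` and the `prune.log` path are assumptions.

```powershell
# Added example. Function name, -MinKeep and the prune.log path are assumptions, not from the post.
function Get-EvtxToPrune {
    # Selection only, no side effects: returns the oldest files whose removal
    # lifts free space back above the limit, always sparing the newest $MinKeep.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Files,
        [Parameter(Mandatory)] [double] $Capacity,     # volume size in bytes
        [Parameter(Mandatory)] [double] $FreeSpace,    # free bytes right now
        [double] $FreePercentageLimit = 5,
        [int]    $MinKeep = 1
    )
    $targetFree   = $Capacity * $FreePercentageLimit / 100
    $sorted       = @($Files | Sort-Object LastWriteTime)
    $maxDeletable = [Math]::Max(0, $sorted.Count - $MinKeep)
    $picked       = @()
    foreach ($f in $sorted) {
        if ($FreeSpace -gt $targetFree -or $picked.Count -ge $maxDeletable) { break }
        $picked    += $f
        $FreeSpace += $f.Length    # projected free space after this deletion
    }
    $picked
}

$logDir   = 'D:\Event Log Forwarding'
$auditLog = Join-Path $logDir 'prune.log'    # hypothetical audit trail location
$vol      = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='D:'"
$files    = @(Get-ChildItem -Path $logDir -Filter '*.evtx' -File)
$prune    = @(Get-EvtxToPrune -Files $files -Capacity $vol.Capacity -FreeSpace $vol.FreeSpace)

foreach ($f in $prune) {
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        $msg = 'removed {0} ({1} bytes, last written {2:o})' -f $f.Name, $f.Length, $f.LastWriteTime
    } catch {
        $msg = 'FAILED to remove {0}: {1}' -f $f.Name, $_.Exception.Message
    }
    # Record every deletion so a gap in retained logs can be explained later
    Add-Content -Path $auditLog -Value ('{0:o} {1}' -f (Get-Date), $msg)
}
```

Because the selection logic is a separate function, it can be checked against constructed file objects before the scheduled task is allowed to delete anything.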
