The problem: How to automatically remove or prune IIS logs?
The solution:  Microsoft Endpoint Configuration Manager and Compliance Baselines! 

At Synergy Tech we are big fans of Microsoft Endpoint Configuration Manager (SCCM), and our team spends a considerable amount of time deploying and managing many SCCM environments. As an incredibly powerful and flexible platform for distribution of apps/software, operating system deployment, patching and all-around device management, it's the Swiss Army knife of endpoint and device management. So it was the clear go-to for resolving our log issues.

While Internet Information Services (IIS) logs are a helpful way of reviewing and tracking issues in your web application, enabling logging can generate a fair bit of disk utilization over time due to the perpetual nature of log generation & log rollover. There are countless scripts and scheduled tasks available to effectively prune these logs; however, we wanted a way to manage this task dynamically as new IIS servers were added to the environment, with the ability to easily tweak/change settings as required across multiple (sometimes hundreds of) IIS servers. Enter SCCM Compliance Baselines:

Navigate to Assets and Compliance. Right-click Configuration Items and select Create Configuration Item

Provide a name for the CI, then click Next

Select the Windows versions that this CI will apply to, then click Next

Click New to create a new compliance setting

Provide a setting name and set the Setting type to Script and Data Type to String. Click on Add Script to enter the discovery script

Copy and paste the following script. The $LogPath value is the folder that holds the IIS logs. The $LogAge value sets the maximum age, in days, for the log files. The -Recurse option ensures that all subfolders are processed. The output from this script is contained in the $LogCount variable. A device will be marked as compliant if the count is 0 (i.e. no log files are older than 30 days)

# Assumed value: the default IIS log folder. Set this to your servers' log location.
$LogPath = "C:\inetpub\logs\LogFiles"
$Filter = "*.log"
$LogAge = 30
$LogCount = (Get-ChildItem -Path:$LogPath -File -Filter:$Filter -Recurse | Where-Object {($_.LastWriteTime -lt (Get-Date).AddDays(-$LogAge))} | Measure-Object).Count
Write-Output $LogCount

Click OK to save the script

Click Add Script to provide the remediation. This is the script that will run if the $LogCount variable exceeds 0.

Copy and paste the following script. The script will delete those log files with an age greater than the value set by the $LogAge variable. Make sure the $LogPath, $Filter and $LogAge values are set the same across the Discovery and Remediation scripts

# Assumed value: the default IIS log folder. Must match the Discovery script.
$LogPath = "C:\inetpub\logs\LogFiles"
$Filter = "*.log"
$LogAge = 30
Get-ChildItem -Path:$LogPath -File -Filter:$Filter -Recurse | Where-Object {($_.LastWriteTime -lt (Get-Date).AddDays(-$LogAge))} | Remove-Item

Click OK to save the script

Click on the Compliance Rules tab then click New

Provide a rule name and set the compliance rule as shown. Click OK.

Click OK to save the rule

Click Next to move to the next step

Click Next

Review the settings then click Next

The next step is to create a new Configuration Baseline

Provide a name then click Add. Select Configuration Items

Select the new configuration item, then click Add

Click OK once the item has been added to the baseline

Click OK to save the baseline

The next step is to create a new device collection which the baseline will be deployed to. A membership query will be added to this to capture all servers with the IIS Role installed.
Provide the details for the new collection, then click Next

Click Add Rule then select Query Rule

Provide a name for the query, then click Edit Query Statement

Click on Show Query Language

Copy and paste the query into the editor

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_SERVICE
    on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SERVICE.Name = "W3SVC"

Click OK to save the query

Click Next

Review the settings then click Next to create the device collection

Navigate back to the configuration baseline created earlier, right-click it and select Deploy, then Configuration Baseline

Follow the 4 steps to:

Add the CB – Cleanup IIS Logs baseline
Enable Remediate noncompliant rules and Allow remediation outside the maintenance window
Set the schedule
Click OK to deploy
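
Before the baseline is deployed with remediation enabled, the discovery and remediation logic can be exercised against constructed files in a temp folder. The following is an added example, not part of the original post; the Get-AgedLog function and all folder and file names in it are assumptions made for this test.

```powershell
# Added example: exercise the discovery/remediation logic on constructed files.
# Get-AgedLog and all folder/file names below are hypothetical, used only for this test.
$Filter = "*.log"
$LogAge = 30   # must match the value in the Discovery and Remediation scripts

function Get-AgedLog {
    param([string]$LogPath, [string]$Filter, [int]$LogAge)
    # Same selection as both scripts on this page
    Get-ChildItem -Path $LogPath -File -Filter $Filter -Recurse |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$LogAge) }
}

# Constructed sample tree in the temp folder, one subfolder per site
$LogPath = Join-Path ([System.IO.Path]::GetTempPath()) ("iislogtest_" + [guid]::NewGuid())
$samples = @(
    @{ Path = 'W3SVC1\u_ex_old1.log'; AgeDays = 45 },  # older than $LogAge
    @{ Path = 'W3SVC2\u_ex_old2.log'; AgeDays = 31 },  # older than $LogAge, second subfolder
    @{ Path = 'W3SVC1\u_ex_new.log';  AgeDays = 5 },   # newer than $LogAge
    @{ Path = 'W3SVC1\notes.txt';     AgeDays = 90 }   # old, but does not match $Filter
)
foreach ($s in $samples) {
    $full = Join-Path $LogPath $s.Path
    New-Item -ItemType Directory -Path (Split-Path $full -Parent) -Force | Out-Null
    $file = New-Item -ItemType File -Path $full -Force
    $file.LastWriteTime = (Get-Date).AddDays(-$s.AgeDays)
}

$before = @(Get-AgedLog $LogPath $Filter $LogAge).Count      # what discovery would report
Get-AgedLog $LogPath $Filter $LogAge | Remove-Item -WhatIf   # preview, deletes nothing
Get-AgedLog $LogPath $Filter $LogAge | Remove-Item           # what remediation would do
$after = @(Get-AgedLog $LogPath $Filter $LogAge).Count       # discovery after remediation
$kept  = @(Get-ChildItem -Path $LogPath -File -Recurse).Count

Write-Output "Aged logs before: $before, after: $after, files kept: $kept"
if ($before -ne 2 -or $after -ne 0 -or $kept -ne 2) { throw "Selection logic did not behave as expected" }

Remove-Item -Path $LogPath -Recurse -Force   # clean up the constructed tree
```

The -WhatIf pass lists exactly which files the remediation would delete, which is worth reviewing on one real server (pointing $LogPath at a copy of its log folder) if the logs are also needed for incident investigation.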
