I have a client who requires security event logs be kept. They enabled archive log retention on the Security Event Logs, but it kept filling up their C: drive.
To remedy this, I created a PowerShell script that moves these files when they are 7 days old to another location, and then used Task Schedule to automate the process. Here are the steps to do that.
The source folder where these logs are stored: C:\Windows\System32\winevt\Logs
The destination folder where they want the logs moved to: E:\Windows-System32-winevt-Logs
Created a PowerShell script for this process:
get-childitem -Path “c:\windows\system32\winevt\logs” Archive-Security*.evtx | where-object {$_.LastWriteTime -lt (get-date).AddDays(-7)} | move-item -destination “E:\Windows-System32-winevt-Logs” -Verbose
Created a new Task Scheduler task called AutoMove Security Logs Its Actions are set to run PowerShell and execute the following: -ExecutionPolicy Bypass C:\support\AutoMove_SecurityLogs.ps1