
Backup-EventLog

## UPDATED… ADDED an EVT format Script as Well ##

I saw a post on EE that backs up the event logs on servers using VBScript. I wanted to see what I could do with PowerShell, and this is what I came up with. I put this together pretty quickly, so there is not much error checking, but the VBScript was 207 lines long without comments.

Basically it does the following:
– Takes a BackupLocation as a parameter
– Takes a list file or a -FromAD switch
– List gets the computers from a file
– FromAD gets the computers from AD
– Creates a backup folder named <Server>-Logs-<Timestamp>
– Like Server1-Logs-09110750
– Processes each event log and backs it up to a file
– Clears the log
– I put the output of the script on the bottom.
– NOTE: Security logs take a while. I assume this is because I am generating events by reading the log.

Param($BackupLocation,$List,$FromAD)

# Query AD for every computer object and return its DNS host name
function Get-ADComputers {
    $filter = "(&(objectcategory=computer))"
    $root = [ADSI]""
    $props = "dNSHostName","sAMAccountName"
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher($root,$filter,$props)
    $Searcher.PageSize = 1000
    $Computers = $Searcher.FindAll() | %{$_.Properties['dnshostname']}
    $Computers
}

# Returns $true when the host answers a WMI ping (StatusCode 0)
function Ping-Server {
    Param([string]$Server)
    $pingresult = Get-WmiObject Win32_PingStatus -Filter "address='$Server'"
    if($pingresult.StatusCode -eq 0) {$true} else {$false}
}

if($FromAD){$computers = Get-ADComputers}
elseif($List){$computers = Get-Content $List}
else{Write-Host "Please Provide List";return}

foreach($computer in $computers)
{
    # NOTE: 'mm' here is minutes, not month, so the suffix is MMddyy plus minutes (e.g. 09110750)
    $Folder = "{2}\{1}-Logs-{0:MMddyymm}" -f [DateTime]::Now,$computer,$BackupLocation
    Write-Host "+ Processing Server $computer"

    if(Ping-Server $computer)
    {
        New-Item $Folder -ItemType Directory -Force | Out-Null
        Write-Host "  + Created Backup Folder $Folder"
        $eventlogs = [System.Diagnostics.EventLog]::GetEventLogs($computer)
        foreach($log in $eventlogs)
        {
            $LogFile = "{0}\{1}.csv" -f $Folder,$log.Log
            Write-Host "  + Processing $($log.Log) Log"
            Write-Host "    - Backing up $($log.Log)"
            # Export-Csv quotes each field, so commas and line breaks inside Message cannot corrupt the file
            $log.Entries | Select-Object TimeGenerated,EntryType,Source,EventID,Message |
                Export-Csv $LogFile -NoTypeInformation
            Write-Host "    - Backed up to $LogFile"
            # Only clear once the backup file actually exists on disk
            if(Test-Path $LogFile)
            {
                Write-Host "    - Clearing Log $($log.Log)"
                $log.Clear()
            }
            else
            {
                Write-Host "    ! Backup file missing, $($log.Log) NOT cleared" -ForegroundColor red
            }
        }
        Write-Host
    }
    else
    {
        Write-Host "Server $computer failed PING!" -ForegroundColor red
    }
}

For those that prefer EVT format and WMI, here is the same thing using Win32_NTEventLogFile. I left the Clear part commented out.

Param($BackupLocation,$List,$FromAD)

# Query AD for every computer object and return its DNS host name
function Get-ADComputers {
    $filter = "(&(objectcategory=computer))"
    $root = [ADSI]""
    $props = "dNSHostName","sAMAccountName"
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher($root,$filter,$props)
    $Searcher.PageSize = 1000
    $Computers = $Searcher.FindAll() | %{$_.Properties['dnshostname']}
    $Computers
}

# Returns $true when the host answers a WMI ping (StatusCode 0)
function Ping-Server {
    Param([string]$Server)
    $pingresult = Get-WmiObject Win32_PingStatus -Filter "address='$Server'"
    if($pingresult.StatusCode -eq 0) {$true} else {$false}
}

if($FromAD){$computers = Get-ADComputers}
elseif($List){$computers = Get-Content $List}
else{Write-Host "Please Provide List";return}

foreach($computer in $computers)
{
    if(Ping-Server $computer)
    {
        # NOTE: 'mm' here is minutes, not month, so the suffix is MMddyy plus minutes (e.g. 09110750)
        $Folder = "{1}-Logs-{0:MMddyymm}" -f [DateTime]::Now,$computer
        Write-Host "+ Processing Server $computer"
        New-Item "$BackupLocation\$Folder" -ItemType Directory -Force | Out-Null
        # Staging folder on the remote box; the remote Event Log service writes the .evt there
        if(!(Test-Path "\\$computer\c$\LogBackups")){New-Item "\\$computer\c$\LogBackups" -ItemType Directory -Force | Out-Null}
        $EventLogs = Get-WmiObject Win32_NTEventLogFile -ComputerName $computer
        foreach($log in $EventLogs)
        {
            $path = "\\{0}\c$\LogBackups\{1}.evt" -f $computer,$log.LogFileName
            # ReturnValue 0 means the backup succeeded; anything else is a Win32 error code
            $result = ($log.BackupEventLog($path)).ReturnValue
            if($result -eq 0)
            {
                Copy-Item $path -Destination "$BackupLocation\$Folder" -Force
                #$log.ClearEventLog()
            }
            else
            {
                Write-Host "  ! BackupEventLog for $($log.LogFileName) returned $result" -ForegroundColor red
            }
        }
    }
    else
    {
        Write-Host "Server $computer failed PING!" -ForegroundColor red
    }
}

NOTE: Shortly after writing this, I found this little tidbit; it seems to have been around since SP3 of Windows 2000.

Found it Here
http://blogs.msdn.com/spatdsg/default.aspx

AutoBackupLogFiles – backs up the event logs “Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. ”
http://support.microsoft.com/kb/312571
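As an added example (not part of the original post), this snippet reads the per-log settings the KB article talks about and, with -Enable, turns AutoBackupLogFiles on for one classic log. It assumes the Event Log service's registry key HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>, admin rights on the target and the Remote Registry service running there; the server name is a placeholder.

```powershell
# Added example: inspect/enable AutoBackupLogFiles (KB312571) for one classic event log.
Param(
    [string]$ComputerName = "SERVER1",   # placeholder, replace with a real host
    [string]$LogName      = "Security",
    [switch]$Enable
)

# Per-log key of the Event Log service (assumed path, see lead-in)
$keyPath = "SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"

# Open HKLM on the remote machine; the key is opened writable only when -Enable is given
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$key  = $hklm.OpenSubKey($keyPath, [bool]$Enable)
if (-not $key) { $hklm.Close(); throw "Log '$LogName' has no Eventlog service key on $ComputerName" }

$auto      = $key.GetValue('AutoBackupLogFiles', 0)
$retention = $key.GetValue('Retention', 0)
$file      = $key.GetValue('File', '')

# Current state; Retention prints as 0xFFFFFFFF when events are never overwritten
"{0}\{1}: AutoBackupLogFiles={2} Retention=0x{3:X8} File={4}" -f `
    $ComputerName, $LogName, $auto, $retention, $file

if ($Enable) {
    # KB312571: AutoBackupLogFiles only takes effect together with Retention = 0xFFFFFFFF
    # ("Do not overwrite events"), so both values are set as a pair.
    $key.SetValue('Retention', [int]-1, 'DWord')       # -1 as a DWORD is 0xFFFFFFFF
    $key.SetValue('AutoBackupLogFiles', 1, 'DWord')
    "Enabled: a full $LogName log is now archived and cleared by the service instead of being lost"
}

$key.Close()
$hklm.Close()
```

Check the archived copies as part of log collection: a full log that the service archives by itself still leaves a gap in the live log until the archive is picked up.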

5 Responses to “Backup-EventLog”

  1. on 13 Sep 2007 at 5:41 pm Anonymous

    NOTE: Shortly after writing this

  2. on 14 Sep 2007 at 8:39 am Brandon

    Ok.. to clarify “I found” what I meant was Dean told me 🙂

  3. on 21 Jul 2009 at 8:31 am marc carter

    I’ve been running into issues with my x64 servers…

    The problem I’m running into is when trying to create a backup (.evt) of the event log on an x64 server. I’m unable to resolve the path for a log file unless I use the WMI class Win32_NTEventLogFile, which isn’t a terrible thing; unfortunately Win32_NTEventLogFile doesn’t seem to know about the system logs on my x64 servers (example results below), which reside in the WoW64 (not system32) folder.

    [Win32_NTEventLogFile]
    LogfileName
    ———–
    Internet Explorer

    [Get-EventLog]
    Name
    —-
    Application
    Internet Explorer
    Security
    System

    Is there a similar .Net property to LogfileName that I can use when calling BackupEventLog in order to grab the file path of each event log?

    The only properties returned by get-eventlog (that I am aware of) are…
    [Properties]
    Container
    EnableRaisingEvents
    Entries
    Log
    LogDisplayName
    MachineName
    MaximumKilobytes
    MinimumRetentionDays
    OverflowAction
    Site
    Source
    SynchronizingObject

  4. on 21 Jul 2009 at 10:02 am tshell

    on the .NET object Log or LogDisplayname should be the same as LogFileName on Win32_NTEventLogFile

  5. on 23 Jul 2009 at 9:13 am marc carter

    That’s what I thought too, but it doesn’t.

    http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlog_properties.aspx
    EventLog.Log = Gets or sets the name of the log to read from or write to.
    EventLog.LogDisplayName = Gets the event log’s friendly name.
