
Backing Up Event Logs using Powershell

I was recently asked to create a script that would back up certain event logs (Application & Security) to their native .evt format and then clear all events from the corresponding logs once complete. This seemed simple enough, although I didn't recall seeing any parameters in either Get-WinEvent or any of the *-EventLog cmdlets that provided this functionality. Then I remembered that when something can't be done using an object-specific cmdlet, the next option is to explore the Win32_* classes. So I used Get-WMIObject to query possible Win32_* classes that referenced Event Log.

Get-WMIObject Win32_*event* -List

The query produced the following results:

So the question now was which Win32 class to choose. I narrowed it down to the Win32_NTEvent* classes and after some further examination determined that Win32_NTEventLogFile had a method called BackupEventLog. I made this determination by using Get-Member on the class.

Get-WMIObject Win32_NTEventLogFile | Get-Member

This query displayed all Properties and Methods of the Event Logs. I've filtered the results to display only the first few Methods.
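The Get-Member listing shows method names but not their parameters. The following added snippet (not from the original post) reads the same class definition through the [wmiclass] accelerator and prints each method of Win32_NTEventLogFile together with its input parameter names, which is what you need to know before calling a method such as BackupEventLog:

```powershell
# Added example, not the original post's code. Lists every method of
# Win32_NTEventLogFile with the names of its input parameters, taken from the
# class definition rather than from an instance.
$class = [wmiclass]'Win32_NTEventLogFile'

Foreach ($method in $class.Methods) {
    $inParams = $method.InParameters          # $null when the method takes no input
    $names = If ($inParams) {
        ($inParams.Properties | ForEach-Object { $_.Name }) -join ', '
    } Else {
        '(none)'
    }
    '{0}({1})' -f $method.Name, $names
}
```

Run it on any machine with the WMI provider available; no administrator rights are needed just to read the class definition.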

The BackupEventLog method accepts one overload of System.String type, which will be the name of the backup log file, with an .evt extension. The files were going to be backed up daily and then the Event Logs cleared of all events, so I needed to make sure the backup log files had unique names and decided to include the current date in the file name. I also needed a Foreach loop to run the code on several Event Logs in sequence. I included the following parameters to make the function more versatile:

 Param(
      $Computername = $ENV:COMPUTERNAME,
      [array]$EventLogs = @("application","security"),
      $BackupFolder = "C:\BackupEventLogs\"
      )

Logic was also added to create the $BackupFolder if it didn’t exist.

If(!( Test-Path $BackupFolder )) { New-Item $BackupFolder -Type Directory }

I called the function Clear-EventLogs and below is the complete script.

Function Clear-Eventlogs {

 Param(
  $Computername = $ENV:COMPUTERNAME,
  [array]$EventLogs = @("application","security"),
  $BackupFolder = "C:\BackupEventLogs\"
  )

 # Create the backup folder once rather than on every loop iteration
 If(!( Test-Path $BackupFolder )) { New-Item $BackupFolder -Type Directory | Out-Null }

 Foreach ( $i in $EventLogs ) {
  # Build the file name from $BackupFolder instead of a hard-coded path: <log><yyyyMMdd>.evt
  $eventlog = Join-Path $BackupFolder ("$i" + (Get-Date).tostring("yyyyMMdd") + ".evt")
  # BackupEventLog writes the file on the machine that owns the log, i.e. on $Computername
  $result = (get-wmiobject win32_nteventlogfile -ComputerName $computername |
   Where {$_.logfilename -eq "$i"}).backupeventlog($eventlog)

  # Only clear the log when the backup reported success (ReturnValue 0)
  If ($result.ReturnValue -eq 0) {
   Clear-EventLog -LogName $i -ComputerName $Computername
  } Else {
   Write-Warning "Backup of $i on $Computername failed (return code $($result.ReturnValue)); log not cleared"
  }

 }# end Foreach

}#end function

Clear-Eventlogs

The results of running the script are the following log files:
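As an added example that is not part of the original post, the function below follows the same backup-then-clear pattern but treats the clear as a destructive step that must be earned: it checks the WMI return code, opens the archive with Get-WinEvent to prove it is readable, records a SHA-256 hash next to it so later tampering can be detected, and only then clears the live log. It also puts the computer name into the file name (a naming layout chosen for this example) and purges archives older than a retention period. It runs on the local machine only, needs administrator rights to back up and clear the Security log, and uses Get-FileHash, which requires PowerShell 4 or later.

```powershell
# Added example, not the original post's code. Backs up each named log, verifies
# the archive, and clears the live log only when both steps succeed.
Function Backup-EventLogVerified {
    Param(
        [string[]]$EventLogs     = @('Application', 'Security'),
        [string]  $BackupFolder  = 'C:\BackupEventLogs',
        [int]     $RetentionDays = 90,
        [switch]  $ClearAfterBackup
    )

    If (-not (Test-Path $BackupFolder)) {
        New-Item $BackupFolder -ItemType Directory | Out-Null
    }
    $stamp    = (Get-Date).ToString('yyyyMMdd-HHmmss')
    $computer = $env:COMPUTERNAME

    Foreach ($name in $EventLogs) {
        $log = Get-WmiObject Win32_NTEventLogFile -Filter "LogFileName='$name'"
        If (-not $log) {
            Write-Warning "Event log '$name' not found; skipping"
            Continue
        }

        # File name layout chosen for this example: <computer>-<log>-<timestamp>.evt
        $archive = Join-Path $BackupFolder ('{0}-{1}-{2}.evt' -f $computer, $name, $stamp)

        # 1. Back up and check the WMI return code (0 = success)
        $result = $log.BackupEventLog($archive)
        If ($result.ReturnValue -ne 0) {
            Write-Warning "Backup of '$name' failed with code $($result.ReturnValue); log not cleared"
            Continue
        }

        # 2. Prove the archive is readable by opening it and reading one record.
        #    An empty or corrupt file yields nothing, so the log is left untouched.
        $probe = Get-WinEvent -Path $archive -MaxEvents 1 -ErrorAction SilentlyContinue
        If (-not $probe) {
            Write-Warning "Archive '$archive' is empty or unreadable; log not cleared"
            Continue
        }
        # Record a hash beside the archive for later integrity checks
        $hash = (Get-FileHash -Path $archive -Algorithm SHA256).Hash
        "$hash  $(Split-Path $archive -Leaf)" | Out-File -FilePath "$archive.sha256" -Encoding ascii

        # 3. Only now clear the live log, and only if asked to
        If ($ClearAfterBackup) {
            Clear-EventLog -LogName $name
        }

        [pscustomobject]@{
            Log     = $name
            Archive = $archive
            SHA256  = $hash
            Cleared = [bool]$ClearAfterBackup
        }
    }

    # Purge archives (and their hash files) older than the retention period.
    # The pattern matches only files in the layout above, so unrelated files survive.
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ChildItem -Path $BackupFolder -File |
        Where-Object { $_.Name -match '^.+-.+-\d{8}-\d{6}\.evt(\.sha256)?$' -and $_.LastWriteTime -lt $cutoff } |
        Remove-Item
}

# Without -ClearAfterBackup the function only backs up and verifies
Backup-EventLogVerified -ClearAfterBackup
```

The function returns one object per log, so the archive path and hash can be written to a ticket or a central store; keeping that record somewhere other than the host that produced it is what makes the hash useful if the host is later compromised.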

  1. Nigel
    July 11, 2012 at 11:34 am

    useful, thanks saved me a lot of time, I added a command to purge archives after 90 days

    Get-Childitem "C:\BackupEventLogs" -recurse | where{($_.LastWriteTime -lt (get-Date).adddays(-90))} | remove-item

  2. Alex
    October 20, 2012 at 3:23 am

    Hi

    I am new in Powershell. Do I copy the above to a text file and save it as ClearEventLogs.ps file? and then how do I run this?

    Please help

    Thanks
    Alex

    • joeroc
      February 22, 2013 at 11:55 pm

      Alex,

      Yes. You can copy the text and put into a file saved using the .ps extension.

      Joe

  4. Doug
    April 6, 2015 at 6:45 pm

    Hey this is great, how would I add the hostname or computername to the file name?
