Posts Tagged ‘Event Logs’

Backing Up Event Logs using Powershell

January 31, 2012

I was recently asked to create a script that would back up certain event logs (Application & Security) to their native .evt format and then clear all events from the corresponding logs once complete. This seemed simple enough, although I didn’t recall seeing any parameters in either Get-WinEvent or any of the *-EventLog cmdlets that provided this functionality. Then I remembered that when something can’t be done using an object-specific cmdlet, the next option is to explore the Win32_* WMI classes. So I used Get-WMIObject to query for Win32_* classes that referenced Event Log.

Get-WMIObject Win32_*event* -List

The query produced the following results:

So the question now was which Win32 class to use. I narrowed it down to the Win32_NTEvent* classes and after some further examination determined that Win32_NTEventLogFile had a method called BackupEventLog. I was able to make this determination by using Get-Member on the class.

Get-WMIObject Win32_NTEventLogFile | Get-Member

This query displayed all Properties and Methods of the Event Logs. I’ve filtered the results to display only the first few Methods.

The BackupEventLog method accepts a single System.String argument, which is the name of the backup log file with an .evt extension. The files were going to be backed up daily and the Event Logs then cleared of all events, so I needed to make sure the backup log files had unique names and decided to include the current date in the backup file name. I also needed a Foreach loop to run the code on several Event Logs in sequence. I also included the following parameters to make the function more versatile:

 Param(
      $Computername = $ENV:COMPUTERNAME,
      [array]$EventLogs = @("application","security"),
      $BackupFolder = "C:\BackupEventLogs\"
      )

Logic was also added to create the $BackupFolder if it didn’t exist.

If(!( Test-Path $BackupFolder )) { New-Item $BackupFolder -Type Directory }

I called the function Clear-EventLogs and below is the complete script.

Function Clear-Eventlogs {

 Param(
  $Computername = $ENV:COMPUTERNAME,
  [array]$EventLogs = @("application","security"),
  $BackupFolder = "C:\BackupEventLogs\"
  )

 # Create the backup folder once, before looping over the logs
 If(!( Test-Path $BackupFolder )) { New-Item $BackupFolder -Type Directory }

 Foreach ( $i in $EventLogs ) {
  # Unique file name per day: <log><yyyyMMdd>.evt inside $BackupFolder
  $eventlog = Join-Path $BackupFolder ("$i" + (Get-Date).tostring("yyyyMMdd") + ".evt")

  $log = get-wmiobject win32_nteventlogfile -ComputerName $computername |
   Where {$_.logfilename -eq "$i"}
  If (!$log) { Write-Warning "Event log $i not found on $computername"; Continue }

  # BackupEventLog writes the .evt file on $computername; ReturnValue 0 means success
  $result = $log.backupeventlog($eventlog)

  # Clear only after a successful backup so no events are lost
  If ($result.ReturnValue -eq 0) {
   Clear-EventLog -LogName $i -ComputerName $computername
  } Else {
   Write-Warning "Backup of $i failed (ReturnValue $($result.ReturnValue)); log not cleared"
  }

 }# end Foreach

}#end function

Clear-Eventlogs

The results of running the script are the following log files:
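As an added check that is not part of the original post: before a log is cleared, read the saved .evt back with Get-WinEvent -Path and compare its record count with the live log, so a truncated or unreadable backup is caught while the events still exist. It assumes the script runs on the machine being backed up and follows the file naming convention of the script above; Test-EventLogBackup is a name chosen here.

```powershell
# Added example, not from the original post. Assumes the backup file was
# written on this machine using the <log><yyyyMMdd>.evt naming above.
Function Test-EventLogBackup {
 Param(
  [Parameter(Mandatory=$true)][string]$LogName,
  [Parameter(Mandatory=$true)][string]$BackupFile
  )

 If (!(Test-Path $BackupFile)) {
  Write-Warning "Backup file $BackupFile not found"
  return $false
 }

 # Number of records currently in the live log
 $live = (Get-WinEvent -ListLog $LogName).RecordCount

 # Get-WinEvent reads a saved .evt/.evtx directly with -Path;
 # it errors instead of returning nothing when the file holds no events
 $saved = @(Get-WinEvent -Path $BackupFile -ErrorAction SilentlyContinue).Count

 # Events may arrive between backup and check, so the live count can only
 # be equal to or larger than the saved one; zero or larger means trouble
 If ($saved -eq 0 -or $saved -gt $live) {
  Write-Warning "$LogName backup holds $saved records, live log has $live"
  return $false
 }
 return $true
}

# Clear only when the backup checks out. Clearing the Security log itself
# records Event ID 1102 (audit log cleared) as the first new entry, which
# shows who cleared it and when.
$file = Join-Path "C:\BackupEventLogs" ("security" + (Get-Date).ToString("yyyyMMdd") + ".evt")
If (Test-EventLogBackup -LogName "Security" -BackupFile $file) {
 Clear-EventLog -LogName "Security"
 Get-WinEvent -FilterHashtable @{LogName="Security"; Id=1102} -MaxEvents 1 |
  Select TimeCreated, Id, Message
}
```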


Powershell Objects and .PS1XML Files

January 9, 2012

Anyone who uses powershell on a regular basis knows that the output of any powershell cmdlet is an object. Powershell produces objects. For example, let’s look at the objects produced by two cmdlets that essentially do the same thing: Get-Eventlog and Get-WinEvent. The example below uses the GetType() method to display the object type for an event log.

(Get-Eventlog -List | Select -First 1).Gettype() | FT -auto
(Get-WinEvent -Listlog Application).Gettype() | FT -auto

They produce different objects, EventLog and EventLogConfiguration. The display of these objects is controlled by a powershell formatting file (.ps1xml) which defines the properties they will show.

The example below shows the output as it pertains to Get-Eventlog and Get-Winevent.

(Get-Eventlog -List | Select -First 1)
(Get-WinEvent -Listlog Application)

Although they both reference the same event log (Application), they are configured to display different properties, even though some of them reference the same values, like Log and LogName or Entries and RecordCount.

I was then curious which formatting files were associated with each object type, so I decided to see which .ps1xml files existed and ran the following command to browse the $pshome directory and filter for only *.ps1xml files.

dir $pshome\* -include *.ps1xml

My next step was to parse these files using Select-String for references to the object types (EventLog and EventLogConfiguration), but I decided that the process should be automated and created a function that builds a custom object with the properties of my choosing. This would also be useful to demo for the workshop I’m putting together called “Using Powershell to View Events and Event Logs” (not sure about the title, so it may change shortly).

Anyway, the result of all this was the creation of the Get-EventLogBaseObjects function.

Function Get-EventLogBaseObjects {
 $Array = "Get-EventLog","Get-WinEvent"
 $global:newarray = @()

 # Switch runs each matching block once per item in $Array
 Switch ($Array) {

  "Get-Eventlog" {
   $GetEventLog = (get-eventlog -list | Select -first 1).gettype()
   # -SimpleMatch searches for the literal type name instead of treating it as a regex
   $XMLFile = Select-String -Path $PSHOME\*.ps1xml -Pattern $GetEventLog.FullName -SimpleMatch |
       Select -First 1
   $Obj = New-Object PSObject -Property @{
       Cmdlet = "Get-Eventlog"
       SystemType = $GetEventLog.UnderlyingSystemType
       XMLFile = $XMLFile.filename
       }
   $global:newarray += $obj
   }

  "Get-WinEvent" {
   $GetWinEvent = (Get-WinEvent -Listlog Application).gettype()
   $XMLFile = Select-String -Path $PSHOME\*.ps1xml -Pattern $GetWinEvent.FullName -SimpleMatch |
       Select -First 1
   $Obj = New-Object PSObject -Property @{
       Cmdlet = "Get-WinEvent"
       SystemType = $GetWinEvent.UnderlyingSystemType
       XMLFile = $XMLFile.filename
       }
   $global:newarray += $obj
   }
 }

 # Property names in Select must match the ones set above, or the column comes out empty
 write-output $global:NewArray | Select Cmdlet,SystemType,XMLFile |
     Format-Table -AutoSize
}

Get-EventLogBaseObjects
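An added example (not from the original post) that goes one step further than finding the file: it parses the .ps1xml view that applies to a type and lists the column labels and the properties or script blocks behind them, which is exactly why Get-EventLog -List shows Log and Entries instead of raw property names. Get-TypeViewColumns is a name chosen here, and it assumes the Configuration/ViewDefinitions/View layout used by the table views in the $PSHOME formatting files.

```powershell
# Added example, not from the original post. Assumes the standard
# Configuration/ViewDefinitions/View layout of $PSHOME\*.ps1xml files.
Function Get-TypeViewColumns {
 Param(
  [Parameter(Mandatory=$true)][string]$TypeName,
  [string]$Path = "$PSHOME\*.ps1xml"
  )

 Foreach ($file in (Get-ChildItem $Path)) {
  [xml]$xml = Get-Content $file.FullName

  # Each <View> names the types it applies to under <ViewSelectedBy>
  Foreach ($view in $xml.Configuration.ViewDefinitions.View) {
   If ($view.ViewSelectedBy.TypeName -contains $TypeName) {

    # Only table views have column headers; list views are skipped here
    If (!$view.TableControl) { Continue }

    # Column label comes from <Label>; the value from <PropertyName>
    # or, for computed columns such as Entries, from a <ScriptBlock>
    $labels = $view.TableControl.TableHeaders.TableColumnHeader |
     ForEach-Object { If ($_.Label) { $_.Label } Else { "(unlabeled)" } }
    $values = $view.TableControl.TableRowEntries.TableRowEntry.TableColumnItems.TableColumnItem |
     ForEach-Object { If ($_.PropertyName) { $_.PropertyName } Else { "{" + $_.ScriptBlock + "}" } }

    # $view["Name"] reads the child <Name> element rather than the XML tag name
    New-Object PSObject -Property @{
     File = $file.Name
     View = $view["Name"].InnerText
     TypeName = $TypeName
     Columns = (@($labels) -join ", ")
     Values = (@($values) -join ", ")
     }
   }
  }
 }
}

Get-TypeViewColumns -TypeName "System.Diagnostics.EventLog" | Format-List
```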