Looking for a script that would list/export event log info into an Excel file.

  • Tuesday, August 07, 2012 2:48 PM
     
     

    Hello,

    How is everybody?

    I'm running a script that archives each server's .evt (sec/app/sys) to a dedicated location on a dedicated server.  Now, I would like to create a script that would export an archived .evt (example: Security - 08-06-2012-0848AM.evt) and list its entries in a CSV file.

    I'm not sure where to start from here and wanted to see if anyone could help.  CMD or PowerShell are the only options I would have.  Thx

All Replies

  • Tuesday, August 07, 2012 2:54 PM
     
     Answered

    Fantastic script provided by jrv on this post:

    http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/d66c1bd7-0e61-4839-a5f6-cbe29661dccb


    Chris Please remember to mark correct answers and helpful post.


  • Tuesday, August 07, 2012 3:36 PM
     
     

    That's a nice script but wouldn't work for me.  This particular script pulls the event logs via Get-WmiObject and I already have this done with another script.  The reason why I use this specific script of mine is because it's the only way to capture the SECURITY log.

    Now I don't want to combine scripts and am looking for a separate script that could just grab a *.evt file from a specific location and import the data into a CSV file.

  • Tuesday, August 07, 2012 3:53 PM
     
     

    If you scroll down a little on the thread he has an updated query that also includes the SECURITY log.

    Edit: If you must use your current script, post the script you are already using and I can help you modify it so that it exports in CSV format so they can be more easily combined.


    Please remember to mark correct answers and helpful post.


  • Tuesday, August 07, 2012 3:59 PM
     
     

    Below is the script I'm using and I'm trying to figure out how to export to a csv file when I would run it...  What do you think.. Thanks

    # Disabledomaincreds to 0
    $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    Set-ItemProperty -Path $RegKey -Name disabledomaincreds -Value 0

    # Variables
    $Date = Get-Date -Format ddMMyyyy
    $LocalArchiveLocation2008 = "C:\Windows\System32\winevt\Logs"
    $LocalArchiveLocation2003 = "C:\Windows\System32\config\EventLogs"
    "$ENV:COMPUTERNAME" | %{
      $Computer = $_
      Get-WMIObject Win32_NTEventLogFile -ComputerName $Computer -Filter "LogfileName='Application' OR LogfileName='Security' OR LogfileName='System'" | %{
        # BackupEventLog/ClearEventLog need the backup/security privileges enabled on the WMI connection
        $_.PSBase.Scope.Options.EnablePrivileges = $True

        # Event Log Push Location
        $Location = "\\ServerName\Logs\$Computer"
        if (!(Test-Path $Location)) {
          md $Location
        }

        # System Created Log Archive Push Location
        $LocationArchive = "\\ServerName\Logs\$Computer\Archive"
        if (!(Test-Path $LocationArchive)) {
          md $LocationArchive
        }

        # Save it
        $_.BackupEventLog("\\ServerName\Logs\$Computer\$($_.LogFileName) - $(Get-Date -f MM-dd-yyyy-hhmmtt).evt")

        # Move files with names containing the word Archive, 2008
        Get-ChildItem $LocalArchiveLocation2008 *Archive* | Move-Item -Destination $LocationArchive

        # Move files with names containing the word Archive, 2003
        Get-ChildItem $LocalArchiveLocation2003 *Archive* | Move-Item -Destination $LocationArchive

        # Clear it
        $_.ClearEventLog()
      }
    }

    # Disabledomaincreds back to 1
    $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    Set-ItemProperty -Path $RegKey -Name disabledomaincreds -Value 1

  • Tuesday, August 07, 2012 4:28 PM
     
     

    Get-WMIObject Win32_NTEventLogFile -Computername $Computer -Filter "LogfileName='Application' OR LogfileName='Security' OR LogfileName='System'" -EnableAll

    The method you are using won't work.


    ¯\_(ツ)_/¯

  • Tuesday, August 07, 2012 4:32 PM
     
     

    You do NOT want to alter the LSA key. Why are you doing that?  It can only cause you trouble and will not help you to query the event logs.

    Please look closely at the thread that was referenced above.  It has a complete explanation of how to do the CSV export.  Choose the filter and properties and you are set.  The script you have posted here will probably not do what you need ever without some serious repair.

    In the "Repository" there are a dozen or more scripts that archive the event logs in various ways.

    The code you posted will wipe out all of your event logs.  We NEVER clear event logs.  Archive by day, week or month to a CSV.

    In WS2008 and later we can do extractions to EVT format.  You can also set the logs to auto-archive on a schedule.

    Most of what you are doing has been changed since WS2003.  The old methods are no longer needed or useful.


    ¯\_(ツ)_/¯


  • Tuesday, August 07, 2012 4:54 PM
     
     

    The script as listed above works in our environment.  We are required to push a copy of the event logs to a dedicated location and then clear out the logs on the server.  We have several policies that we can't modify and that particular script does it all.  It backs up the three event logs to a dedicated location in a folder named after the server.  If there is no folder with the server name, then it will first create one.  After the archiving process, the local logs will be cleared.  Once cleared, it will look to see if any system-generated event archives are in place; if yes, then it will push those to the dedicated path too before clearing them out.

    So, on the dedicated event archive server, every time the script runs, it names the *.evt with a specific naming and time/date stamp.

    I was looking for a script that would pull the information out of these event logs and list them in a CSV file.

  • Tuesday, August 07, 2012 4:55 PM
     
     
    The LSA key is because we have a policy that is kind of tricky.  But this is a copy of the script and I really don't need the LSA part anymore.
  • Tuesday, August 07, 2012 5:10 PM
     
     

    That script has some serious errors in it.  I don't think it really works.

    The script posted on the link will extract to a CSV from any EVT source.  Just specify the file name.


    ¯\_(ツ)_/¯

  • Tuesday, August 07, 2012 5:11 PM
     
     
    The LSA key is because we have a policy that is kind of tricky.  But this is a copy of the script and I really don't need the LSA part anymore.

    Changing that key will do nothing unless you restart the computer.


    ¯\_(ツ)_/¯

  • Wednesday, August 08, 2012 1:51 PM
     
     
    I found a way to write a snippet that would export the evt file to a csv file.  I've modified my script and tried it out and it works fine.  The code is a universal one that does specific actions on 2003 and 2008 servers.  Thanks for your input ...
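The export the original question asks for (read an archived .evt from the archive share, list its entries in a CSV), as an added example that is neither the script posted in this thread nor the one jrv linked. It relies on Get-WinEvent, which exists in PowerShell 2.0 on Windows Server 2008 / Vista and later and can open .evt, .evtx and .etl files, so it is meant to run on the archive server rather than on a WS2003 box. The share path, file names, output folder and the optional event-ID filter are assumptions, not values from the thread.

```powershell
# Added example (not the thread's script): export one or more archived .evt/.evtx
# files to CSV with Get-WinEvent (Windows Server 2008 / Vista or later).
# The archive share and file names used below are placeholders, not from the thread.

function Export-ArchivedEventLog {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,          # one .evt/.evtx file, or a folder containing them
        [string]$OutputFolder,  # where the .csv files go; defaults to next to each source file
        [int[]]$EventId         # optional: keep only these IDs (e.g. 4624/4625 logon events on WS2008+)
    )

    # Accept either a single file or a whole archive folder (e.g. \\ServerName\Logs\SERVER01)
    $files = if (Test-Path -LiteralPath $Path -PathType Container) {
        Get-ChildItem -LiteralPath $Path | Where-Object { $_.Extension -match '^\.evtx?$' }
    } else {
        Get-Item -LiteralPath $Path
    }

    foreach ($file in $files) {
        $csvDir = if ($OutputFolder) { $OutputFolder } else { $file.DirectoryName }
        if (-not (Test-Path -LiteralPath $csvDir)) {
            New-Item -ItemType Directory -Path $csvDir | Out-Null
        }
        $csvPath = Join-Path $csvDir ($file.BaseName + '.csv')

        # -Oldest is mandatory when reading .evt (and .etl) files; events come back oldest-first.
        # Get-WinEvent throws when the file holds no events, which we treat as an empty export.
        try {
            $events = @(Get-WinEvent -Path $file.FullName -Oldest -ErrorAction Stop)
        } catch {
            if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
        }

        if ($EventId) {
            $events = @($events | Where-Object { $EventId -contains $_.Id })
        }

        if ($events.Count -gt 0) {
            # Message text is rendered from the provider's message DLLs on the machine doing
            # the reading; for a log archived from another server it can come back empty, so
            # the raw event XML (which carries the EventData fields) is exported as well.
            $events |
                Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName,
                    @{ Name = 'UserSid'; Expression = { if ($_.UserId) { $_.UserId.Value } } },
                    @{ Name = 'Message'; Expression = { if ($_.Message) { ($_.Message -replace '\s+', ' ').Trim() } } },
                    @{ Name = 'Xml';     Expression = { $_.ToXml() } } |
                Export-Csv -LiteralPath $csvPath -NoTypeInformation -Encoding UTF8
        }

        # One summary object per source file so a calling script can log what was exported
        New-Object PSObject -Property @{
            Source = $file.FullName
            Csv    = $csvPath
            Events = $events.Count
        }
    }
}

# Usage (paths are placeholders, not from the thread):
# Export-ArchivedEventLog -Path '\\ServerName\Logs\SERVER01\Security - 08-06-2012-0848AM.evt'
# Export-ArchivedEventLog -Path '\\ServerName\Logs\SERVER01' -OutputFolder 'D:\csv' -EventId 4624,4625
```

Because the archived files are never modified or cleared here, this can be scheduled on the archive server independently of whatever produced the .evt files, and the per-file summary objects give a simple check that every archived log actually produced a CSV.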