Help with Powershell script to gather eventlogs from all Domain Controllers

  • Question

  • I am trying to write a script to grab the last 5 days of application, security and system logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computer variable has all of my DCs so it is querying fine. I assume it is an issue with my ForEach-Object line but it doesn't error out. See the script below.

    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *

    ForEach-Object -InputObject $Computers  -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}

    Invoke-Expression $env:TEMP\Applicationlog.htm

    Thanks,

    Rich

    Friday, August 15, 2014 8:59 PM

Answers

  • Also, you're missing the -ComputerName parameter in the Get-EventLog Cmdlet. 

    I would re-write the loop part of the script like this:

    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
    
    foreach ($Computer in $computers) {
        Get-EventLog -ComputerName $Computer -LogName $log -After $then -Before $now -EntryType Error |
            select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File .\Applicationlog.htm -append
    }
    
    Invoke-Expression .\Applicationlog.htm


    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

    Friday, August 15, 2014 9:31 PM
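
An added example (not code from the thread) that extends the answer's loop to all three logs the question asks for and writes a single HTML document instead of appending one per DC. It filters the Security log on FailureAudit because that log holds audit entries rather than Error entries. The output file name is made up, and the script assumes the ActiveDirectory module and rights to read each DC's logs remotely.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$now  = Get-Date
$then = $now.AddDays(-5)

# -EntryType must match the log: the Security log contains
# SuccessAudit/FailureAudit entries, so 'Error' would match nothing there.
$logs = @{
    Application = 'Error'
    System      = 'Error'
    Security    = 'FailureAudit'
}

$report = Join-Path $env:TEMP 'DC-EventLogs.htm'   # hypothetical output path

$entries = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($log in $logs.Keys) {
        $params = @{
            ComputerName = $dc.HostName      # query the DC, not the local host
            LogName      = $log
            After        = $then
            Before       = $now
            EntryType    = $logs[$log]
            ErrorAction  = 'Stop'
        }
        try {
            Get-EventLog @params |
                Select-Object @{n='Log';e={$log}}, MachineName, TimeGenerated,
                              EventID, Source, Message
        }
        catch {
            # Unreachable DC, access denied, or no matching entries:
            # keep a row in the report so a missing DC is visible.
            [pscustomobject]@{
                Log = $log; MachineName = $dc.HostName; TimeGenerated = $now
                EventID = $null; Source = 'collector'
                Message = "Not collected: $($_.Exception.Message)"
            }
        }
    }
}

# Convert once, after the loops, so the file is one well-formed HTML page.
$entries | Sort-Object MachineName, Log, TimeGenerated |
    ConvertTo-Html -Title 'DC event logs, last 5 days' |
    Out-File -FilePath $report -Encoding utf8

Invoke-Item $report   # open with the default handler; the path is not evaluated as a command
```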

All replies

  • You need to add the -append switch at the end of the Out-File cmdlet at the end of your pipeline statement.

    Currently, you're over-writing the applicationlog.htm file over and over.


    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

    Friday, August 15, 2014 9:23 PM
  • Thanks. That worked!
    Friday, August 15, 2014 9:52 PM
  • Learning how to easily deal with dates will make your life much better:

    $today=[datetime]::Today
    $then=$today.AddDays(-5)


    ¯\_(ツ)_/¯

    Friday, August 15, 2014 10:37 PM
  • jrv, I'm in South Jersey, do you attend any Posh user group meetings or anything like that? I'd like to meet you sometime..

    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

    Friday, August 15, 2014 11:00 PM