Archive previous Windows System logs (event viewer)

  • Question

  • Hi,

    We have over 500 servers and I want to export all the servers' previous day's System event logs to the following location. I'm using the VB script below to copy the logs of one server successfully. However, I want a similar script to export the previous day's logs for all my 500 servers. Is there any way this can be achieved using PowerShell? Can anyone help me with this?

    We have over 500 servers and I want to export all the servers' security logs

    1. Every month, create one folder --> e.g. Dec14
    2. Copy all the previous day's System events and export them to a UNC path --> e.g. \\NASstorage$\SYS Logs\Server1-14-12-14

    PS: once the copy has succeeded, I don't want to clear them

    Below is my VB script:
    ------------------------------
    Dim DestServer
    ' Put in the UNC path for where you want the logs to be stored
    DestServer = "\\NASstorage$\SYS Logs\"

    'Create the Time variables
    'sDate=Right("0" & Day(Date),2) _
    '& "-" & Right("0" & Month(Date),2) _
    '& "-" & Right(Year(Date),2)

    sDate= Right("0" & Month(Date),2) _
    & "-" & Right(Year(Date),2)

    sTime = DatePart("h", Now) & DatePart("n", Now)

    set oFSO = CreateObject("Scripting.FileSystemObject")


    'If correct folder doesn't exist, make it
    if Not oFSO.FolderExists(DestServer & sDate) then
       set oFolder = oFSO.CreateFolder(DestServer & sDate )
    end if

    'Gets the log files for this machine
    strComputer = "."

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
            & strComputer & "\root\cimv2")

    Set colLogFiles = objWMIService.ExecQuery _
        ("Select * from Win32_NTEventLogFile where LogFileName='System'")


    'This section goes out and gets the hostname this is run on for us.

    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

    Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)

    For Each objItem in colItems
      strHOSTNAME = objItem.Name
    NEXT

    sDate1=Right("0" & Day(Date),2) _
    & "-" & Right("0" & Month(Date),2) _
    & "-" & Right(Year(Date),2)

    'Now archive the logs (BackupEventLog saves a copy and does not clear them)
    if oFSO.FolderExists(DestServer & sDate) then
      For Each objLogfile in colLogFiles
        strBackupLog = objLogFile.BackupEventLog _
            (DestServer & sDate & "\"  & strHOSTNAME & "_" & objLogFile.LogFileName & "_" & sDate1 & ".evt")
      Next
    end if

    Monday, December 15, 2014 3:02 PM

Answers

  • Hi JRV,

    Thanks for your response. As you can see, I'm also looking for PowerShell.

    Is there any way this can be achieved using PowerShell? Can anyone help me with this?


    Look in the repository for numerous scripts that archive event logs.   I recommend researching how event logs are designed and the various methods for archiving.

    ¯\_(ツ)_/¯

    • Proposed as answer by AnnaWY Sunday, December 28, 2014 4:09 AM
    • Marked as answer by AnnaWY Monday, December 29, 2014 6:38 AM
    Friday, December 19, 2014 5:09 AM
  • Hi Bill,

    In addition, to archive the event logs in PowerShell, the script below is for your reference. It queries the Security event logs on the listed computers for the last 7 days. Please note that admin permission is needed to access the computers remotely:

    # Computers to query
    $comps = "comp1","comp2"
    # Midnight at the start of today
    $d = (Get-Date).Date

    foreach ($c in $comps) {
        # Security events from the last 7 days on each computer
        Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=($d.AddDays(-7))} -ComputerName $c
    }

    To export the result, please refer to the cmdlet Export-Csv; to copy a folder via PowerShell, please refer to the cmdlet Copy-Item.

    To Use PowerShell Cmdlet to Filter Event Log for Easy Parsing, please refer to this article:

    http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing.aspx

    If there is anything else regarding this issue, please feel free to post back.

    Best Regards,

    Anna Wang


    • Proposed as answer by AnnaWY Sunday, December 28, 2014 4:09 AM
    • Marked as answer by AnnaWY Monday, December 29, 2014 6:38 AM
    Tuesday, December 23, 2014 10:39 AM
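
An added example (not part of the original thread and not any poster's code) that combines the Get-WinEvent query above with the layout the question asks for: one folder per month, one export per server for the previous day, and no clearing of the source logs. The server list path `C:\Scripts\servers.txt`, the CSV column selection and the `SHA256SUMS.txt` integrity manifest are assumptions; `Get-FileHash` needs PowerShell 4.0 or later.

```powershell
# Assumption: one server name per line in this file (hypothetical path).
$ServerList = 'C:\Scripts\servers.txt'
# UNC destination taken from the question.
$DestRoot   = '\\NASstorage$\SYS Logs'

# Previous calendar day: from yesterday 00:00 to today 00:00.
$end   = (Get-Date).Date
$start = $end.AddDays(-1)

# One folder per month, named like Dec14.
$monthDir = Join-Path $DestRoot $start.ToString('MMMyy')
if (-not (Test-Path -LiteralPath $monthDir)) {
    New-Item -ItemType Directory -Path $monthDir | Out-Null
}

$filter   = @{ LogName = 'System'; StartTime = $start; EndTime = $end }
$manifest = Join-Path $monthDir 'SHA256SUMS.txt'   # assumed manifest name
$failed   = @()

foreach ($server in Get-Content -LiteralPath $ServerList) {
    $server = $server.Trim()
    if (-not $server) { continue }

    # File name follows the question's pattern: Server1-14-12-14 (dd-MM-yy of the events).
    $outFile = Join-Path $monthDir ('{0}-{1:dd-MM-yy}.csv' -f $server, $start)
    try {
        # Read-only query; nothing is cleared on the source server.
        $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
        $events |
            Select-Object TimeCreated, MachineName, Id, LevelDisplayName, ProviderName, Message |
            Export-Csv -LiteralPath $outFile -NoTypeInformation -Encoding UTF8

        # Record a hash so later changes to the archived copy can be detected.
        $hash = (Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash
        Add-Content -LiteralPath $manifest -Value ('{0}  {1}' -f $hash, (Split-Path $outFile -Leaf))
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Verbose "$server : no System events for $($start.ToString('dd-MM-yy'))"
        } else {
            # Unreachable host, access denied, RPC blocked, and so on.
            $failed += '{0}: {1}' -f $server, $_.Exception.Message
        }
    }
}

# A server that silently stops producing archives is itself worth investigating.
if ($failed) { $failed | ForEach-Object { Write-Warning $_ } }
```

The account running this needs permission to read the remote System log and write access to the share; keeping the share append-only for that account protects the archive from later modification.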

All replies

  • I highly recommend that you use PowerShell for this.  A PowerShell workflow can successfully do this very quickly.  VBScript will take hours to do this if the servers are busy.

    The script you posted does not export the event log.  It does a complete backup.  It will take forever on large servers for 500 servers.

    Use Get-WinEvent if all of your servers are WS2008 or later.


    ¯\_(ツ)_/¯

    Monday, December 15, 2014 3:33 PM
  • Hi JRV,

    Thanks for your response. As you can see, I'm also looking for PowerShell.

    Is there any way this can be achieved using PowerShell? Can anyone help me with this?

    Friday, December 19, 2014 5:04 AM