Getting Event Logs with wevtutil.exe
A long time ago, I wrote a painful way to export event logs (to CSV) on Server 2003, which lacks wevtutil.exe. Well, here’s the flip side of the coin.
Also, I wrote a simple wrapper to list the top-level (classic) event log names — the ones Get-EventLog enumerates, which does not include the newer ETW channels such as Microsoft-Windows-*/Operational, even though wevtutil.exe can export those too. It's really just Get-EventLog –ComputerName $ComputerName –List | Select-Object MachineName, Log. Still, that's a lot to type (and to remember), and I'm hoping that Get-EventLogName is easier:
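function Export-EventLog
{
    <#
    .SYNOPSIS
    Exports event logs from one or more computers with wevtutil.exe and copies the .evtx files locally.

    .DESCRIPTION
    For each computer/log pair, runs "wevtutil.exe epl <log> <file> /ow:True /r:<computer>" so the
    remote Event Log service writes the export to C:\Windows\Temp on that host, then copies the
    file over the C$ administrative share into $Path and emits the local path.

    Requires administrative rights on each target (the C$ share) plus RPC and SMB reachability.
    Unless -KeepRemoteCopy is given, the export is deleted from the target's temp directory once
    it has been copied, so a copy of the log is not left behind on the remote machine.

    .PARAMETER ComputerName
    Computers to export from. Defaults to the local machine.

    .PARAMETER LogName
    Log names to export. Defaults to System and Application. Channel names containing a
    path separator (e.g. Microsoft-Windows-PowerShell/Operational) are accepted; characters
    that are not valid in a file name are replaced with '-' when building the .evtx name.

    .PARAMETER Path
    Local directory that receives the .evtx files. Created if it does not exist.

    .PARAMETER KeepRemoteCopy
    Leave the exported file in C:\Windows\Temp on the target after copying it.

    .OUTPUTS
    System.String. The local path of each successfully copied export. Failures are reported
    with Write-Warning and the loop continues with the next log/computer.
    #>
    param (
        [string[]]$ComputerName = @($env:ComputerName),
        [string[]]$LogName = @('System', 'Application'),
        [String]$Path = "$home\Desktop\EventLogs",
        [switch]$KeepRemoteCopy
    );
    $baseName = $MyInvocation.MyCommand.Name;
    $dateStamp = Get-Date -Format "yyyyMMdd";
    if (!(Test-Path -Path $Path))
    {
        New-Item -ItemType Directory -ErrorAction Stop -Path $Path | Out-Null;
    } # if (!(Test-Path -Path $Path))
    $Path = (Resolve-Path -Path $Path).ProviderPath;
    foreach ($_computerName in $ComputerName)
    {
        foreach ($_logName in $LogName)
        {
            # A channel name like "Microsoft-Windows-PowerShell/Operational" contains a path
            # separator; left as-is it would point wevtutil at a non-existent sub-directory
            # of Temp (and Test-Path/Copy-Item at a different UNC path). Sanitise for the
            # file name only - the real channel name is still what gets exported.
            $safeLogName = $_logName -replace '[\\/:*?"<>|]', '-';
            $logFileBaseName = "$_computerName-$safeLogName-$dateStamp.evtx";
            $logFileRemoteName = "\\$_computerName\c$\Windows\temp\$logFileBaseName";
            $logFileLocalName = "$Path\$logFileBaseName";
            Write-Progress $baseName "exporting $logFileBaseName";
            # /r: makes the target's Event Log service perform the export, so the output path
            # is local to that host (hence C:\Windows\Temp, reached afterwards via C$).
            wevtutil.exe epl $_logName "c:\windows\temp\$logFileBaseName" /ow:True /r:$_computerName;
            if ($LASTEXITCODE -ne 0)
            {
                # wevtutil prints its own error text; surface the exit code so a failed export
                # is not mistaken for a missing share when Test-Path fails below.
                Write-Warning "$baseName wevtutil.exe exited with code $LASTEXITCODE exporting $_logName on $_computerName";
                continue;
            } # if ($LASTEXITCODE -ne 0)
            if (!(Test-Path -Path $logFileRemoteName))
            {
                Write-Warning "$basename failed to export $_logName on $_computerName to $logFileRemoteName";
                continue;
            } # if (!(Test-Path -Path $logFileRemoteName))
            Write-Progress $baseName "Copying $logFileRemoteName";
            Copy-Item -Path $logFileRemoteName -Destination $logFileLocalName;
            if (Test-Path -Path $logFileLocalName)
            {
                if (!$KeepRemoteCopy)
                {
                    # Do not leave an exported log (which may be Security) sitting in the
                    # target's temp directory after we have our copy.
                    Remove-Item -Path $logFileRemoteName -ErrorAction SilentlyContinue;
                } # if (!$KeepRemoteCopy)
                $logFileLocalName;
            } # if (Test-Path -Path $logFileLocalName)
            else
            {
                Write-Warning "$basename failed to copy $logFileRemoteName to $logFileLocalName";
            } # if (Test-Path -Path $logFileLocalName)
        } # foreach ($_logName in $LogName)
    } # foreach ($_computerName in $ComputerName)
} # function Export-EventLog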
function Get-EventLogName
{
    <#
    .SYNOPSIS
    Lists the event log names reported by Get-EventLog -List on one or more computers.

    .DESCRIPTION
    Thin wrapper over "Get-EventLog -List -ComputerName ..." that projects each result to
    an object with two properties: ComputerName (the MachineName of the log entry) and Log.
    NOTE(review): Get-EventLog only enumerates the classic logs; for ETW channels use
    Get-WinEvent -ListLog instead.

    .PARAMETER ComputerName
    Computers to query. Defaults to the local machine.

    .OUTPUTS
    Objects with ComputerName and Log properties, one per log.
    #>
    param
    (
        [string[]]$ComputerName = @($env:ComputerName)
    );
    # Calculated property renaming MachineName to ComputerName; Log is passed through as-is.
    $computerNameColumn = @{
        Name       = 'ComputerName';
        Expression = { $_.MachineName };
    };
    $logs = Get-EventLog -List -ComputerName $ComputerName;
    $logs | Select-Object -Property $computerNameColumn, Log
} # function Get-EventLogName