Getting Remote Event Logs

Here's a quick-and-dirty script to save event logs via LogParser.

 

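function Get-RemoteEventLogQuery {
    ## Internal helper for Get-RemoteEventLog: builds the LogParser SQL
    ## statement (SELECT ... INTO ... FROM ... [WHERE ...]). Split out so
    ## the WHERE/date logic can be exercised without LogParser.exe.
    ##
    ## -now is injectable so the generated TimeWritten bound is
    ## deterministic in tests; callers normally leave it at the default.
    param(
        [string]$computer,
        [string]$log,
        [string]$logPath,
        [string]$clause,
        [int]$day,
        [datetime]$now = (Get-Date)
    );

    if ($day -gt 0) {
        # Only a positive -day adds a date bound; 0 (documented as "all
        # days") and negatives skip it. The previous '-ge 0' test made
        # '-day 0' emit "TimeWritten >= <now>", i.e. an empty CSV.
        if ($clause) { $clause += " AND"; }
        # HH (24-hour) rather than hh (12-hour): with hh an afternoon
        # bound such as 14:30 was rendered as 02:30, so the filter matched
        # the wrong twelve-hour window. Invariant culture keeps ':' and
        # digits stable regardless of the caller's locale.
        $start = ($now - (New-TimeSpan -Days $day)).ToString('yyyy-MM-dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture);
        $clause += " (TimeWritten >= '$start')";
    }
    if ($clause) { $clause = "WHERE " + $clause.Trim(); }
    return ("SELECT * INTO '$logPath' FROM \\$computer\$log $clause").TrimEnd();
}

function Get-RemoteEventLog {
    ##
    ## SYNTAX
    ## Get-RemoteEventLog [-computer <string>] [-log <string>]
    ## [-logpath <string>] [-logParserPath <string>] [-clause <string>]
    ## [-day <int>] | [-help]
    ##
    ## DESCRIPTION
    ## Saves Event Log from remote machine via LogParser.exe as CSV (to
    ## %TEMP% folder by default). Emits the CSV path on success; emits a
    ## warning (and nothing else) when the file was not created.
    ##
    ## PARAMETERS
    ## -computer <string>
    ## Computer from which to download Event Log. Default: localhost.
    ##
    ## -log <string>
    ## Event Log to save. Default: Application
    ##
    ## -logPath <string>
    ## Full/path/to/saved-log.csv. Default: %TEMP% folder, named
    ## <computer>-<log>-<timestamp in yyyyMMddHHmmss format>.csv
    ##
    ## -logParserPath <string>
    ## Full/path/to/logparser.exe. Default: network share for
    ## LogParser 2.2 package (the EXE, DLL, etc.). The binary at this
    ## path runs under the caller's credentials, so the share must not
    ## be writable by ordinary users.
    ##
    ## -clause <string>
    ## Filtering clause. Default: "(EventTypeName LIKE 'Warn%' OR
    ## EventTypeName LIKE 'Error%')". Note the beginning 'WHERE' is
    ## not part of the argument. Set to $null to get INFO and SUCCESS
    ## log entries as well as ERROR and WARNING. The clause is inserted
    ## into the LogParser SQL verbatim; pass only text you control.
    ##
    ## -day <int>
    ## Additional filter for date. Default: 1 day. Set to 0 to get
    ## all days in log.
    ##
    ## -help
    ## Show this text and exit.

    param(
        [string]$computer = "$env:computerName",
        [string]$log = 'Application',
        [string]$logPath,
        [string]$logParserPath = '\\path\to\Log Parser 2.2\LogParser.exe',
        [string]$clause = "(EventTypeName LIKE 'Warn%' OR EventTypeName LIKE 'Error%')",
        [int]$day = 1,
        [switch]$help
    );

    if ($help) {
        # The help text is the '##' comment block above; single-'#' comments
        # in this body are deliberately excluded by the regex.
        ((Get-Content function:\Get-RemoteEventLog).ToString().Split("`n") | Select-String "^\s+##") -replace '^\s+##\s?';
        return;
    }

    # HH (24-hour) so two runs in the same minute of the morning and the
    # afternoon do not collide on the same default file name.
    $dateStamp = Get-Date -Format "yyyyMMddHHmmss";
    if (!$logPath) { $logPath = "$env:temp\$computer-$log-$dateStamp.csv"; }

    $query = Get-RemoteEventLogQuery -computer $computer -log $log -logPath $logPath -clause $clause -day $day;
    Write-Verbose "query: '$query'";
    $output = & $logParserPath -i:evt -fulltext:off -o:csv -tabs:off $query;
    Write-Verbose "output: '$output'";
    # LogParser reports failures (bad query, unreachable host, access
    # denied) through its exit code; surface it instead of relying on the
    # file-existence check alone.
    if ($LASTEXITCODE) {
        Write-Warning "LogParser exited with code $LASTEXITCODE.";
    }
    # -LiteralPath: a log path containing '[' or ']' must not be treated
    # as a wildcard pattern.
    if (Test-Path -LiteralPath $logPath) {
        $logPath;
    } else {
        Write-Warning "Unable to create $logPath.";
    }

}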

Comments

  • Anonymous
    October 06, 2011
    Why not publish it in the TechNet Gallery?