Trying to create a powershell script for logs on Multiple computers in a domain

  • Question

  • Hi, so I currently have a script I have been running to get Application, Backup, and System logs and convert them into CSV for easy import into SQL for parsing.

    Currently it only works on a single machine or server. However, I was wondering if it is possible to expand the code so it can grab those files from MULTIPLE computers on the domain, all from a single script or at least from a single computer's batch file.

    Example 

    Get-WinEvent -logname Microsoft-Windows-Backup | Export-CSV -path C:\Logs\backup.csv

    So the end goal would be to get the winevent from ComputerA, ComputerB, and ComputerC and send them all back to ComputerA's log drive, with a name that says which PC they came from.

    Any help? Thanks

    • Moved by Bill_Stewart Friday, March 15, 2019 7:33 PM This is not "scripts on demand"
    Wednesday, February 13, 2019 6:51 PM

All replies

  • If you carefully study the help for Get-WinEvent you will learn that it supports the parameter -ComputerName. So it is able to query other computers by itself.

    To query more than one computer you will have to create a loop iterating over a list of computer names.


    Live long and prosper!

    (79,108,97,102|%{[char]$_})-join''


    • Edited by BOfH-666 Wednesday, February 13, 2019 7:17 PM
    Wednesday, February 13, 2019 7:16 PM
  • You cannot easily export all properties to a CSV.  You must skip the "Message" property and many other fields must be converted for output.

    "Get-WinEvent" is a powerful tool for parsing event files.  The way this is normally done is to export a date range from these files and then use Get-WinEvent to parse the files as needed.  Normally we archive these delta extracts by week or month.


    \_(ツ)_/

    Wednesday, February 13, 2019 7:18 PM
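Putting the two replies above together (loop over a list of computer names with Get-WinEvent -ComputerName, and convert fields such as Message into something Export-Csv can write as one row), the following is an added example and is not code from the original thread. The computer names, the collection share \\ComputerA\Logs, the seven-day window and the output file naming are all assumptions; the Microsoft-Windows-Backup log name is taken from the question.

```powershell
# Added example, not from the original thread: collect three logs from several
# domain computers with Get-WinEvent -ComputerName and write one CSV per computer
# and log into a share on ComputerA. Targets, share path and window are assumptions.

$Computers = 'ComputerA', 'ComputerB', 'ComputerC'                # assumed targets
$Logs      = 'Application', 'System', 'Microsoft-Windows-Backup'  # log names from the question
$OutDir    = '\\ComputerA\Logs'                                   # assumed collection share
$Since     = (Get-Date).AddDays(-7)                               # assumed date window

foreach ($Computer in $Computers) {
    foreach ($Log in $Logs) {
        $Filter = @{ LogName = $Log; StartTime = $Since }
        try {
            # -ComputerName talks to the remote event log service over RPC.
            # -ErrorAction Stop turns "no events found" and access-denied
            # errors into exceptions so one bad host/log does not stop the run.
            $Events = Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop
        }
        catch {
            Write-Warning ("{0} / {1}: {2}" -f $Computer, $Log, $_.Exception.Message)
            continue
        }

        # File name carries the source computer (the question's requirement).
        # Channel names can contain '/', which must not become a path separator.
        $SafeLog = $Log -replace '[\\/:*?"<>|]', '_'
        $OutFile = Join-Path $OutDir ("{0}-{1}-{2:yyyyMMdd}.csv" -f $Computer, $SafeLog, (Get-Date))

        # Keep the fields SQL can use directly; flatten the multi-line Message
        # to a single line so every CSV record stays on one physical line.
        $Events |
            Select-Object @{ Name = 'SourceComputer'; Expression = { $Computer } },
                          MachineName, TimeCreated, Id, LevelDisplayName, ProviderName, RecordId,
                          @{ Name = 'Message'; Expression = { ([string]$_.Message -replace '\r?\n', ' ').Trim() } } |
            Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

        Write-Verbose ("{0}: {1} {2} events written to {3}" -f $Computer, @($Events).Count, $Log, $OutFile)
    }
}
```

The account running this needs to be a member of the Event Log Readers group (or an administrator) on each target, and the "Remote Event Log Management" inbound firewall rules must be enabled there, because -ComputerName uses RPC rather than WinRM. If RPC is blocked but WinRM is open, the same Get-WinEvent call can be run inside Invoke-Command -ComputerName and the results copied back; Export-Csv then runs on ComputerA as above.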
  • Here is how to get a backup of a log.

    function GetMilliseconds ([datetime]$date) {
        # milliseconds elapsed between $date and now; timediff(@SystemTime) in the
        # XPath query below is measured the same way, relative to the time the query runs
        $ts = [datetime]::Now - $date
        [math]::Round($ts.TotalMilliseconds)
    }
    # the older boundary is the larger offset (date strings parse with the current culture)
    $startDate = GetMilliseconds('1/1/2019')
    $endDate = GetMilliseconds('2/1/2019')
    $backupFile = 'd:\logbackup\application\2019-01.evtx'
    # keep events whose TimeCreated lies between the two boundaries (inclusive)
    $query = "*[System[TimeCreated[timediff(@SystemTime) >= $endDate] and TimeCreated[timediff(@SystemTime) <= $startDate]]]"
    # epl = export-log: writes the matching events of the Application log to an .evtx file
    wevtutil epl Application $backupFile /q:$query


    \_(ツ)_/


    • Edited by jrv Wednesday, February 13, 2019 7:53 PM
    Wednesday, February 13, 2019 7:52 PM
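The reply above exports a monthly archive; the second half of that workflow, parsing the archived file with Get-WinEvent instead of re-querying the live log, is shown here as an added example that is not part of the original thread. The archive path matches the wevtutil command above; the Level filter and the provider/Id pair used at the end are assumptions for illustration.

```powershell
# Added example, not from the original thread: query an archived .evtx file.
# FilterHashtable accepts Path in place of LogName, so the same filters used
# against a live log work against the file written by wevtutil epl above.

$Archive = 'd:\logbackup\application\2019-01.evtx'   # file produced by the reply above

# Level 1 = Critical, 2 = Error (assumed filter for the illustration)
$Filter = @{
    Path  = $Archive
    Level = 1, 2
}

# SilentlyContinue: an archive with no matching events is not an error here
$Errors = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

# Which provider/event-id pairs dominate the month? Group-Object on two
# properties yields names of the form "Provider, Id".
$Errors |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full records for one pair, newest first; first line of Message only.
# 'Application Error' / 1000 is an assumed example pair.
$Errors |
    Where-Object { $_.ProviderName -eq 'Application Error' -and $_.Id -eq 1000 } |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, MachineName, Id,
                  @{ Name = 'Message'; Expression = { ([string]$_.Message -split '\r?\n')[0] } }
```

Because the archive is a plain file, this runs anywhere the .evtx can be copied and needs no access to the original computer; Message text is still rendered from the provider's metadata, so run it on a machine that has the same providers installed if the first query shows empty messages.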