Scripting Guys need your help

  • Question

  • Hello All,

    I have a script which works absolutely fine in a workgroup (Windows logs backup) on Windows Server 2012, but if I run it in a domain environment I get an error and it is not able to pull the security logs. It only pulls application and system, with an error.

    Script is here,

    Function Server-Eventlogs {            

     Param(
      $Computername ="$ENV:COMPUTERNAME.$ENV:USERDNSDOMAIN",
      [array]$EventLogs = @("application","security","system"),
      $BackupFolder = "C:\Eventvwr\"
      )            

     Foreach ( $i in $EventLogs ) {
     If(!( Test-Path $BackupFolder )) { New-Item $BackupFolder -Type Directory }


    $eventlog="C:\Eventvwr\$Computername" +"_"+$i+"_"+(Get-Date -Format "yyyyMMdd")+ ".evt"


      ##$eventlog="D:\Eventvwr\$i" + (Get-Date).tostring("yyyyMMdd") + "$Computername" + ".evt"

     (Get-wmiobject win32_nteventlogfile -ComputerName $Computername| 
      Where {$_.logfilename -eq "$i"}).backupeventlog($eventlog)            

     ##Clear-EventLog -LogName $i            

     }# end Foreach            

    }#end function  

    Server-Eventlogs

    Error is here 

    You cannot call a method on a null-valued expression.
    At C:\Users\Administrator\Desktop\backupscriptfinal.ps1:18 char:2
    +  (Get-wmiobject win32_nteventlogfile -ComputerName $Computername|
    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    I will appreciate your help.

    Cheers!

    • Moved by Bill_Stewart Monday, April 20, 2015 7:17 PM Off-topic/poor quality question
    Monday, December 8, 2014 3:09 PM

Answers

  • Here is a sample of what you will have to do.  It still will fail under many different scenarios.  Designing the error handling for complex tasks is not trivial.

    Function Backup-Eventlogs {
        Param(
            $Computername=$ENV:COMPUTERNAME,
            $EventLogs=@('application','security','system'),
            $BackupFolder='c:\ELBackups'
        )
        Begin{
            $datestring=Get-Date -Format 'yyyyMMdd'
        }

        Process{
            foreach($computer in $Computername){
                # Create the backup folder on the target through its administrative share
                $remotefolder='\\{0}\{1}' -f $computer, $BackupFolder.Replace(':','$')
                If(!(Test-Path $remoteFolder)){ New-Item $remoteFolder -Type Directory }
                foreach($logname in $EventLogs){
                    Try{
                        $EventLog=Get-wmiobject win32_nteventlogfile -ComputerName $computer -Filter "LogFileName='$logname'" -ea Stop
                        # This path is local to the target computer
                        $filename='{0}\{1}_{2}_{3}.evt' -f $BackupFolder,$computer,$logname,$datestring
                        Write-Host "Backing up $logname to $filename on $computer" -ForegroundColor green
                        $EventLog.BackupEventlog($filename)
                    }
                    Catch{
                        Write-Host "$computer $logname $_" -ForegroundColor red
                    }
                }
            }
        }
    }

    Backup-Eventlogs


    ¯\_(ツ)_/¯






    • Edited by jrv Monday, December 8, 2014 5:35 PM
    • Proposed as answer by Valeras Friday, December 12, 2014 1:49 PM
    • Marked as answer by Just Karl Tuesday, April 28, 2015 10:43 PM
    Monday, December 8, 2014 5:26 PM

All replies

  • Since you're working in a Windows Domain and mentioned the security logs, I can't help but wonder a couple things. One, are you running the function with a user that's a local admin on the computer in which the function is running against? Two, did you right-click, Run as administrator on the console or ISE - whichever you're using - before running your function? To begin with, make sure both are true.
    Monday, December 8, 2014 3:50 PM
  • 1st:

    It's a DC- so no local admin, running in domain admin account only

    2nd: Yes elevated command prompt/ Run as admin

    Monday, December 8, 2014 4:16 PM
  • You cannot run this against $ENV:USERDNSDOMAIN since that is not a computer.

    The folder that this will be backed up to is on the remote machine.  There are other issues.

    Look in Gallery for scripts that do mass backups. You will eventually see what the issues are.

    Normally we never clear event logs.  We set them to appropriate size for server role and allow them to wrap or, better, we set them for a time and let them wrap.  To save the logs we would schedule an export of data by timeframe like weekly or monthly.

    Most just do controlled log extracts of important events.


    ¯\_(ツ)_/¯

    Monday, December 8, 2014 5:09 PM
  • Thanks JRV!

    Scenario is very simple,

    I have a DC (i.e. cbtnugget.local) and I want to take a backup of old logs daily and will store it in a backup folder.

    No remote and nothing.

    I have defined a size limit for the Application, Security and System logs. Once full, it will archive them; do not overwrite.

    %SystemRoot%\System32\Winevt\Logs

    Will try your sample script and will come back if any help is required.

    Tuesday, December 9, 2014 3:56 PM
  • For many reasons that is a very bad way to manage event logs.  It will not be very useful in the future.  Logs need to remain online for troubleshooting.  Clearing logs repeatedly is a very bad idea as it erases the information needed to fix problems.

    If you want a daily record just extract the day's events to a file.  It is much faster and more useful.


    ¯\_(ツ)_/¯

    Tuesday, December 9, 2014 5:34 PM
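
The daily extract recommended in the last reply, as an added example that is not part of the original thread: it exports one day's events from each log with `wevtutil epl` and a time-bounded XPath query, leaving the live logs untouched. The function name, the `C:\ELBackups` path and the file naming are assumptions; run it elevated on the local machine so the Security log is readable.

```powershell
# Added example (not from the thread): archive one day's events per log
# without clearing anything. Folder and file names are placeholders.
function Export-DailyEventLog {
    param(
        [string[]]$LogName      = @('Application', 'Security', 'System'),
        [string]  $BackupFolder = 'C:\ELBackups',
        [datetime]$Day          = (Get-Date).Date.AddDays(-1)   # default: yesterday
    )

    if (-not (Test-Path -LiteralPath $BackupFolder)) {
        New-Item -Path $BackupFolder -ItemType Directory | Out-Null
    }

    # Event timestamps are stored in UTC, so convert the local day boundaries.
    $fmt   = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $start = $Day.Date.ToUniversalTime().ToString($fmt)
    $end   = $Day.Date.AddDays(1).ToUniversalTime().ToString($fmt)
    $query = "*[System[TimeCreated[@SystemTime>='$start' and @SystemTime<'$end']]]"

    foreach ($log in $LogName) {
        $name = '{0}_{1}_{2:yyyyMMdd}.evtx' -f $env:COMPUTERNAME, $log, $Day
        $file = Join-Path $BackupFolder $name

        # epl = export-log; /q takes the XPath filter; /ow overwrites the
        # file left by an earlier run for the same day.
        & wevtutil.exe epl $log $file "/q:$query" /ow:true
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Export of $log failed with exit code $LASTEXITCODE"
            continue
        }

        # Record a hash so later changes to the archive can be detected
        # (Get-FileHash needs PowerShell 4.0 or later).
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        [pscustomobject]@{ Log = $log; File = $file; SHA256 = $hash }
    }
}

Export-DailyEventLog
```

Scheduled once a day, this produces one `.evtx` file per log per day that opens in Event Viewer, while the online logs keep wrapping at their configured size.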