
This is a little quick-and-dirty Windows PowerShell script which exports or backs up Windows event logs. The script creates a .evt file which can be opened with the Windows Event Viewer.
# Config
$logFileName = "Application" # Add name of the log file (System, Application, etc.)
$path = "C:\temp\" # Add path, needs to end with a backslash
# do not edit
$exportFileName = $logFileName + (Get-Date -Format yyyyMMdd) + ".evt"
# Win32_NTEventlogFile only lists the classic logs (Application, Security, System, ...)
$logFile = Get-WmiObject -Class Win32_NTEventlogFile | Where-Object { $_.LogfileName -eq $logFileName }
if (-not $logFile) { throw "Event log '$logFileName' was not found on this computer" }
# BackupEventLog returns a Win32 error code in ReturnValue; 0 means success (183 = the file already exists)
$result = $logFile.BackupEventLog($path + $exportFileName)
if ($result.ReturnValue -ne 0) { throw "Backup of '$logFileName' failed with error code $($result.ReturnValue)" }
And the next piece of code cleans up older exported event logs.
# Deletes all .evt log files in $path that are older than $Daysback days
# Be careful: this removes every file with the extension .evt in $path, not just the log files this script created
$Daysback = -7
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $path | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evt") } | Remove-Item
UPDATE: If you want to clear the event log after the export, you can do that with the Clear-EventLog cmdlet. (Thanks to Michel from server-talk.eu)
Clear-EventLog -LogName $logFileName
And here is the whole “script”:
# Config
$logFileName = "Application" # Add name of the log file (System, Application, etc.)
$path = "C:\temp\" # Add path, needs to end with a backslash
# do not edit
$exportFileName = $logFileName + (Get-Date -Format yyyyMMdd) + ".evt"
# Win32_NTEventlogFile only lists the classic logs (Application, Security, System, ...)
$logFile = Get-WmiObject -Class Win32_NTEventlogFile | Where-Object { $_.LogfileName -eq $logFileName }
if (-not $logFile) { throw "Event log '$logFileName' was not found on this computer" }
# BackupEventLog returns a Win32 error code in ReturnValue; 0 means success (183 = the file already exists)
$result = $logFile.BackupEventLog($path + $exportFileName)
if ($result.ReturnValue -ne 0) { throw "Backup of '$logFileName' failed with error code $($result.ReturnValue)" }
# Deletes all .evt log files in $path that are older than $Daysback days
# Be careful: this removes every file with the extension .evt in $path, not just the log files this script created
$Daysback = -7
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $path | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evt") } | Remove-Item
# Only reached if the backup above succeeded, so nothing is cleared that was not exported first
Clear-EventLog -LogName $logFileName
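The same export, clean-up and clear sequence as an added, more defensive example (this is not the script from the post): every step is checked before the next one runs, the backup file name carries a time stamp so a second run on the same day does not collide, and the clean-up only removes files this script produced instead of every .evt in the folder. The function names and variable names are my own; it assumes $logFileName is a classic log and that $path exists and is writable.

```powershell
# Added example, not the original post's script.
# Assumptions: $logFileName is a classic log (Application, System, Security),
# $path exists and is writable; the function names below are my own choice.

$logFileName = "Application"
$path        = "C:\temp\"
$daysBack    = 7

function Backup-ClassicEventLog {
    param([string]$LogName, [string]$Folder)

    # Win32_NTEventlogFile only lists classic logs; a modern channel such as
    # "Setup" returns nothing here, which is what produces the "null-valued
    # expression" error when BackupEventLog is then called on $null.
    $log = Get-WmiObject -Class Win32_NTEventlogFile |
           Where-Object { $_.LogfileName -eq $LogName }
    if (-not $log) {
        throw "'$LogName' is not a classic event log on this computer."
    }

    # Time stamp to the second: BackupEventLog refuses to overwrite an existing file.
    $stamp  = Get-Date -Format yyyyMMdd-HHmmss
    $target = Join-Path $Folder ("{0}-{1}.evt" -f $LogName, $stamp)

    # BackupEventLog returns a Win32 error code in ReturnValue; 0 means success.
    $result = $log.BackupEventLog($target)
    if ($result.ReturnValue -ne 0) {
        throw "BackupEventLog for '$LogName' failed with error code $($result.ReturnValue)."
    }
    return $target
}

function Remove-OldBackups {
    param([string]$LogName, [string]$Folder, [int]$Days)

    $cutoff = (Get-Date).AddDays(-$Days)
    # Match only the files this script produced ("<log>-<stamp>.evt"), not every
    # .evt in the folder. The Extension test is kept because -Filter "*.evt"
    # also matches .evtx files through the 8.3 short-name quirk.
    Get-ChildItem -Path $Folder -Filter "$LogName-*.evt" |
        Where-Object { $_.Extension -eq ".evt" -and $_.LastWriteTime -lt $cutoff } |
        Remove-Item
}

# Export first; the log is cleared only if the backup file was actually written.
$backupFile = Backup-ClassicEventLog -LogName $logFileName -Folder $path
Write-Host "Exported $logFileName to $backupFile"
Remove-OldBackups -LogName $logFileName -Folder $path -Days $daysBack
Clear-EventLog -LogName $logFileName
```

Because `Backup-ClassicEventLog` throws on a missing log or a non-zero return code, a scheduled task that runs this script stops before `Clear-EventLog` and leaves the events in place, which is the property you want from an export-then-clear job.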

Many of the customers do also like the cmdlet to clear the event log: Clear-EventLog -LogName System -ComputerName MyComputer. With this script they can export the log first and then clean it.

yep… true this makes sense
Thanks for sharing a very good innovative article
Hi Thomas,
Thanks for the article. It helped me a lot. But I’ve got one question. I cannot export and clear the Setup eventlog on Windows Server 2008 R2. I get this error in Powershell:
You cannot call a method on a null-valued expression.
At D:\beheer\scripts\backup_setup_log.ps1:8 char:24
+ $logFile.backupeventlog <<<< ($path + $exportFileName)
+ CategoryInfo : InvalidOperation: (backupeventlog:String) [], Runti
+ FullyQualifiedErrorId : InvokeMethodOnNull
Clear-EventLog : The Log name "Setup" does not exist in the computer "localhost".
At D:\beheer\scripts\backup_setup_log.ps1:9 char:15
+ Clear-Eventlog <<<< -LogName $logFileName
+ CategoryInfo : InvalidOperation: (:) [Clear-EventLog], InvalidOper
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.ClearEventLogCommand
Do you know why I'm not able to export and clear this eventlog? All the other eventlogs (Application, Security and System) don't have this issue. Thanks in advance and with kind regards,
Richy
Hello Thomas,
I am trying to extend your query with the EventID.
Unfortunately I cannot see where the error is:
# Config
$logFileName = "SYSTEM" # Add Name of the Logfile (System, Application, etc)
$EventID = 403
$path = "C:\Temp\" # Add Path, needs to end with a backslash
# do not edit
$exportFileName = $logFileName + (get-date -f yyyyMMdd) + ".evt"
# Note: "&" is PowerShell's call operator, the logical operator is "-and".
# Win32_NTEventlogFile describes the log file itself and has no EventID property,
# so this filter never matches and $logFile stays $null.
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object {$_.logfilename -eq $logFileName -and $_.EventID -eq $EventID}
$logFile.backupeventlog($path + $exportFileName)
Thanks Thomas for the article.
@Ritchy, to read this event log you have to use the cmdlet Get-WinEvent.
Try this: get-winevent -log setup
Marc.
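The Setup log Richy ran into is a modern (.evtx) channel, which the Win32_NTEventlogFile class and the Clear-EventLog cmdlet do not see. As an added example (not code from the post or from the comments above), this exports and clears a log with wevtutil.exe, which handles both classic logs and modern channels. It assumes wevtutil.exe is on the PATH, as it is on Windows Vista / Server 2008 and later, and that $path exists.

```powershell
# Added example, not from the post or the comments.
# Assumptions: wevtutil.exe is on the PATH; $path exists. Names are my own.

$logName = "Setup"
$path    = "C:\temp\"

# Get-WinEvent -ListLog sees every channel, classic and modern; an unknown
# name throws here, which is easier to handle than the silent $null from WMI.
$info = Get-WinEvent -ListLog $logName -ErrorAction Stop
Write-Host ("{0}: {1} records, {2} bytes on disk, classic log: {3}" -f
    $info.LogName, $info.RecordCount, $info.FileSize, $info.IsClassicLog)

$stamp  = Get-Date -Format yyyyMMdd-HHmmss
$target = Join-Path $path ("{0}-{1}.evtx" -f $logName, $stamp)

# wevtutil epl (export-log) writes an .evtx that Event Viewer opens via
# "Open Saved Log"; it works for classic logs and modern channels alike.
& wevtutil.exe epl $logName $target
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

# wevtutil cl (clear-log) replaces Clear-EventLog, which only accepts classic logs.
# As above, the clear runs only after the export returned successfully.
& wevtutil.exe cl $logName
if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed with exit code $LASTEXITCODE" }
Write-Host "Exported $logName to $target and cleared it."
```

Both wevtutil calls need the same rights as Event Viewer would for that log; exporting the Security log, for instance, requires the Manage auditing and security log privilege.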
Could it be possible to check the file size before it creates a backup?
Suppose I want to take the backup only if it reaches up to 300 MB of space.
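One way to do the size check asked for above, as an added example that is not part of the post: Win32_NTEventlogFile exposes the current size of the log file (FileSize) and the configured cap (MaxFileSize), both in bytes, so the export can be gated on the current size. It assumes a classic log, and the threshold name and function name are my own.

```powershell
# Added example, not from the post. Assumes a classic log; $thresholdMB and
# Test-EventLogSize are my own names.

$logFileName = "Application"
$path        = "C:\temp\"
$thresholdMB = 300

function Test-EventLogSize {
    param([string]$LogName, [int]$ThresholdMB)

    $log = Get-WmiObject -Class Win32_NTEventlogFile |
           Where-Object { $_.LogfileName -eq $LogName }
    if (-not $log) { throw "'$LogName' is not a classic event log on this computer." }

    # FileSize and MaxFileSize are in bytes. The file never grows past MaxFileSize
    # (Windows overwrites or stops logging instead), so a threshold above the cap
    # would never trigger; warn about that rather than waiting forever.
    $sizeMB = [math]::Round($log.FileSize / 1MB, 1)
    $maxMB  = [math]::Round($log.MaxFileSize / 1MB, 1)
    if ($ThresholdMB -gt $maxMB) {
        Write-Warning "$LogName is capped at $maxMB MB; a $ThresholdMB MB threshold can never be reached."
    }
    return [pscustomobject]@{
        Log      = $log
        SizeMB   = $sizeMB
        MaxMB    = $maxMB
        Exceeded = ($sizeMB -ge $ThresholdMB)
    }
}

$state = Test-EventLogSize -LogName $logFileName -ThresholdMB $thresholdMB
if ($state.Exceeded) {
    $stamp  = Get-Date -Format yyyyMMdd-HHmmss
    $target = Join-Path $path ("{0}-{1}.evt" -f $logFileName, $stamp)
    $result = $state.Log.BackupEventLog($target)
    if ($result.ReturnValue -ne 0) { throw "BackupEventLog failed with error code $($result.ReturnValue)" }
    Clear-EventLog -LogName $logFileName
    Write-Host "$logFileName was $($state.SizeMB) MB; exported to $target and cleared."
} else {
    Write-Host "$logFileName is $($state.SizeMB) MB, below the $thresholdMB MB threshold; nothing to do."
}
```

Run it from a scheduled task every few hours and the log is exported and cleared shortly after it crosses the threshold; the warning about MaxFileSize catches the common misconfiguration where the cap (often 20 MB by default) is lower than the threshold, in which case the log would wrap and lose events before the export ever ran.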