This is a quick and dirty Windows PowerShell script which exports (backs up) Windows event logs. It uses the BackupEventlog method of the Win32_NTEventlogFile WMI class and creates a .evt file which can be opened in the Windows Event Viewer (Action > Open Saved Log). Run it from an elevated PowerShell session, since the backup method needs the backup privilege.
```powershell
# Config
$logFileName = "Application"   # Name of the log to export (System, Application, etc.)
$path = "C:\temp\"             # Destination folder; needs to end with a backslash

# do not edit
$exportFileName = $logFileName + (Get-Date -f yyyyMMdd) + ".evt"
# Win32_NTEventlogFile only lists the classic logs; for an unknown name $logFile stays $null
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object { $_.LogFileName -eq $logFileName }
# Returns an object whose ReturnValue is 0 on success and non-zero on failure
$logFile.BackupEventlog($path + $exportFileName)
```
The next snippet cleans up older exported event logs.
```powershell
# Deletes all .evt log files in $path
# Be careful: this removes every file with the extension .evt, not just the ones created above
$Daysback = -7
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $path | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evt") } | Remove-Item
```
UPDATE: If you want to clean the event log after the export you can do that by using the Clear-EventLog cmdlet. (Thanks to Michel from server-talk.eu) Only clear the log once you have confirmed the export file is on disk; after clearing, the events exist nowhere else. Clearing is itself audited: the Security log records event ID 1102, the other logs record event ID 104 in the System log.
Clear-Eventlog -LogName $logFileName
And here is the whole script:
```powershell
# Config
$logFileName = "Application"   # Name of the log to export (System, Application, etc.)
$path = "C:\temp\"             # Destination folder; needs to end with a backslash

# do not edit
$exportFileName = $logFileName + (Get-Date -f yyyyMMdd) + ".evt"
# Win32_NTEventlogFile only lists the classic logs; for an unknown name $logFile stays $null
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object { $_.LogFileName -eq $logFileName }
# Returns an object whose ReturnValue is 0 on success and non-zero on failure
$logFile.BackupEventlog($path + $exportFileName)

# Deletes all .evt log files in $path
# Be careful: this removes every file with the extension .evt, not just the ones created above
$Daysback = -7
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $path | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evt") } | Remove-Item

# Clear the live log now that it has been exported
Clear-EventLog -LogName $logFileName
```
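The script above clears the log unconditionally, even when the backup call failed or returned nothing. The following is an added example, not the code from the post, that keeps the same WMI method but checks the result before touching the live log. It assumes the Application and System logs and the C:\temp\ folder; the log names are the only thing to adjust.

```powershell
# Added example, not the original script: back up a log through Win32_NTEventlogFile,
# verify the backup actually succeeded, and only then clear the live log.
# Run from an elevated PowerShell session; BackupEventlog needs the backup privilege.
$logNames = 'Application', 'System'      # assumption: the logs you want to rotate
$path     = 'C:\temp\'

foreach ($logName in $logNames) {
    $logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object { $_.LogFileName -eq $logName }
    if ($null -eq $logFile) {
        # Only classic logs have a Win32_NTEventlogFile instance. An unknown name gives $null,
        # and calling BackupEventlog on $null throws "You cannot call a method on a null-valued expression".
        Write-Warning "Log '$logName' not found via Win32_NTEventlogFile, skipping"
        continue
    }

    $target = Join-Path $path ($logName + (Get-Date -Format yyyyMMdd) + '.evt')
    if (Test-Path $target) {
        # A second run on the same day would hit the existing file; skip rather than overwrite
        Write-Warning "$target already exists, skipping $logName"
        continue
    }

    $result = $logFile.BackupEventlog($target)
    if ($result.ReturnValue -ne 0 -or -not (Test-Path $target)) {
        # Never clear a log whose backup did not land on disk; the events would be lost for good
        Write-Error "Backup of '$logName' failed (ReturnValue $($result.ReturnValue)); log NOT cleared"
        continue
    }

    Write-Output "Exported $logName to $target, clearing the live log"
    Clear-EventLog -LogName $logName
}
```

The Test-Path after the call matters: a zero return code with no file on disk would still lose the events once Clear-EventLog runs, so both conditions gate the clear.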
Also check out my blog post about deleting files older than a specific date using PowerShell.
Last modified: January 28, 2019
Many customers also like the cmdlet to clear the event log:

Clear-EventLog -LogName System -ComputerName MyComputer

With this script they can export the log first and then clean it :)

yep… true, this makes sense :)
Thanks for sharing a very good innovative article
Hi Thomas,
Thanks for the article. It helped me a lot. But I’ve got one question. I cannot export and clear the Setup eventlog on Windows Server 2008 R2. I get this error in Powershell:
You cannot call a method on a null-valued expression.
At D:\beheer\scripts\backup_setup_log.ps1:8 char:24
+ $logFile.backupeventlog <<<< ($path + $exportFileName)
+ CategoryInfo : InvalidOperation: (backupeventlog:String) [], Runti
+ FullyQualifiedErrorId : InvokeMethodOnNull
Clear-EventLog : The Log name "Setup" does not exist in the computer "localhost".
At D:\beheer\scripts\backup_setup_log.ps1:9 char:15
+ Clear-Eventlog <<<< -LogName $logFileName
+ CategoryInfo : InvalidOperation: (:) [Clear-EventLog], InvalidOper
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.ClearEventLogCommand
Do you know why I'm not able to export and clear this eventlog? All the other eventlogs (Application, Security and System) don't have this issue. Thanks in advance and with kind regards,
Richy
Hello Thomas,
I am trying to extend your query with the EventID.
Unfortunately I cannot see where the error is:
```powershell
# Config
$logFileName = "SYSTEM" # Add Name of the Logfile (System, Application, etc)
$EventID = 403
$path = "C:\Temp\" # Add Path, needs to end with a backslash
# do not edit
$exportFileName = $logFileName + (get-date -f yyyyMMdd) + ".evt"
# '&' is the call operator in PowerShell; the logical operator is '-and'.
# Win32_NTEventlogFile describes the whole log file and has no EventID property,
# so this filter matches nothing and $logFile stays $null.
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object {$_.logfilename -eq $logFileName -and $_.EventID -eq $EventID}
$logFile.backupeventlog($path + $exportFileName)
```
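Win32_NTEventlogFile describes the log as a file (name, path, size) and carries no per-event properties, and BackupEventlog always writes the entire log, so an EventID filter cannot be expressed through it. The following is an added example, not code from the post or from the commenter, that exports only a chosen event ID: once with wevtutil's XPath query, which still yields an Event Viewer-readable .evtx file, and once with Get-WinEvent into CSV. It assumes the System log, event ID 403 and C:\Temp\ from the comment above.

```powershell
# Added example (not the original script): export only events with a given EventID.
# Win32_NTEventlogFile/BackupEventlog cannot filter events; wevtutil and Get-WinEvent can.
$logName = 'System'
$eventId = 403                                   # assumption: the ID asked about above
$path    = 'C:\Temp\'
$stamp   = Get-Date -Format yyyyMMdd
$evtx    = Join-Path $path ('{0}-EventID{1}-{2}.evtx' -f $logName, $eventId, $stamp)
$csv     = Join-Path $path ('{0}-EventID{1}-{2}.csv'  -f $logName, $eventId, $stamp)

# 1) Native .evtx export with an XPath filter; the file opens in Event Viewer ("Open Saved Log")
$query = "*[System[EventID=$eventId]]"
& wevtutil.exe epl $logName $evtx "/q:$query"
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

# 2) Same filter through Get-WinEvent, written as CSV for spreadsheets or SIEM import
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventId } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
    Export-Csv -Path $csv -NoTypeInformation

# Sanity check: every event read back from the .evtx file must carry the requested ID
$readBack = @(Get-WinEvent -Path $evtx -ErrorAction SilentlyContinue)
$wrongIds = @($readBack | Where-Object { $_.Id -ne $eventId })
"{0} events exported to {1}; {2} with an unexpected ID" -f $readBack.Count, $evtx, $wrongIds.Count
```

Get-WinEvent writes a non-terminating "No events were found" error when the filter matches nothing, which is why both calls use -ErrorAction SilentlyContinue; the final line then simply reports zero events.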
Thanks Thomas for the article.
@Ritchy, to read this eventlog you have to use the cmdlet get-winevent.
Try this : get-winevent -log setup
Marc.
Could it be possible to check the file size before it creates a backup?
Suppose I want to take the backup only if it reaches 300 MB of space.
How could I add the time stamp? I need to export the Application and System logs every half hour. I don’t want the events to overwrite. Also, how do I get the host name of the server so each file has hostname, date and time stamp?
Well, here you can work with Get-Date and add this to a variable which you can set with the filename.
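The two questions above (back up only once the log has reached a size threshold, and put host name, date and time into the file name so half-hourly exports do not overwrite each other) are answered together in this added example, which is not code from the post. It assumes the Application and System logs, C:\temp\ and the 300 MB figure from the question; FileSize is the on-disk size reported by Win32_NTEventlogFile.

```powershell
# Added example (not the original script): only back up a log once it has grown past a size
# threshold, and name the export after host, log, date and time so frequent runs never collide.
$logNames    = 'Application', 'System'
$path        = 'C:\temp\'
$thresholdMB = 300                                   # assumption: taken from the question above

foreach ($logName in $logNames) {
    $logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object { $_.LogFileName -eq $logName }
    if ($null -eq $logFile) { Write-Warning "Log '$logName' not found, skipping"; continue }

    # FileSize is the current on-disk size of the log file in bytes (MaxFileSize is its cap)
    $sizeMB = [math]::Round($logFile.FileSize / 1MB, 1)
    if ($sizeMB -lt $thresholdMB) {
        Write-Output ("{0}: {1} MB on disk, below the {2} MB threshold, nothing to do" -f $logName, $sizeMB, $thresholdMB)
        continue
    }

    # e.g. SRV01-Application-20190128-153000.evt: host name, log, date and time down to the second,
    # so a run every half hour (or even every minute) gets its own file instead of overwriting
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $path ('{0}-{1}-{2}.evt' -f $env:COMPUTERNAME, $logName, $stamp)

    $result = $logFile.BackupEventlog($target)
    if ($result.ReturnValue -ne 0) {
        Write-Error "Backup of '$logName' failed with ReturnValue $($result.ReturnValue)"
        continue
    }
    Write-Output "Exported $logName ($sizeMB MB) to $target"
}
```

Schedule the script with Task Scheduler every 30 minutes, running elevated; the host name comes from $env:COMPUTERNAME, so the same script can be deployed unchanged to every server.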
Really helpful! thanks a lot
cheers
Hi
Could you please help me? I need to export events from Security, but each one with its details, for example WorkstationName, TargetUserName,
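The comment above is cut off, but the request (each Security event with its named details such as TargetUserName and WorkstationName) is answered by this added example, which is not code from the post. Those fields live in the event's EventData XML rather than in the flat Message text, so the example reads them by name. It assumes logon events 4624 and 4625 as sample IDs, a one-hour look-back and C:\temp\ as the destination; reading the Security log needs an elevated session.

```powershell
# Added example (not the original script): pull named EventData fields out of Security events
# and write one row per event to CSV.
$eventIds = 4624, 4625                     # assumption: logon success/failure as sample IDs
$fields   = 'TargetUserName', 'TargetDomainName', 'WorkstationName', 'IpAddress', 'LogonType'
$since    = (Get-Date).AddHours(-1)        # assumption: look back one hour
$csv      = 'C:\temp\security-logons.csv'

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Each <Data Name="..."> element under <EventData> holds one named field
    $xml = [xml]$Event.ToXml()
    $row = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName }
    foreach ($name in $fields) {
        $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }
        # An empty <Data> element has no '#text', which yields $null for that column
        $row[$name] = if ($node) { $node.'#text' } else { $null }
    }
    [pscustomobject]$row
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $eventIds; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData -Event $_ } |
    Export-Csv -Path $csv -NoTypeInformation

# Show what was written
Import-Csv $csv | Select-Object -First 5 | Format-Table -AutoSize
```

Add or remove names in $fields to match the event IDs you export; the names must match the Name attributes in the event's XML view in Event Viewer exactly.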