Windows 2008 Server R2 Event log issue
We're migrating to 2008 R2. As we move our printers, it has become apparent that the old method of exporting print events from the system log used with 2003 Server and before no longer works (dumpel). I've run into a few problems, not the least of which is my limited scripting ability. All we need to do is to be able to export the Microsoft-Windows-PrintSer
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi, is PSLogList able to work on 2008 R2?
http://technet.microsoft.com/en-us/sysinternals/bb897544
The -s switch should output to a CSV compatible format.
Regards,
Rob.
http://technet.microsoft.com/en-us/sysinternals/bb897544
The -s switch should output to a CSV compatible format.
Regards,
Rob.
ASKER
Thanks - I'll try this one out tomorrow. For anyone else with a similar issue, investigate the aforementioned wevtutil's qe function - I've succeeded in creating a command that'll execute a structured query from an xml file that will give me at least part of what I need (xml or text output to file). With any luck the new event log structure and formatting won't gum up PSLogList and I'll be able to extract a nice, simple CSV...
Thanks for the tip, Rob - I'll let you know how it goes!
Thanks for the tip, Rob - I'll let you know how it goes!
Sure, see how you go. I was more hoping you could just use PSLogList straight up, and not wevtutil, but see what you can come up with. I don't have access to a 2008 R2 server at the moment, although I can if need be.
Rob.
Rob.
ASKER
So far, no luck. The PsLogList doesn't seem to be able to locate the registry key:
HKLM\Software\Microsoft\Wi
where the specifics of the particular log I need to access reside.
It read the system log just fine, so it may just be a matter of getting the path syntax right...
HKLM\Software\Microsoft\Wi
where the specifics of the particular log I need to access reside.
It read the system log just fine, so it may just be a matter of getting the path syntax right...
Hmmm, I don't know anything about how the Event Logging works in Vista, Windows 7, or Server 2008, but, I did find this:
http://blogs.msdn.com/b/ntdebugging/archive/2009/09/08/exploring-and-decoding-etw-providers-using-event-log-channels.aspx
In my 2008 server, I right-click the PrintService/Operational log, and click Enable Log, but it doesn't show up in the Event Trace Sessions in Computer Management. I ran this in PowerShell -->
Get-WinEvent -ListProvider "print*"
but it didn't show the "Operational" log as having a provider with which to publish events. According to the above article, "Enabling" a log should automatically put the trace on it.
Anyway, while I keep looking, there's a couple of output commands in that article that may help you get what you need, although they all appear to be local commands, and not able to be executed remotely (presumably because it's not "published").
Regards,
Rob.
http://blogs.msdn.com/b/ntdebugging/archive/2009/09/08/exploring-and-decoding-etw-providers-using-event-log-channels.aspx
In my 2008 server, I right-click the PrintService/Operational log, and click Enable Log, but it doesn't show up in the Event Trace Sessions in Computer Management. I ran this in PowerShell -->
Get-WinEvent -ListProvider "print*"
but it didn't show the "Operational" log as having a provider with which to publish events. According to the above article, "Enabling" a log should automatically put the trace on it.
Anyway, while I keep looking, there's a couple of output commands in that article that may help you get what you need, although they all appear to be local commands, and not able to be executed remotely (presumably because it's not "published").
Regards,
Rob.
I just noticed that in the Performace --> Data Collector Sets --> Event Trace Sessions --> EventLog-Application data collector, under the Trace Providers tab is the Microsoft-Windows-PrintSer
Hmmm, the best I can do is run this PowerShell command:
Get-WinEvent -LogName "Microsoft-Windows-PrintSe
There's probably more options for Get-WinEvent for cleaner output, but I don't know PowerShell. If you want to run against a remote computer, try
Get-WinEvent -ComputerName "RemotePC" -LogName "Microsoft-Windows-PrintSe
It seems it's otherwise not possible to query this log using VBScript or PSLogList.
Regards,
Rob.
Get-WinEvent -LogName "Microsoft-Windows-PrintSe
There's probably more options for Get-WinEvent for cleaner output, but I don't know PowerShell. If you want to run against a remote computer, try
Get-WinEvent -ComputerName "RemotePC" -LogName "Microsoft-Windows-PrintSe
It seems it's otherwise not possible to query this log using VBScript or PSLogList.
Regards,
Rob.
ASKER
Ended up scripting wevtutil in PS. Much massaging of output required, though.
ASKER
Cheers!