JB4375 asked:
Write Specific Events to File

I have a script that captures event properties for the following event ID's: 560,562,567,577,578. I need to know how to output this to a CSV file.

Also, is there a way to append ONLY previously unwritten items? For example: If I write the all the entries on the first day, and then how would I append the new items that have occurred since then?

Below is the code.

Thanks!!

#Connect to Remote Computer Event Log (the computer name must be passed as a string)
$logs = [System.Diagnostics.EventLog]::GetEventLogs("RemotePC")

# Connect to Security Log
$colItems = $logs | Where-Object { $_.Log -eq 'Security' }
$entries = $colItems.Entries

#Filter for these events
$events = @(560,562,567,577,578)

foreach ($item in $entries) {
    if ($events -contains $item.EventID) {

        #Write/Format Data on One Line (Data is the raw byte array; Message holds the rendered text)
        $item.MachineName + " " + $item.EventID + " " + $item.TimeWritten + " " + $item.Category + " " + $item.EntryType + " " + $item.UserName + " " + $item.Data + " " + $item.Source + " " + $item.TimeGenerated
        Write-Host
    }
}

ASKER CERTIFIED SOLUTION by Chris Dent
JB4375 (asker):

Hey Chris,
The answer is:
A. I was just sent to a Powershell training class despite wanting to wait a few months until the 2.0 class was available.
B. Having issues getting the necessary patches to load on my PC and not wanting to do a complete overhaul due to the amount of software I have installed.
C. All of the above.
Answer: C
I'm going to give it another shot. I'm quickly realizing that 2.0 has too many of these overhauls to miss out on. Also, the date filtering sounds like it has some potential.
I'm either going to do that, or run the script every 24 hours and incorporate the date into the name of the file. Then they can worry about going over the data.
I may come back up with another question later but this will give me something to go on.
Thanks!!

JB4375 (asker):

Thanks Chris... great assist as always!!

Get-EventLog isn't all that much more efficient (operationally) than the method you're using above; it's really just something for simplicity. If you want to stick with this and add in some date filtering I'll happily help you finish it off :)

If you go for date filtering, you might import the last file, then use the last date from that as the starting point for filtering the next.

Chris
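
As an added example (not Chris Dent's or JB4375's code), the approach Chris describes carried through: read the last export to find where the previous run stopped, pull only newer Security entries with Get-EventLog's date filtering, keep the five event IDs from the question, and append them to the CSV. It assumes PowerShell 2.0 or later (Get-EventLog -After and -ComputerName, ConvertTo-Csv), the placeholder computer name RemotePC from the question, a constructed output path, and an account that can read the remote Security log. It also goes one step beyond the thread by using the entry's Index (the log's own record number) rather than the timestamp alone as the "already written" marker, since several audit events can share the same second.

```powershell
# Added example, not code from the original thread.
# Assumes PowerShell 2.0+, the placeholder computer name from the question,
# and a constructed output path.
param(
    [string]$ComputerName = 'RemotePC',
    [string]$OutFile      = 'C:\Logs\RemotePC-Security.csv',
    [int[]]$EventIds      = @(560, 562, 567, 577, 578)
)

$props = 'MachineName', 'Index', 'EventID', 'TimeGenerated', 'TimeWritten',
         'Category', 'EntryType', 'UserName', 'Source', 'Message'

# Watermark from the previous export: the highest record number (Index) already
# written and its timestamp. Index is the log's own record number, so it is a
# safer "already seen" marker than the timestamp (many events can share one second).
$lastIndex = 0
$after     = (Get-Date).AddDays(-1)      # first run: last 24 hours only
if (Test-Path $OutFile) {
    $previous = Import-Csv $OutFile
    if ($previous) {
        $newest    = $previous | Sort-Object { [int]$_.Index } | Select-Object -Last 1
        $lastIndex = [int]$newest.Index
        # Small overlap so nothing falls between runs; the Index test below removes duplicates.
        $after     = ([datetime]$newest.TimeGenerated).AddMinutes(-5)
    }
}

# -After narrows the result set; the Index comparison drops the overlap and any
# event written in the same second as the last exported entry.
$new = Get-EventLog -LogName Security -ComputerName $ComputerName -After $after |
    Where-Object { $EventIds -contains $_.EventID -and $_.Index -gt $lastIndex } |
    Sort-Object Index |
    Select-Object $props

if (-not $new) {
    Write-Host "No new events on $ComputerName since $after"
    return
}

if (Test-Path $OutFile) {
    # Append without repeating the header row (Export-Csv -Append needs PowerShell 3.0).
    $new | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1 | Add-Content -Path $OutFile
} else {
    $new | Export-Csv -Path $OutFile -NoTypeInformation
}
Write-Host ("Wrote {0} event(s) to {1}" -f @($new).Count, $OutFile)
```

Run it on a schedule (the 24-hour task the asker mentions works fine) and each run adds only records with an Index higher than the last one in the file. Because the watermark comes from the CSV itself, the file is the single source of truth for what has been collected; if it is deleted or rolled to a dated name, the next run simply starts a fresh file from the last 24 hours.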