• Status: Solved

Windows 2008 EventLog Export

The PS script exports the event log with all details to a text file.
The code was tested on Windows Server 2008 R2 and Windows 7 and it works fine.
If the PS script is used on 2008 or Vista, the event log details will not be exported.

Any comments?
# BKWBEvents.ps1
$inipath="c:\!AMC\log"
$outpath="c:\!AMC\snd"

function add2outfile ($a2ofstring)
{ 
 process
 {
   add-content "$outpath\WindowsBackupEvents.txt" $a2ofstring
   # write-host $a2ofstring
 }
}

#
$d1=(get-date)
$d1s=$d1.ToString("yyyyMMddHHmmss")
if ( -not(test-path "$inipath\Backup-WindowsBackup.ini") )
  { 
    set-content "$inipath\Backup-WindowsBackup.ini" $d1s
  }
#
$d2s="00010101000000"
$d2s=$d2s.insert(0,(get-content "$inipath\Backup-WindowsBackup.ini" -totalcount 1))
$d2=(get-date -year $d2s.substring(0,4) -month $d2s.substring(4,2) -day $d2s.substring(6,2) -hour $d2s.substring(8,2) -minute $d2s.substring(10,2) -second $d2s.substring(12,2))
#
set-content "$inipath\Backup-WindowsBackup.ini" $d1s
#


$start_time = $d2
# # # Server2008 R2 / Windows7
###$evtlst = Get-WinEvent -ErrorAction:SilentlyContinue -Oldest -FilterHashtable @{ logname="Microsoft-Windows-Backup"; StartTime=$start_time }
# # #

# # # Server2008 / Windows Vista
$evtlst = Get-WinEvent -Oldest -ProviderName "Microsoft-Windows-Backup" | where {$_.timecreated -ge $start_time}
# # #


if ($evtlst)
{
#
set-content "$outpath\WindowsBackupEvents.txt" ""
#
foreach ($evt in $evtlst) 
  { add2outfile("[WBEvent]")
    add2outfile("ProviderName = "+$evt.ProviderName)
    add2outfile("MachineName = "+$evt.MachineName)
    add2outfile("Level = "+$evt.Level)
    add2outfile("LevelDisplayName = "+$evt.LevelDisplayName)
    add2outfile("Opcode = "+$evt.Opcode)
    add2outfile("OpcodeDisplayName = "+$evt.OpcodeDisplayName)
    add2outfile("TimeCreated = " + (get-date -date $evt.TimeCreated -format "s") )
    add2outfile("ID = "+$evt.ID)
    add2outfile("Message = "+$evt.Message)
    add2outfile("")
    add2outfile("[WBEvent.Detail]")
    $e = [xml]$evt.toXML()
    foreach ( $z in $e.event.eventdata.data )
      {
        add2outfile(""+$z.name+ " = "+$z."#text")
      }
    #export-clixml "$outpath\WBEvents1.txt" -InputObject $evt.properties -depth 9
    add2outfile("")
    add2outfile("")
  }
}


0
jesaja
Asked:
 
Netman66Commented:
What version of Powershell?  I suspect it's 2.0 and the other OS are 1.0.

0
 
Netman66Commented:
0
 
jesajaAuthor Commented:
Sorry, I have to correct my description of the error.


PowerShell is version 2.0 on all systems, as I checked with get-host.

The command "$evtlst = Get-WinEvent -Oldest -ProviderName "Microsoft-Windows-Backup" | where {$_.timecreated -ge $start_time}" runs on both systems.

In Windows 2008 the output fields: LevelDisplayName, OpcodeDisplayName, Message, [WBEvent.Detail] are empty but in R2 the output is correct.

=> Output example:

Windows 2008 R2 Output:
----------------------------------
[WBEvent]
ProviderName = Microsoft-Windows-Backup
MachineName = server1.lan.local
Level = 3
LevelDisplayName = Warnung
Opcode = 0
OpcodeDisplayName = Info
TimeCreated = 2010-04-26T20:22:31
ID = 51
Message = Am Sicherungsspeicherort ist nur wenig freier Speicherplatz verfügbar. Bei weiteren Sicherungen, die an diesem Speicherort gespeichert werden sollen, tritt möglicherweise ein Fehler auf, da nicht genügend freier Speicherplatz zur Verfügung steht.

[WBEvent.Detail]
VolumeFriendlyName = F:
VolumeAccessPath = F:


Windows 2008 Output:
-----------------------------
[WBEvent]
ProviderName = Microsoft-Windows-Backup
MachineName = srv01.dichter.local
Level = 4
LevelDisplayName =
Opcode = 2
OpcodeDisplayName =
TimeCreated = 2010-04-27T05:30:00
ID = 754
Message =

[WBEvent.Detail]
 =

0

 
Netman66Commented:
Dot Net is at version 3.5 on the 2008 server?

0
 
jesajaAuthor Commented:
Yes, 3.5 is installed.
0
 
Netman66Commented:
Is there a localization difference between servers?  

I'm trying to contact one of our Powershell MVPs to see if he could pipe in here.

0
 
jesajaAuthor Commented:
No location difference.

Maybe Get-WinEvent has a different syntax in Windows 2008.
0
 
Netman66Commented:
According to the help files, your command should be the same.  I'm not sure why only partial information is populated on the 2008 box.  Was that entire package I linked to installed?  There are some providers that get added along with Powershell too.

0
 
jesajaAuthor Commented:
The update to PowerShell 2.00 was already applied (not by me), but just to make sure I downloaded the MSU; setup says that it can't be installed on the system. Thus it is already installed.
0
 
jesajaAuthor Commented:
Hi netman66, did you get in touch with your MVPs yet?
0
 
Netman66Commented:
Just made contact.  Hopefully, he can step up now.

I'll keep you posted.
0
 
Netman66Commented:
He should be able to jump in later on today.  Please hang tight.

0
 
marco_shawCommented:
I haven't found a single authoritative source, but I do see this:
PS> get-help get-winevent -full
...
Note: Get-WinEvent requires Windows Vista, Windows Server 2008 R2, or later versions of Windows. And, it requires the Microsoft .NET Framework 3.5 or a later version.
...

So, I'm reading from that: "works with Vista desktop client or newer and Server 2008 R2 servers or newer".  That wouldn't include Server 2008.  I'm slightly surprised since I understood that basically Vista=Server 2008 and Windows 7=Server 2008 R2 at least from a kernel perspective.

If that's correct, I suspect the underlying framework isn't there in Server 2008 for you to get access to those other properties.

I'll keep trying to see if I can find a definite answer that supports my assumption.
0
 
jesajaAuthor Commented:
Thanks anyway. If I know it is not working with PS this way, maybe with a VBS script.
0
 
marco_shawCommented:
I'm pretty sure VBS won't have any functionality to interact with ETW logs.  This is not a PowerShell issue.  You could equally try to use C# with the .NET classes, and you'll likely get the same results.
0
 
jesajaAuthor Commented:
As soon as I have time, probably never :) - I will try another method from scratch.
I will close the question, but if you find a solution please let me know.

0
 
jesajaAuthor Commented:
No solution found
0
 
Netman66Commented:
WMI should allow you to grab what you need.

http://msdn.microsoft.com/en-us/library/aa390413%28v=VS.85%29.aspx
0
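A defensive variant of the export loop for the Server 2008 output shown in this thread, added here as an example (it is not the asker's script and not a confirmed fix). It falls back to the numeric level in the event XML when the rendered fields come back empty, and it reads leaf values under either EventData or UserData instead of writing a blank " = " line. The name Format-WBEvent, the sample records and the UserData layout are assumptions.

```powershell
# Added example, not the asker's script. Written for PowerShell 2.0.
# Standard Windows event levels, used when LevelDisplayName is not rendered.
$LevelNames = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information'; 5 = 'Verbose' }

function Format-WBEvent ([string]$EventXml, [string]$LevelDisplayName, [string]$Message)
{
    $e   = [xml]$EventXml
    $sys = $e.Event.System
    $lvl = [int]$sys.Level
    if (-not $LevelDisplayName) {
        # Rendered name missing: derive it from the numeric level in the XML.
        $LevelDisplayName = if ($LevelNames.ContainsKey($lvl)) { $LevelNames[$lvl] } else { "Level $lvl" }
    }
    if (-not $Message) { $Message = '(message not rendered on this system)' }

    '[WBEvent]'
    'ProviderName = ' + $sys.Provider.GetAttribute('Name')
    "Level = $lvl"
    "LevelDisplayName = $LevelDisplayName"
    'TimeCreated = ' + $sys.TimeCreated.GetAttribute('SystemTime')
    'ID = ' + $e.SelectSingleNode("//*[local-name()='EventID']").InnerText
    "Message = $Message"
    ''
    '[WBEvent.Detail]'
    # Leaf elements under EventData or UserData; the original loop only read EventData/Data.
    $leaves = $e.SelectNodes("/*/*[local-name()='EventData' or local-name()='UserData']//*[not(*)]")
    if ($leaves.Count -eq 0) { '(no EventData/UserData payload in the event XML)' }
    foreach ($n in $leaves) {
        $name = if ($n.HasAttribute('Name')) { $n.GetAttribute('Name') } else { $n.LocalName }
        "$name = $($n.InnerText)"
    }
    ''
}

# Constructed sample records (not captured from a real system).
$ns   = 'http://schemas.microsoft.com/win/2004/08/events/event'
$hdr  = "<Event xmlns='$ns'><System><Provider Name='Microsoft-Windows-Backup'/>"
$r2   = $hdr + "<EventID>51</EventID><Level>3</Level><TimeCreated SystemTime='2010-04-26T20:22:31Z'/></System>" +
        "<EventData><Data Name='VolumeFriendlyName'>F:</Data></EventData></Event>"
$w2k8 = $hdr + "<EventID>754</EventID><Level>4</Level><TimeCreated SystemTime='2010-04-27T05:30:00Z'/></System>" +
        "<UserData><BackupInfo><VolumeName>F:</VolumeName></BackupInfo></UserData></Event>"  # assumed layout

Format-WBEvent $r2 'Warnung' 'constructed message text'
Format-WBEvent $w2k8 '' ''   # rendered fields empty, as in the Server 2008 output

# Live use: Get-WinEvent -Oldest -ProviderName 'Microsoft-Windows-Backup' |
#   ForEach-Object { Format-WBEvent $_.ToXml() $_.LevelDisplayName $_.Message }
```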
Question has a verified solution.
