Windows 2008 EventLog Export

The ps script exports the event log with all details to a text file.
The code was tested in Windows Server 2008 R2 and Windows 7 and it works fine.
If the ps script is used in 2008 or Vista, the event log details will not be exported.

Any comments?
# BKWBEvents.ps1
$inipath="c:\!AMC\log"
$outpath="c:\!AMC\snd"

function add2outfile ($a2ofstring)
{ 
 process
 {
   add-content "$outpath\WindowsBackupEvents.txt" $a2ofstring
   # write-host $a2ofstring
 }
}

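# Current time in yyyyMMddHHmmss form; written back below as the new checkpoint
$d1=(get-date)
$d1s=$d1.ToString("yyyyMMddHHmmss")
# First run: create the checkpoint file with the current time
if ( -not(test-path "$inipath\Backup-WindowsBackup.ini") )
  { 
    set-content "$inipath\Backup-WindowsBackup.ini" $d1s
  }
# Read the previous checkpoint (first line of the ini file); the default string
# that follows it keeps the substring calls in range if the file is short or empty
$d2s="00010101000000"
$d2s=$d2s.insert(0,(get-content "$inipath\Backup-WindowsBackup.ini" -totalcount 1))
$d2=(get-date -year $d2s.substring(0,4) -month $d2s.substring(4,2) -day $d2s.substring(6,2) -hour $d2s.substring(8,2) -minute $d2s.substring(10,2) -second $d2s.substring(12,2))
# Store the new checkpoint for the next run
set-content "$inipath\Backup-WindowsBackup.ini" $d1s
#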


$start_time = $d2
# # # Server2008 R2 / Windows7
###$evtlst = Get-WinEvent -ErrorAction:SilentlyContinue -Oldest -FilterHashtable @{ logname="Microsoft-Windows-Backup"; StartTime=$start_time }
# # #

# # # Server2008 / Windows Vista
$evtlst = Get-WinEvent -Oldest -ProviderName "Microsoft-Windows-Backup" | where {$_.timecreated -ge $start_time}
# # #


if ($evtlst)
{
#
set-content "$outpath\WindowsBackupEvents.txt" ""
#
foreach ($evt in $evtlst) 
  { add2outfile("[WBEvent]")
    add2outfile("ProviderName = "+$evt.ProviderName)
    add2outfile("MachineName = "+$evt.MachineName)
    add2outfile("Level = "+$evt.Level)
    add2outfile("LevelDisplayName = "+$evt.LevelDisplayName)
    add2outfile("Opcode = "+$evt.Opcode)
    add2outfile("OpcodeDisplayName = "+$evt.OpcodeDisplayName)
    add2outfile("TimeCreated = " + (get-date -date $evt.TimeCreated -format "s") )
    add2outfile("ID = "+$evt.ID)
    add2outfile("Message = "+$evt.Message)
    add2outfile("")
    add2outfile("[WBEvent.Detail]")
    $e = [xml]$evt.toXML()
    foreach ( $z in $e.event.eventdata.data )
      {
        add2outfile(""+$z.name+ " = "+$z."#text")
      }
    #export-clixml "$outpath\WBEvents1.txt" -InputObject $evt.properties -depth 9
    add2outfile("")
    add2outfile("")
  }
}

jesajaAsked:
Netman66Commented:
What version of Powershell?  I suspect it's 2.0 and the other OS are 1.0.

0
Netman66Commented:
0
jesajaAuthor Commented:
Sorry, I have to correct my description of the error.

PowerShell is Version 2.0 on all systems, as I checked with get-host.

The command "$evtlst = Get-WinEvent -Oldest -ProviderName "Microsoft-Windows-Backup" | where {$_.timecreated -ge $start_time}" runs on both systems

In Windows 2008 the output fields: LevelDisplayName, OpcodeDisplayName, Message, [WBEvent.Detail] are empty but in R2 the output is correct.

=> Output example:

Windows 2008 R2 Output:
----------------------------------
[WBEvent]
ProviderName = Microsoft-Windows-Backup
MachineName = server1.lan.local
Level = 3
LevelDisplayName = Warnung
Opcode = 0
OpcodeDisplayName = Info
TimeCreated = 2010-04-26T20:22:31
ID = 51
Message = Am Sicherungsspeicherort ist nur wenig freier Speicherplatz verfügbar. Bei weiteren Sicherungen, die an diesem Speicherort gespeichert werden sollen, tritt möglicherweise ein Fehler auf, da nicht genügend freier Speicherplatz zur Verfügung steht.

[WBEvent.Detail]
VolumeFriendlyName = F:
VolumeAccessPath = F:


Windows 2008 Output:
-----------------------------
[WBEvent]
ProviderName = Microsoft-Windows-Backup
MachineName = srv01.dichter.local
Level = 4
LevelDisplayName =
Opcode = 2
OpcodeDisplayName =
TimeCreated = 2010-04-27T05:30:00
ID = 754
Message =

[WBEvent.Detail]
 =

0
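An added example, not part of the original thread or the poster's script: a detail-export helper that copes with events carrying no named `<Data>` elements, the case the Windows 2008 output above shows as a lone " =" line. The sample XML and the helper name `Get-WBEventDetailLines` are constructed for illustration; the raw XML of the real 2008 event is not shown on the page.

```powershell
# Constructed sample XML, modelled on the two outputs quoted in this thread.
$xmlNamed = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>51</EventID></System>
  <EventData>
    <Data Name="VolumeFriendlyName">F:</Data>
    <Data Name="VolumeAccessPath">F:</Data>
  </EventData>
</Event>
'@
$xmlNoData = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>754</EventID></System>
</Event>
'@

# Hypothetical helper: builds the [WBEvent.Detail] lines from one event's XML.
function Get-WBEventDetailLines ([string]$eventXml)
{
  $doc = New-Object System.Xml.XmlDocument
  $doc.LoadXml($eventXml)
  $lines = @()
  $i = 0
  # GetElementsByTagName returns an empty list (never $null) when the event
  # has no <Data> element, so the loop body is skipped. A plain
  # "foreach ($z in $null)" runs its body once in PowerShell 2.0, which is
  # one way a lone " = " line can end up in the export.
  foreach ($node in $doc.GetElementsByTagName("Data"))
  {
    $name = $node.GetAttribute("Name")        # empty string when absent
    if ($name -eq "") { $name = "Data[$i]" }  # unnamed payload: keep its position
    $lines += "$name = " + $node.InnerText
    $i++
  }
  if ($lines.Count -eq 0)
  {
    # Nothing structured to export: keep the raw XML so the record is not lost.
    $lines += "RawXml = " + $doc.DocumentElement.OuterXml
  }
  return $lines
}

Get-WBEventDetailLines $xmlNamed
Get-WBEventDetailLines $xmlNoData
```

In the original script the same helper could be fed `$evt.ToXml()` in place of the constructed strings.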

Netman66Commented:
Dot Net is at version 3.5 on the 2008 server?

0
jesajaAuthor Commented:
yes, 3.5 is installed
0
Netman66Commented:
Is there a localization difference between servers?  

I'm trying to contact one of our Powershell MVPs to see if he could pipe in here.

0
jesajaAuthor Commented:
no location difference

Maybe Get-WinEvent has a different syntax in Windows 2008.
0
Netman66Commented:
According to the help files, your command should be the same.  I'm not sure why only partial information is populated on the 2008 box.  Was that entire package I linked to installed?  There are some providers that get added along with Powershell too.

0
jesajaAuthor Commented:
The update to PowerShell 2.00 was already applied (not by me), but just to make sure I downloaded the msu; setup says that it can't be installed on the system, thus it is already installed.
0
jesajaAuthor Commented:
Hi netman66, did you get in touch with your MVPs yet?
0
Netman66Commented:
Just made contact.  Hopefully, he can step up now.

I'll keep you posted.
0
Netman66Commented:
He should be able to jump in later on today.  Please hang tight.

0

marco_shawCommented:
I haven't found a single authoritative source, but I do see this:
PS> get-help get-winevent -full
...
Note: Get-WinEvent requires Windows Vista, Windows Server 2008 R2, or later versions of Windows. And, it requires the Microsoft .NET Framework 3.5 or a later version.
...

So, I'm reading from that: "works with Vista desktop client or newer and Server 2008 R2 servers or newer".  That wouldn't include Server 2008.  I'm slightly surprised since I understood that basically Vista=Server 2008 and Windows 7=Server 2008 R2 at least from a kernel perspective.

If that's correct, I suspect the underlying framework isn't there in Server 2008 for you to get access to those other properties.

I'll keep trying to see if I can find a definite answer that supports my assumption.
0
jesajaAuthor Commented:
Thanks anyway. If I know it is not working with PS this way, maybe with a VBS script.
0
marco_shawCommented:
I'm pretty sure VBS won't have any functionality to interact with ETW logs.  This is not a PowerShell issue.  You could equally try to use C# with the .NET classes, and you'll likely get the same results.
0
jesajaAuthor Commented:
As soon as I have time, probably never :) - I will try another method from scratch.
I will close the question, but if you find a solution please let me know.

0
jesajaAuthor Commented:
No solution found
0
Netman66Commented:
WMI should allow you to grab what you need.

http://msdn.microsoft.com/en-us/library/aa390413%28v=VS.85%29.aspx
0