Solved

powershell script to export specific Windows application event

Posted on 2011-03-05
Last Modified: 2012-05-11
Hi,

I need a script to export a specific Application event from a Windows 2008 server.

The script must export all information of this event and include the description.

The event IDs are 703 and 1221.

The script must store the output result in a local folder and email a copy of the file.

The script must only export these events for the effective date. For example, if I launch the script on 5 March, the script must only export the log of events 703 and 1221 for 5 March.

Thanks for your help.
Question by:cawasaki
33 Comments
 
LVL 12

Expert Comment

by:prashanthd
ID: 35045929
Hi,

Try this code; edit the date, from, to, SMTP server and output file path.

regards
Prashanth

################################################################

$dt=Get-Date "03/05/2011" # Change date to check for
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from
$output_file_path="C:\" # output file path
#################################################################

$dt
$adt=$dt
$bdt=$dt.adddays(+1)
$bdt
$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################
0
 

Author Comment

by:cawasaki
ID: 35046016
I'll try.
0
 

Author Comment

by:cawasaki
ID: 35046028
Why do I need to edit the date?

The script must work automatically?
0

 

Author Comment

by:cawasaki
ID: 35046037
Hi,

I have an error:

[PS] C:\Temp>.\test.ps1

jeudi 3 mars 2011 00:00:00
vendredi 4 mars 2011 00:00:00
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:16 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046046
Modified the code, test now

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$dt=Get-Date
$adt=$dt.ToShortDateString()
$adt
$bdt=$dt.adddays(+1)
$bdt=$bdt.ToShortDateString()
$bdt

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046052
I'll test, 2 min.
0
 

Author Comment

by:cawasaki
ID: 35046059
Same error:

[PS] C:\Temp>.\test.ps1
06/03/2011
07/03/2011
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:17 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046060
What is the OS language being used?

I do not understand jeudi,vendredi
0
 

Author Comment

by:cawasaki
ID: 35046073
OK lol sorry, it's French, but I have also tested on the English system.

 jeudi is THURSDAY

vendredi is FRIDAY
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046100
Np... are you getting the same errors on the English system also?
0
 

Author Comment

by:cawasaki
ID: 35046251
Yes, same error in the English version.

It's a Windows 2008 SP1.

Does the script work for you?
0
 

Author Comment

by:cawasaki
ID: 35046302
And why do I see these dates when I launch the script:

06/03/2011
07/03/2011


07/03/2011 is tomorrow's date, is that normal?
0
 

Author Comment

by:cawasaki
ID: 35046609
OK, the problem is the version of PowerShell: I have version 1.0 and your script works only in version 2.0???
0
 
LVL 12

Accepted Solution

by:
prashanthd earned 500 total points
ID: 35046612
hmmm...powershell versions, anyway modified the code and test, please try now

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten 
} | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046617
Please replace $dt with $today
0
 

Author Comment

by:cawasaki
ID: 35046666
Hi,

Now I have another error:

PS C:\Temp> .\test.ps1

dimanche 6 mars 2011 00:00:00
out-lineoutput : Object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not legal or not in
the correct sequence. This is likely caused by a user-specified "format-list" command which is conflicting with the def
ault formatting.


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046755
Is the following on one single line? If not, ensure the entire line is one single line and try.

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046762
Formatted the same..
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $today.month +"_"+ $today.day +"_"+ $today.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $today
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046777
It is on one line!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046793
Can you remove "| format-list" and try?
0
 

Author Comment

by:cawasaki
ID: 35046896
OK, it works, and the other version works in PowerShell v2, I have tested.

Now, is it possible to launch this script for a remote server?

Thanks
0
 

Author Comment

by:cawasaki
ID: 35046961
Hi,

OK, simple, I add -computer and it's OK.

Now a small problem. On my server I have 100000 logs in the Application log, and the script takes a long time to finish.

Is it possible to make it only check the event log for just the effective date and quit after that?

Thanks
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046982
Actually both the scripts are filtering the events only for today, which script are you using the one for powershell v2 or v1?

0
 

Author Comment

by:cawasaki
ID: 35046992
V2.

The problem: I have launched the script and it has not ended! 20 minutes and it has not ended!

 
0
 

Author Comment

by:cawasaki
ID: 35047012
I suspect the script searches all events in all the log and exports only the events for the right date. So in my case, I have a lot of events in the Application event log!

0
 

Author Comment

by:cawasaki
ID: 35047030
And if I launch the 2 scripts to test on another server with a small Application event log, it is too fast!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35047072
You can add additional filter -entrytype information as both the events are of type information.

you can add this after "application" -entrytype information
0
 

Author Comment

by:cawasaki
ID: 35047522
same problem, the script take a long time.
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35051572
Maybe you should look at the following tool, as this executes the command on the remote server

PsLogList
http://technet.microsoft.com/en-us/sysinternals/bb897544

Test if the tool is retrieving faster..
0
 

Author Comment

by:cawasaki
ID: 35055048
OK, the best solution for me is to use this command:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result | Out-File $output_file_path

It is too fast now, but my result file is empty!

When I execute just:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

I can view the correct log in my script!

Any help?
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35055157
Tested the following and worked fine, have you checked the full script where a value is assigned to $output_file_path, also just add $result before outputting the file, this will display results to screen, before writing to the file

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result

$result | Out-File $output_file_path

0
 

Author Closing Comment

by:cawasaki
ID: 35055817
Works, thanks
0
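
An added example, not posted by anyone in this thread, for the slow run on the 100000-entry log: it passes the event IDs and the one-day window to the event log service as an XPath filter, so only matching records come back instead of every entry being piped through Where-Object. It assumes PowerShell 2.0 or later (Get-WinEvent does not exist in 1.0); the server name, output folder and mail settings are placeholders.

```powershell
# Added example. Placeholder settings: fill these in before running.
$ComputerName  = "servername"   # remote server to query
$EventIds      = 703, 1221      # event IDs from the question
$OutputFolder  = "C:\Temp"      # local folder for the report
$FromAddress   = ""             # sender address
$ToAddress     = ""             # recipient address
$SendingServer = ""             # SMTP or relay server

# One-day window: midnight today (inclusive) to midnight tomorrow (exclusive).
$start = [DateTime]::Today
$end   = $start.AddDays(1)

# Event records carry their timestamp in UTC; "s" is a culture-invariant format,
# so the filter is the same on French and English systems.
$startUtc = $start.ToUniversalTime().ToString("s") + ".000Z"
$endUtc   = $end.ToUniversalTime().ToString("s") + ".000Z"

# XPath filter: (EventID=703 or EventID=1221) within the time window.
$idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join " or "
$xpath = "*[System[($idClause) and TimeCreated[@SystemTime>='$startUtc' and @SystemTime<'$endUtc']]]"

# "No events found" is reported as a non-terminating error; treat it as an empty result.
$events = @(Get-WinEvent -LogName Application -ComputerName $ComputerName `
                         -FilterXPath $xpath -ErrorAction SilentlyContinue)

# Format-List is the last step before Out-File and nothing else is written to
# the output stream, which avoids the FormatStartData error seen in the thread.
$outFile = Join-Path $OutputFolder ("{0:MM_dd_yyyy}_EventLog.txt" -f $start)
$events | Select-Object Id, TimeCreated, ProviderName, Message |
    Format-List | Out-File $outFile -Width 4096

# Mail the report with the same System.Net.Mail classes the thread uses.
$subject = "Eventlog Report for - {0:yyyy-MM-dd}" -f $start
$body    = "{0} matching event(s) on {1}. Check attachment." -f $events.Count, $ComputerName
$message = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $subject, $body
$message.Attachments.Add((New-Object System.Net.Mail.Attachment $outFile))
$smtp = New-Object System.Net.Mail.SmtpClient $SendingServer
try     { $smtp.Send($message) }
finally { $message.Dispose() }   # also releases the handle on the attached file
```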


Question has a verified solution.
