Solved

PowerShell script to export specific Windows application event

Posted on 2011-03-05
Last Modified: 2012-05-11
Hi,

I need a script to export a specific Application event from a Windows 2008 server.

The script must export all information of this event and include the description.

The event IDs are 703 and 1221.

The script must store the output result in a local folder and email a copy of the file.

The script must only export these events for the effective date. For example, if I launch the script on 5 March, the script must only export the log of events 703 and 1221 for 5 March.

Thanks for your help.
0
Question by:cawasaki
33 Comments
 
LVL 12

Expert Comment

by:prashanthd
ID: 35045929
Hi,

Try this code; edit the date, from, to, SMTP server and output file path.

regards
Prashanth

################################################################

$dt=Get-Date "03/05/2011" # Change date to check for
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from
$output_file_path="C:\" # output file path
#################################################################

$dt
$adt=$dt
$bdt=$dt.adddays(+1)
$bdt
$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################
0
 

Author Comment

by:cawasaki
ID: 35046016
I'll try.
0
 

Author Comment

by:cawasaki
ID: 35046028
Why do I need to edit the date?

The script must work automatically?
0
 

Author Comment

by:cawasaki
ID: 35046037
Hi,

I have an error:

[PS] C:\Temp>.\test.ps1

jeudi 3 mars 2011 00:00:00
vendredi 4 mars 2011 00:00:00
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:16 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046046
Modified the code, test now

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$dt=Get-Date
$adt=$dt.ToShortDateString()
$adt
$bdt=$dt.adddays(+1)
$bdt=$bdt.ToShortDateString()
$bdt

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046052
I'll test, 2 min.
0
 

Author Comment

by:cawasaki
ID: 35046059
Same error:

[PS] C:\Temp>.\test.ps1
06/03/2011
07/03/2011
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:17 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046060
What is the OS language being used?

I do not understand jeudi, vendredi
0
 

Author Comment

by:cawasaki
ID: 35046073
OK lol sorry, it's French, but I have also tested on the English system.

jeudi is THURSDAY

vendredi is FRIDAY
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046100
Np... are you getting the same errors on the English system also?
0
 

Author Comment

by:cawasaki
ID: 35046251
Yes, same error in the English version.

It's Windows 2008 SP1.

The script works for you?
0
 

Author Comment

by:cawasaki
ID: 35046302
And why do I see this date when I launch the script:

06/03/2011
07/03/2011


07/03/2011 is tomorrow's date, it's normal????
0
 

Author Comment

by:cawasaki
ID: 35046609
OK, the problem is the version of PowerShell: I have version 1.0 and your script works only in version 2.0???
0
 
LVL 12

Accepted Solution

by:
prashanthd earned 500 total points
ID: 35046612
Hmmm... PowerShell versions. Anyway, modified the code and test, please try now

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten 
} | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046617
Please replace $dt with $today
0
 

Author Comment

by:cawasaki
ID: 35046666
Hi,

Now I have another error:

PS C:\Temp> .\test.ps1

dimanche 6 mars 2011 00:00:00
out-lineoutput : Object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not legal or not in
the correct sequence. This is likely caused by a user-specified "format-list" command which is conflicting with the def
ault formatting.

0

 
LVL 12

Expert Comment

by:prashanthd
ID: 35046755
Is the following on one single line? If not, ensure the entire line is one single line and try:

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046762
Formatted the same..
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $today.month +"_"+ $today.day +"_"+ $today.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $today
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046777
It is on one line!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046793
Can you remove "| format-list" and try?
0
 

Author Comment

by:cawasaki
ID: 35046896
OK, it works, and the other version works in PowerShell v2, I have tested.

Now, is it possible to launch this script for a remote server?

Thanks
0
 

Author Comment

by:cawasaki
ID: 35046961
Hi,

OK, simple: I add -computer and it's OK.

Now a small problem: on my server I have 100000 logs in the Application log, and the script takes a long time to finish.

Is it possible to make it check the event log only for the effective date and quit after that?

Thanks
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046982
Actually both the scripts are filtering the events only for today. Which script are you using, the one for PowerShell v2 or v1?

0
 

Author Comment

by:cawasaki
ID: 35046992
V2.

The problem: I have launched the script and it has not ended! 20 minutes and no end!

 
0
 

Author Comment

by:cawasaki
ID: 35047012
I suspect the script searches all events in the whole log and exports only the events for the right date. So in my case, I have a lot of events in the Application event log!

0
 

Author Comment

by:cawasaki
ID: 35047030
And if I launch the 2 scripts to test on another server with a small Application event log, it's too fast!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35047072
You can add an additional filter, -entrytype information, as both the events are of type Information.

You can add this after "application": -entrytype information
0
 

Author Comment

by:cawasaki
ID: 35047522
Same problem, the script takes a long time.
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35051572
Maybe you should look at the following tool, as this executes the command on the remote server

PsLogList
http://technet.microsoft.com/en-us/sysinternals/bb897544

Test if the tool is retrieving faster..
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35054175
0
 

Author Comment

by:cawasaki
ID: 35055048
OK, the best solution for me is to use this command:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result | Out-File $output_file_path

It is too fast now, but my result file is empty!

When I execute just:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

I can view the correct log in my script!

Any help?
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35055157
Tested the following and it worked fine. Have you checked the full script where a value is assigned to $output_file_path? Also, just add $result before outputting the file; this will display the results on screen before writing to the file.

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result

$result | Out-File $output_file_path

0
 

Author Closing Comment

by:cawasaki
ID: 35055817
Works, thanks
0
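
Added example (not part of any post in this thread): the slowness discussed above comes from Get-EventLog returning every record so that Where-Object can filter on the client, and -Newest 1000 can miss events on a busy log. On PowerShell 2.0 and Windows Server 2008, Get-WinEvent -FilterHashtable filters by ID and time on the target host instead. Server name, folder and mail addresses are placeholders.

```powershell
# Added example: placeholder values below are assumptions, not from the thread.
$Server      = 'servername'            # remote host, as with -ComputerName in the thread
$EventIds    = 703, 1221
$OutDir      = 'C:\Temp'               # assumed output folder
$FromAddress = 'reports@example.com'   # placeholder
$ToAddress   = 'admin@example.com'     # placeholder
$SmtpServer  = 'smtp.example.com'      # placeholder

# Window for the current day: from 00:00 today up to 00:00 tomorrow.
$start = [DateTime]::Today
$end   = $start.AddDays(1)

# The hashtable becomes a query evaluated by the event log service on $Server,
# so only matching records are returned instead of the whole log.
$filter = @{ LogName = 'Application'; Id = $EventIds; StartTime = $start; EndTime = $end }

# "No matching events" is reported as an error; treat that one case as an
# empty result, but stop on anything else (host unreachable, access denied)
# so a failed query is never reported as a quiet day.
$events = @(Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue -ErrorVariable err)
if ($err.Count -gt 0 -and $err[0].FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw $err[0] }

$outFile = Join-Path $OutDir ('{0:yyyy-MM-dd}_{1}_EventLog.txt' -f $start, $Server)
if ($events.Count -eq 0) {
    "No events $($EventIds -join ', ') on $Server for $($start.ToShortDateString())" | Out-File $outFile
} else {
    # Format-List is applied only at the point of writing, so $events stays
    # a collection of event objects that can still be counted or filtered.
    $events | Sort-Object TimeCreated |
        Select-Object Id, TimeCreated, ProviderName, LevelDisplayName, Message |
        Format-List | Out-File $outFile -Width 4096
}

# Mail the file the same way as the thread's script, then dispose the message
# so the attachment's file handle is released.
$subject = "Eventlog report for $Server - $($start.ToShortDateString())"
$msg = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $subject, "$($events.Count) event(s), see attachment"
$msg.Attachments.Add((New-Object System.Net.Mail.Attachment $outFile))
$smtp = New-Object System.Net.Mail.SmtpClient $SmtpServer
try { $smtp.Send($msg) } finally { $msg.Dispose() }
```

Get-WinEvent does not exist in PowerShell 1.0, so this only applies to the v2 case the asker confirmed.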
