Solved

powershell script to export specific Windows application event

Posted on 2011-03-05
Last Modified: 2012-05-11
Hi,

I need a script to export a specific Application event from a Windows 2008 server.

The script must export all information of this event and include the description.

The event id is (703 and 1221).

The script must store the output result in a local folder and email a copy of the file.

The script must only export this event with the effective date; for example, if I launch the script on 5 March, the script must only export the log of events 703 and 1221 for 5 March.

Thanks for your help.
Question by:cawasaki
 
LVL 12

Expert Comment

by:prashanthd
ID: 35045929
Hi,

Try this code; edit the date, from, to, SMTP server and output file path.

regards
Prashanth

################################################################

$dt=Get-Date "03/05/2011" # Change date to check for
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from
$output_file_path="C:\" # output file path
#################################################################

$dt
$adt=$dt
$bdt=$dt.adddays(+1)
$bdt
$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################
0
 

Author Comment

by:cawasaki
ID: 35046016
I try
0
 

Author Comment

by:cawasaki
ID: 35046028
Why do I need to edit the date?

The script must work automatically?
0
 

Author Comment

by:cawasaki
ID: 35046037
Hi,

I have an error:

[PS] C:\Temp>.\test.ps1

jeudi 3 mars 2011 00:00:00
vendredi 4 mars 2011 00:00:00
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:16 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046046
Modified the code, test now

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$dt=Get-Date
$adt=$dt.ToShortDateString()
$adt
$bdt=$dt.adddays(+1)
$bdt=$bdt.ToShortDateString()
$bdt

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046052
I test, 2 min
0
 

Author Comment

by:cawasaki
ID: 35046059
same error:

[PS] C:\Temp>.\test.ps1
06/03/2011
07/03/2011
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:17 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046060
What is the OS language being used?

I do not understand jeudi, vendredi
0
 

Author Comment

by:cawasaki
ID: 35046073
OK lol sorry, it's French, but I have also tested on the English system.

jeudi is THURSDAY

vendredi is FRIDAY
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046100
Np... are you getting the same errors on the English system also?
0
 

Author Comment

by:cawasaki
ID: 35046251
Yes, same error in the English version.

It's a Windows 2008 SP1.

Does the script work for you?
0
 

Author Comment

by:cawasaki
ID: 35046302
And why do I see these dates when I launch the script:

06/03/2011
07/03/2011


07/03/2011 is tomorrow's date, is that normal????
0
 

Author Comment

by:cawasaki
ID: 35046609
OK, the problem is the version of PowerShell: I have version 1.0 and your script works only in version 2.0???
0
 
LVL 12

Accepted Solution

by:
prashanthd earned 2000 total points
ID: 35046612
hmmm...powershell versions, anyway modified the code and test, please try now

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten 
} | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046617
Please replace $dt with $today
0
 

Author Comment

by:cawasaki
ID: 35046666
Hi,

Now I have another error:

PS C:\Temp> .\test.ps1

dimanche 6 mars 2011 00:00:00
out-lineoutput : Object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not legal or not in
the correct sequence. This is likely caused by a user-specified "format-list" command which is conflicting with the def
ault formatting.


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046755
Is the following on one single line? If not, ensure the entire line is one single line and try.

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046762
Formatted the same..
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $today.month +"_"+ $today.day +"_"+ $today.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $today
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046777
It is on one line!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046793
Can you remove "| format-list" and try?
0
 

Author Comment

by:cawasaki
ID: 35046896
OK, it works, and the other version works in PowerShell v2, I have tested.

Now, is it possible to launch this script for a remote server?

Thanks
0
 

Author Comment

by:cawasaki
ID: 35046961
Hi,

OK, simple, I add -computer and it's OK.

Now a small problem. On my server I have 100000 logs in the Application log, and the script takes a long time to finish.

Is it possible to make it only check the event log for just the effective date and quit after that?

Thanks
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046982
Actually both scripts are filtering the events only for today. Which script are you using, the one for PowerShell v2 or v1?

0
 

Author Comment

by:cawasaki
ID: 35046992
V2.

The problem: I have launched the script and it has not ended! 20 minutes and it has not ended!

 
0
 

Author Comment

by:cawasaki
ID: 35047012
I suspect the script searches all events in all the log and exports only the events for the good date. So in my case, I have a lot of events in the Application event log!

0
 

Author Comment

by:cawasaki
ID: 35047030
And if I launch the 2 scripts to test on another server with a small Application event log, it is too fast!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35047072
You can add an additional filter, -entrytype information, as both events are of type Information.

You can add this after "application": -entrytype information
0
 

Author Comment

by:cawasaki
ID: 35047522
Same problem, the script takes a long time.
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35051572
Maybe you should look at the following tool, as it executes the command on the remote server:

PsLogList
http://technet.microsoft.com/en-us/sysinternals/bb897544

Test whether the tool retrieves faster.
0
 

Author Comment

by:cawasaki
ID: 35055048
OK, the best solution for me is to use this command:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result | Out-File $output_file_path

It is too fast now, but my result file is empty!

When I execute just:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

I can view the correct log in my script!

Any help?
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35055157
Tested the following and it worked fine. Have you checked the full script where a value is assigned to $output_file_path? Also, just add $result before outputting the file; this will display the results on screen before writing to the file.

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result

$result | Out-File $output_file_path

0
 

Author Closing Comment

by:cawasaki
ID: 35055817
Works, thanks
0
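
Added example, not part of any post in this thread: the scripts above pipe every record from Get-EventLog through Where-Object, so a large Application log is filtered only after each record has been returned. The sketch below instead passes the log name, the event IDs 703 and 1221 and today's time window to Get-WinEvent -FilterHashtable, so only matching records come back, and it separates "no events today" from a failed query so an unreachable server is not mistaken for a quiet day. It assumes PowerShell 2.0 or later on Windows Vista/2008 or later; the server name, folder, mail addresses and SMTP host are placeholders.

```powershell
# Added example; every value in this block is a placeholder, not taken from the thread.
$ComputerName  = 'SERVER01'             # hypothetical server to query
$OutputFolder  = 'C:\Temp'              # hypothetical local output folder
$FromAddress   = 'reports@example.com'  # placeholder sender
$ToAddress     = 'admin@example.com'    # placeholder recipient
$SendingServer = 'smtp.example.com'     # placeholder SMTP or relay server

$start = [DateTime]::Today              # 00:00 today
$end   = $start.AddDays(1)              # midnight tonight

# Log, event IDs and time window go to the Event Log service as one filter,
# so only matching records are returned to the script.
$filter = @{
    LogName   = 'Application'
    Id        = 703, 1221
    StartTime = $start
    EndTime   = $end
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent reports "no matching events" as an error; accept only that one.
    # Anything else (access denied, server unreachable) is rethrown.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $events = @()
}

$stamp = $start.ToString('yyyy-MM-dd')
$file  = Join-Path $OutputFolder ($stamp + '_EventLog.txt')

if ($events.Count -eq 0) {
    "No events 703/1221 on $ComputerName for $stamp" | Out-File -FilePath $file
} else {
    # Format-List is the last step before Out-File, so formatting objects are never stored or mixed
    $events | Sort-Object TimeCreated |
        Select-Object Id, TimeCreated, ProviderName, Message |
        Format-List | Out-File -FilePath $file -Width 4096
}

# Mail the report, then release the attachment's file handle
$msg = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, "Eventlog Report for $ComputerName - $stamp", 'Check attachment'
try {
    $msg.Attachments.Add((New-Object System.Net.Mail.Attachment $file))
    $smtp = New-Object System.Net.Mail.SmtpClient $SendingServer
    $smtp.Send($msg)
} finally {
    $msg.Dispose()
}
```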
