Solved

powershell script to export specific Windows application event

Posted on 2011-03-05
Last Modified: 2012-05-11
Hi,

I need a script to export a specific Application event from a Windows 2008 server.

The script must export all information of this event and include the description.

The event IDs are 703 and 1221.

The script must store the output result in a local folder and email a copy of the file.

The script must only export these events for the effective date; for example, if I launch the script on 5 March, the script must only export the log of events 703 and 1221 for 5 March.

Thanks for your help.
0
Question by:cawasaki
 
LVL 12

Expert Comment

by:prashanthd
ID: 35045929
Hi,

Try this code; edit the date, from, to, SMTP server and output file path.

regards
Prashanth

################################################################

$dt=Get-Date "03/05/2011" # Change date to check for
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from
$output_file_path="C:\" # output file path
#################################################################

$dt
$adt=$dt
$bdt=$dt.adddays(+1)
$bdt
$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################
0
 

Author Comment

by:cawasaki
ID: 35046016
I'll try.
0
 

Author Comment

by:cawasaki
ID: 35046028
Why do I need to edit the date?

The script must work automatically?
0
 

Author Comment

by:cawasaki
ID: 35046037
Hi,

I have an error:

[PS] C:\Temp>.\test.ps1

jeudi 3 mars 2011 00:00:00
vendredi 4 mars 2011 00:00:00
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:16 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046046
Modified the code, test now

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$dt=Get-Date
$adt=$dt.ToShortDateString()
$adt
$bdt=$dt.adddays(+1)
$bdt=$bdt.ToShortDateString()
$bdt

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "Application" -after $adt -before $bdt | Where-Object {$_.EventID -eq 703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046052
I'll test, 2 min.
0
 

Author Comment

by:cawasaki
ID: 35046059
same error:

[PS] C:\Temp>.\test.ps1
06/03/2011
07/03/2011
Get-EventLog : A parameter cannot be found that matches parameter name 'after'.
At C:\Temp\test.ps1:17 char:42
+ $output=Get-EventLog "Application" -after  <<<< $adt -before $bdt | Where-Object {$_.EventID -eq
703 -or $_.EventID -eq 1221} | Select eventid, timewritten,message | Format-list


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046060
What is the OS language being used?

I do not understand jeudi,vendredi
0
 

Author Comment

by:cawasaki
ID: 35046073
OK lol sorry, it's French, but I have also tested on the English system.

 jeudi is THURSDAY

vendredi is FRIDAY
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046100
Np... are you getting the same errors on the English system also?
0
 

Author Comment

by:cawasaki
ID: 35046251
Yes, same error in the English version.

It's Windows 2008 SP1.

Does the script work for you?
0
 

Author Comment

by:cawasaki
ID: 35046302
And why do I see these dates when I launch the script:

06/03/2011
07/03/2011


07/03/2011 is tomorrow's date, is that normal????
0
 

Author Comment

by:cawasaki
ID: 35046609
OK, the problem is the version of PowerShell: I have version 1.0, and your script works only in version 2.0???
0
 
LVL 12

Accepted Solution

by:
prashanthd earned 500 total points
ID: 35046612
Hmmm... PowerShell versions. Anyway, modified the code and tested; please try now.

regards
Prashanth
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $dt.month +"_"+ $dt.day +"_"+ $dt.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten 
} | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $dt
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046617
Please replace $dt with $today
0
 

Author Comment

by:cawasaki
ID: 35046666
Hi,

Now I have another error:

PS C:\Temp> .\test.ps1

dimanche 6 mars 2011 00:00:00
out-lineoutput : Object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not legal or not in
the correct sequence. This is likely caused by a user-specified "format-list" command which is conflicting with the def
ault formatting.


0

 
LVL 12

Expert Comment

by:prashanthd
ID: 35046755
Is the following on one single line? If not, ensure the entire line is one single line and try.

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046762
Formatted the same..
################################################################
$FromAddress = ""  # Give from mail address
$ToAddress = ""    # Give To mail address
$SendingServer = "" # Smtp or relayserver to send mail from 
$output_file_path="C:\" # output file path
#################################################################

$today=[DateTime]::Today
$today

$output_file_path=$output_file_path + $today.month +"_"+ $today.day +"_"+ $today.year + "_EventLog.txt"

$output=Get-EventLog "application" | Where-Object {($_.EventID -eq 703 -or $_.EventID -eq 1221) -and $Today -le $_.TimeWritten } | Select eventid, timewritten,message | Format-list

$output
$output | Out-File $output_file_path

#########################Send Mail################################

$MessageSubject = "Eventlog Report for - " + $today
$MessageBody = "Check Attachment"
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($output_file_path)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient 
$SmtpClient.host = $SendingServer
$SMTPClient.Send($SMTPMessage)

#############################################################################


0
 

Author Comment

by:cawasaki
ID: 35046777
it is in one line!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046793
Can you remove "| format-list" and try?
0
 

Author Comment

by:cawasaki
ID: 35046896
OK, it works, and the other version works in PowerShell v2, I have tested.

Now, is it possible to launch this script against a remote server?

thanks
0
 

Author Comment

by:cawasaki
ID: 35046961
Hi,

OK, simple: I add -computer and it's OK.

Now a small problem: on my server I have 100000 logs in the Application log, and the script takes a long time to finish.

Is it possible to make it check the event log for just the effective date and quit after that?

thanks
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35046982
Actually, both scripts are filtering the events only for today. Which script are you using, the one for PowerShell v2 or v1?

0
 

Author Comment

by:cawasaki
ID: 35046992
V2.

The problem: I launched the script and it has not ended! 20 minutes and no end!

 
0
 

Author Comment

by:cawasaki
ID: 35047012
I suspect the script searches all events in the whole log and exports only the events for the right date. So in my case, I have a lot of events in the Application event log!

0
 

Author Comment

by:cawasaki
ID: 35047030
And if I launch the 2 scripts to test on another server with a small Application event log, it is too fast!
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35047072
You can add additional filter -entrytype information as both the events are of type information.

you can add this after "application" -entrytype information
0
 

Author Comment

by:cawasaki
ID: 35047522
same problem, the script take a long time.
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35051572
Maybe you should look at the following tool, as this executes the command on the remote server

PsLogList
http://technet.microsoft.com/en-us/sysinternals/bb897544

Test if the tool is retrieving faster..
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35054175
0
 

Author Comment

by:cawasaki
ID: 35055048
OK, the best solution for me is to use this command:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result | Out-File $output_file_path

It is too fast now, but my result file is empty!

When I execute just:

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

I can view the correct log in my script!

Any help?
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35055157
Tested the following and it worked fine. Have you checked the full script where a value is assigned to $output_file_path? Also, just add $result before outputting the file; this will display the results on screen before writing to the file.

$output=Get-EventLog -Newest 1000 "application" -ComputerName servername

$result = $output | Where-Object {($_.EventID -eq 721)} | Select eventid, timewritten,message | Format-list

$result

$result | Out-File $output_file_path

0
 

Author Closing Comment

by:cawasaki
ID: 35055817
Works, thanks.
0
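
Added example, not part of the thread and not any poster's code: on PowerShell 2.0 or later, Get-WinEvent with -FilterHashtable passes the event IDs and the date window to the event log service, so a 100000-entry Application log like the one discussed above is not pulled across and filtered client-side. The server name, output folder, mail addresses and SMTP relay are placeholder assumptions.

```powershell
# Added example: server name, folder, addresses and SMTP relay are placeholders.
$ComputerName = 'servername'
$EventIds     = 703, 1221                 # IDs from the original question
$OutputDir    = 'C:\Temp'
$FromAddress  = 'eventreport@example.com'
$ToAddress    = 'admin@example.com'
$SmtpServer   = 'smtp.example.com'

$start   = [DateTime]::Today              # 00:00 today
$end     = $start.AddDays(1)              # 00:00 tomorrow
$outFile = Join-Path $OutputDir ('{0:yyyy-MM-dd}_EventLog.txt' -f $start)

# Log name, IDs and time window go into the query itself, so the event log
# service returns only matching records instead of the whole Application log.
$filter = @{ LogName = 'Application'; Id = $EventIds; StartTime = $start; EndTime = $end }

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent reports "no matching events" as an error; treat it as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() } else { throw }
}

if ($events.Count -eq 0) {
    "No events $($EventIds -join ', ') on $ComputerName for $($start.ToString('yyyy-MM-dd'))." |
        Out-File -FilePath $outFile -Encoding UTF8
} else {
    # Format-List feeds Out-File directly; the formatted objects are never
    # stored in a variable or echoed to the console.
    $events | Sort-Object TimeCreated |
        Select-Object Id, TimeCreated, MachineName, LevelDisplayName, Message |
        Format-List | Out-File -FilePath $outFile -Encoding UTF8
}

# -UseSsl assumes the relay supports STARTTLS; event messages can contain
# internal host names and account names, so avoid sending them in clear text.
Send-MailMessage -From $FromAddress -To $ToAddress -SmtpServer $SmtpServer -UseSsl `
    -Subject "Event log report for $ComputerName - $($start.ToString('yyyy-MM-dd'))" `
    -Body "Events found: $($events.Count). See attachment." -Attachments $outFile
```

Remote queries with Get-WinEvent need the target to run Windows Vista / Server 2008 or later and to allow remote event log access through its firewall.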
