Solved

Pull Event logs off Windows server every 30 minutes using powershell

Posted on 2013-02-07

Powershell

1 solution

1,059 Views

Last Modified: 2013-02-07

I found a script that pulls event logs off windows servers but instead of days I would like it to pull every 30 minutes. I am totally new to powershell and don't know what to change to change this to minutes instead of days. Is this possible with this script?

# +---------------------------------------------------------------------------
# | File : EventLogs.ps1                                          
# | Version : 1.5                                         
# | Purpose : Export Remote Event Logs to CSV. 
# | Synopsis: Creates a CSV file containing all Errors and Warnings from the 
# |           "Application", "System" & "Operations Manager" Event Logs 
# | Usage : .\EventLogs.ps1 -days NUMDAYS
# +----------------------------------------------------------------------------
# | Maintenance History                                            
# | -------------------                                            
# | Name            Date         Version         Description        
# | ------------------------------------------------------------------------------
# | Craig Wilson    25/11/2011   1.0            Initial Release
# | Craig Wilson    28/11/2011   1.1            Added '$store' variable for Log Location 
# | Craig Wilson    28/11/2011   1.2            Added Help Infomration
# | Craig Wilson    28/11/2011   1.3            BUG FIX: added "-Credential $user" switch in for all logs
# | Craig Wilson    28/11/2011   1.4            Added filter for Events
# | Craig Wilson    01/12/2011   1.5*           Added Array to loop through all servers in array and removed Paramter for servers. 
# +-------------------------------------------------------------------------------
##################
## HELP SECTION ##
##################
<#
.SYNOPSIS 
Script to export specific events from remote event logs to a CSV file
.DESCRIPTION 
This script will read the event logs of the array of Servers and export all but 
all relevant logs to a CSV File for the specified server over the period of history
requested at the command line.
Logs can be filtered by modifing the Query for the appropriate log..
.EXAMPLE 
.\EventLogs.PS1 -days 7
.NOTES 
Script may error if there are no events to record and will prompt for the password.
NO username or password information is stored by this script and nothing is written back
to the server. 
#>
#  Specify Command Line parameters
param([string]$days=$(throw "Days cannot be null"))
$servers = @("dc1", "dc2", "vs-webhost", "ts5", "ts7", "ts8", "ts9")

#Set namespace and calculate the date to start from
$namespace = "root\CIMV2" 
$BeginDate=[System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-$days))
$store = "E:\Serverlogs"  # No trailing slash, Folder must already exist
foreach ($computer in $servers)
{
    # Get the Application Log and export to CSV
    Get-WmiObject -ComputerName $computer `
        -Query "SELECT ComputerName,Logfile,Type,TimeWritten,SourceName,Message,Category,EventCode,User `
            FROM Win32_NTLogEvent WHERE (logfile='Application') AND (type!='Information') AND (EventCode!='1062') `
            AND (EventCode!='9001') AND (EventCode!='1517') AND (EventCode!='16434') AND (EventCode!='16435') `
            AND (EventCode!='30969') AND (EventCode!='1202') AND (EventCode!='1517')  AND (EventCode!='257') `
            AND (TimeWritten > '$BeginDate')" | `
            SELECT ComputerName,Logfile,Type,@{name='TimeWritten';Expression={$_.ConvertToDateTime($_.TimeWritten)}},SourceName,Message,Category,EventCode,User | `
            Export-Csv "$store\$computer-Application.csv" 
    # Get the System Log and export to CSV
    Get-WmiObject -ComputerName $computer `
        -Query "SELECT ComputerName,Logfile,Type,TimeWritten,SourceName,Message,Category,EventCode,User `
            FROM Win32_NTLogEvent WHERE (logfile='System') AND (type!='Information') AND (EventCode!='257') AND (TimeWritten > '$BeginDate')" | `
            SELECT ComputerName,Logfile,Type,@{name='TimeWritten';Expression={$_.ConvertToDateTime($_.TimeWritten)}},SourceName,Message,Category,EventCode,User | `
            Export-Csv "$store\$computer-System.csv" 
}

Open in new window

Comment

Question by:ats2012

[X]

Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

Help others & share knowledge
Earn cash & points
Learn & ask questions

Join The Community

1 Comment

LVL 29

Accepted Solution

by:becraig

becraig earned 500 total points

ID: 388657622013-02-07

# +---------------------------------------------------------------------------
# | File : EventLogs.ps1                                          
# | Version : 1.5                                         
# | Purpose : Export Remote Event Logs to CSV. 
# | Synopsis: Creates a CSV file containing all Errors and Warnings from the 
# |           "Application", "System" & "Operations Manager" Event Logs 
# | Usage : .\EventLogs.ps1 -days NUMDAYS
# +----------------------------------------------------------------------------
# | Maintenance History                                            
# | -------------------                                            
# | Name            Date         Version         Description        
# | ------------------------------------------------------------------------------
# | Craig Wilson    25/11/2011   1.0            Initial Release
# | Craig Wilson    28/11/2011   1.1            Added '$store' variable for Log Location 
# | Craig Wilson    28/11/2011   1.2            Added Help Infomration
# | Craig Wilson    28/11/2011   1.3            BUG FIX: added "-Credential $user" switch in for all logs
# | Craig Wilson    28/11/2011   1.4            Added filter for Events
# | Craig Wilson    01/12/2011   1.5*           Added Array to loop through all servers in array and removed Paramter for servers. 
# +-------------------------------------------------------------------------------
##################
## HELP SECTION ##
##################
<#
.SYNOPSIS 
Script to export specific events from remote event logs to a CSV file
.DESCRIPTION 
This script will read the event logs of the array of Servers and export all but 
all relevant logs to a CSV File for the specified server over the period of history
requested at the command line.
Logs can be filtered by modifing the Query for the appropriate log..
.EXAMPLE 
.\EventLogs.PS1 -days 7
.NOTES 
Script may error if there are no events to record and will prompt for the password.
NO username or password information is stored by this script and nothing is written back
to the server. 
#>
#  Specify Command Line parameters
param([string]$days=$(throw "Days cannot be null"))
$servers = @("dc1", "dc2", "vs-webhost", "ts5", "ts7", "ts8", "ts9")

#Set namespace and calculate the date to start from
$namespace = "root\CIMV2" 
$BeginDate=[System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).Addhours(-$days))
$store = "E:\Serverlogs"  # No trailing slash, Folder must already exist
foreach ($computer in $servers)
{
    # Get the Application Log and export to CSV
    Get-WmiObject -ComputerName $computer `
        -Query "SELECT ComputerName,Logfile,Type,TimeWritten,SourceName,Message,Category,EventCode,User `
            FROM Win32_NTLogEvent WHERE (logfile='Application') AND (type!='Information') AND (EventCode!='1062') `
            AND (EventCode!='9001') AND (EventCode!='1517') AND (EventCode!='16434') AND (EventCode!='16435') `
            AND (EventCode!='30969') AND (EventCode!='1202') AND (EventCode!='1517')  AND (EventCode!='257') `
            AND (TimeWritten > '$BeginDate')" | `
            SELECT ComputerName,Logfile,Type,@{name='TimeWritten';Expression={$_.ConvertToDateTime($_.TimeWritten)}},SourceName,Message,Category,EventCode,User | `
            Export-Csv "$store\$computer-Application.csv" 
    # Get the System Log and export to CSV
    Get-WmiObject -ComputerName $computer `
        -Query "SELECT ComputerName,Logfile,Type,TimeWritten,SourceName,Message,Category,EventCode,User `
            FROM Win32_NTLogEvent WHERE (logfile='System') AND (type!='Information') AND (EventCode!='257') AND (TimeWritten > '$BeginDate')" | `
            SELECT ComputerName,Logfile,Type,@{name='TimeWritten';Expression={$_.ConvertToDateTime($_.TimeWritten)}},SourceName,Message,Category,EventCode,User | `
            Export-Csv "$store\$computer-System.csv" 
}

Open in new window

try changing :

$BeginDate=[System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-$days))

to

$BeginDate=[System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).Addhours(-$days))

Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ISE Steroids is My Co-Pilot

Article by: Jason

A brief introduction to what I consider to be the best editor for PowerShell.

Powershell

How to setup Hyper-V host in Nano Server – Part 3

Article by: Veeam

Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.

Veeam
Powershell
Hyper-V
Windows Server 2016
Azure
Windows 10, Windows, *Nano Server

How to change priority of transport agents in Exchange 2007/2010 using Exchange Management Shell

Video by: CodeTwo

Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…