Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Powershell Export Event logs

Posted on 2015-02-06
3
Medium Priority
?
309 Views
Last Modified: 2015-02-21
Not sure what I am doing wrong I am trying to get all the different types of logs into a file with server name.  The File path is not coming out correctly.


The function I am user is here
http://www.insidepowershell.com/?p=611



# Import Testing function (also defines prerequisites)
. C:\NOCScripts\Powershell\GetLogData\Export-EventLog.ps1

$Servers = get-content "C:\NOCScripts\Powershell\GetLogData\splunk\ServerList.txt"
$LogDest = "C:\NOCScripts\Powershell\GetLogData\splunk\evxt"

$LogNamesArry = "Application,Hardware Events,Operations Manager,Security,System,Windows Powershell,Internet Explorer,Key Management Service"
$LogNames = $LogNamesArry.split(',');

$Days_Ago = 1096


FOREACH ($Server in $Servers){
            FOREACH($LogName in $LogNames){
            Write-Host $LogName $Server $Start_Date
             
Write-Host $Server $LogName 
 Export-EventLog -Servers $Server -Logname $LogName -FileName "$Server.evtx" -Path  $LogDest -Days $Days_Ago

        }

}

Open in new window



Output Produced with error
Hardware Events n2sup2is02 

 Export Started 
 Server: n2sup2is02 
 Path:  C:\NOCScripts\Powershell\GetLogData\splunk\evxt\\HardwareEvents n2sup2is02 2015-02-06.evtx 
 Days: 1096 

wevtutil : Failed to export log Hardware Events. The specified channel could not be found. Check channel configuration.
At C:\NOCScripts\Powershell\GetLogData\Export-EventLog.ps1:126 char:1
+ wevtutil epl $logname "$path\$filename" /ow /r:"$server" /q:"*[System[TimeCreate ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Failed to expor... configuration.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 

 Export Complete: C:\NOCScripts\Powershell\GetLogData\splunk\evxt\\HardwareEvents n2sup2is02 2015-02-06.evtx 

Open in new window

0
Comment
Question by:Leo Torres
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 41

Expert Comment

by:footech
ID: 40595507
Your output for the path does not match with the code posted, so something is definitely different than above.  Running the code above with a servername of "localhost", I get a path like
Path:  C:\NOCScripts\Powershell\GetLogData\splunk\evxt\localhos localhost 2015-02-07.evtx
Yes, it says "localhos" at one point because of the way the Trim method works - better would be to use the Replace method so you don't get unexpected results.

As far as the error message, it's because the channel is "HardwareEvents" without a space, so you need to modify line 7 where you define $LogNamesArry.
0
 
LVL 8

Author Comment

by:Leo Torres
ID: 40596515
The path Name yes is one of my issues not sure why I get that bad path.

Any idea on path issue.
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 40597382
As you can see from the result I posted, there was no problem with the path.

To try to diagnose any issue you're having with the path I would need the command you're running, any file that supplies input, and the output.  As I mentioned, the sample output you provided before does not match with the code as shown, so you must have changed something.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question