Comments on: PowerShell: How to export Windows Eventlogs with PowerShell

By: Gemimah Guarneros

Gemimah Guarneros — Sat, 18 May 2019 14:15:51 +0000

Hi
Could you please help me, I need export events from security but each one with its details for examWorkstationNameple TargetUserName,

By: TaTo

TaTo — Thu, 27 Mar 2014 16:09:38 +0000

Really helpful! thanks a lot

cheers

By: Thomas Maurer

Thomas Maurer — Thu, 04 Jul 2013 18:12:38 +0000

In reply to Mike. Well here you can work with get-date and add this to a variable which you can set with the filename

By: Mike

Mike — Sat, 29 Jun 2013 22:13:12 +0000

How could I add the time stamp? I need to export the Applications and System every half hour. I don’t want the events to over write. also how do I the host name of the server so each file has hostname, date and time stamp.

By: Ansari

Ansari — Tue, 02 Apr 2013 13:05:43 +0000

could it be possibe to ceck the file size before it creates a backup.
Suppose if i want to take the backup only if reacheds upto 300 MB Space

By: Marc

Marc — Thu, 05 Jul 2012 16:49:19 +0000

Thanks Thomas for the article.
@Ritchy, to read this eventlog you have to use the cmdlet get-winevent.
Try this : get-winevent -log setup

Marc.

By: Hans

Hans — Thu, 26 Jan 2012 08:30:58 +0000

Hallo Thomas,
ich versuche deine Abfrage um die EventID zu erweitern.
Leider sehe ich nicht wo der Fehler liegt:

# Config
$logFileName = “SYSTEM” # Add Name of the Logfile (System, Application, etc)
$EventID = 403
$path = “C:\Temp\” # Add Path, needs to end with a backsplash

# do not edit
$exportFileName = $logFileName + (get-date -f yyyyMMdd) + “.evt”
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object {$_.logfilename -eq $logFileName & $_.EventID -eq $EventID}
$logFile.backupeventlog($path + $exportFileName)

By: Richy

Richy — Tue, 01 Nov 2011 13:59:36 +0000

Hi Thomas,

Thanks for the article. It helped me a lot. But I’ve got one question. I cannot export and clear the Setup eventlog on Windows Server 2008 R2. I get this error in Powershell:

You cannot call a method on a null-valued expression.
At D:\beheer\scripts\backup_setup_log.ps1:8 char:24
+ $logFile.backupeventlog <<<< ($path + $exportFileName)
+ CategoryInfo : InvalidOperation: (backupeventlog:String) [], Runti
+ FullyQualifiedErrorId : InvokeMethodOnNull

Clear-EventLog : The Log name "Setup" does not exist in the computer "localhost".
At D:\beheer\scripts\backup_setup_log.ps1:9 char:15
+ Clear-Eventlog <<<< -LogName $logFileName
+ CategoryInfo : InvalidOperation: (:) [Clear-EventLog], InvalidOper
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.ClearEventLogCommand

Do you know why I'm not able to export and clear this eventlog? All the other eventlogs (Application, Security and System) don't have this issue. Thanks in advance and with kind regards,

Richy

By: Ganesan K

Ganesan K — Mon, 26 Sep 2011 09:20:10 +0000

Thanks for sharing a very good innovative article

By: Thomas Maurer

Thomas Maurer — Thu, 26 May 2011 17:17:19 +0000

In reply to Michel Lüscher. yep... true this makes sence :)