1
votes

I have a requirement to export Windows Event logs to CSV from our production environment periodically.

I have a simple XML Config file containing a list of machines I need the events from, and a list of Event Ids that I need to retrieve.

From here I'm looping through each machine name in turn, and then each event Id to retrieve the logs and then export to CSV. I'd like one CSV per machine per execution.

Once I've worked out all my variables, the PS command to retrieve the log for one Event Id is quite simple:

# $config is the XML config read earlier; $outputlocation, $datestring and
# $lastexecutiondate are worked out before this loop
foreach ($machine in $config.Configuration.Machines.Machine)
{
    $csvname = $outputlocation + $machine.Value + "_" + $datestring + ".csv"

    foreach ($eventid in $config.Configuration.EventIds.EventId)
    {
        # one Security-log query per event Id, appended to the machine's CSV
        Get-WinEvent -ComputerName $machine.Value -ErrorAction SilentlyContinue -FilterHashTable @{Logname='Security';ID=$eventid.Value} |
            where {$_.TimeCreated -gt $lastexecutiondate} |
            export-csv -NoClobber -append $csvname
    }
}

Except I'm unable to append to a CSV each time; PS 2.0 apparently does not support this. I've tried extracting all Event Ids at once, but this seems to be a bit long-winded and may not allow use of a config file, and I'm fairly new to PowerShell so I haven't had much luck.

I also need to specify multiple LogNames (System, Security and Application), and would prefer to run one statement as opposed to the same statement 3 times and append, but I'm unsure of how to do this.

Unfortunately at this point Google has me running in circles.

2
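An added example (not code from the question or from either answer) that addresses the three points at once: one Get-WinEvent call per machine covers the System, Security and Application logs and every event Id from the config, the results are collected in memory, and each machine's CSV is written with a single Export-Csv, so no -Append is needed on PowerShell 2.0. It assumes the same $config XML layout as the question (Machine and EventId nodes carrying a Value attribute) and that $outputlocation, $datestring and $lastexecutiondate are already set.

```powershell
# Added example, not the question's code: one query per machine, one CSV per machine.
# Assumed: $config (XML from the question), $outputlocation, $datestring, $lastexecutiondate.

$logNames = 'System', 'Security', 'Application'

# FilterHashtable takes arrays for LogName and ID, so one query covers every log and Id.
# The Ids come out of the XML as strings; cast them to int for the filter.
$eventIds = @($config.Configuration.EventIds.EventId | ForEach-Object { [int]$_.Value })

foreach ($machine in $config.Configuration.Machines.Machine) {
    $csvName = Join-Path $outputlocation ($machine.Value + '_' + $datestring + '.csv')

    $filter = @{
        LogName   = $logNames
        ID        = $eventIds
        StartTime = $lastexecutiondate   # time filter applied by the event log service, not by Where-Object
    }

    # Collect everything for this machine first, then write the file once (no -Append needed).
    $events = Get-WinEvent -ComputerName $machine.Value -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object MachineName, LogName, Id, TimeCreated, LevelDisplayName, ProviderName, Message

    if ($events) {
        $events | Export-Csv -Path $csvName -NoTypeInformation -NoClobber
        Write-Host "Wrote $(@($events).Count) events for $($machine.Value) to $csvName"
    } else {
        Write-Warning "No matching events on $($machine.Value) since $lastexecutiondate"
    }
}
```

Get-WinEvent raises a non-terminating "No events were found" error when nothing matches, which is why -ErrorAction SilentlyContinue stays on the call and the empty case is handled explicitly. Windows limits the number of expressions in a single event query (in practice a few dozen Ids), so a long Id list should be split into several calls rather than passed in one hashtable.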

2 Answers

1
votes

The following is something I culled together to allow me to export the prior 24 hours of events for select event logs. I'm going to create a scheduled task out of it so it pulls daily. Hope this helps someone else...

$eventLogNames = "Application", "Security", "System", "Windows PowerShell"
# Window start: 24 hours plus a 15-minute overlap, so a daily run does not miss events at the boundary
$startDate = Get-Date
$startDate = $startDate.AddDays(-1).AddMinutes(-15)

# Milliseconds between $date and now; wevtutil's timediff(@SystemTime) uses the same unit
function GetMilliseconds($date)
{
    $ts = New-TimeSpan -Start $date -End (Get-Date)
    [math]::Round($ts.TotalMilliseconds)
}

$serverName = get-content env:computername
$serverIP = gwmi Win32_NetworkAdapterConfiguration |
    Where { $_.IPAddress } | # filter the objects where an address actually exists
    Select -Expand IPAddress | # retrieve only the property *value*
    Where { $_ -notlike '*:*' } | # drop IPv6 addresses
    Select -First 1 # one address only; a multi-homed host would otherwise put an array into the file name
$fileNameDate = Get-Date -format yyyyMMddHHmm # HH is the 24-hour clock; hh would make morning and evening runs collide
$endDate = Get-Date
$startTime = GetMilliseconds($startDate)
$endTime = GetMilliseconds($endDate)

foreach ($eventLogName in $eventLogNames)
{
    Write-Host "Processing Log: " $eventLogName

<# - Remove comment to create csv version of log files
    $csvFile = $fileNameDate + "_" + $serverIP + "_" + $eventLogName + ".csv"
    Write-Host "Creating CSV Log: " $csvFile
    Get-EventLog -LogName $eventLogName -ComputerName $serverName -After $startDate -ErrorAction SilentlyContinue |
        Sort MachineName, TimeWritten |
        Select MachineName, Source, TimeWritten, EventID, EntryType, Message |
        Export-CSV $csvFile -NoTypeInformation
#>
    $evtxFile = $fileNameDate + "_" + $serverIP + "_" + $eventLogName + ".evtx"
    Write-Host "Creating EVTX Log: " $evtxFile
    # Keep events whose age in milliseconds lies between $endTime (now) and $startTime (window start)
    $query = "*[System[TimeCreated[timediff(@SystemTime) >= $endTime] and TimeCreated[timediff(@SystemTime) <= $startTime]]]"
    wevtutil epl $eventLogName $evtxFile /q:$query
}
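An added example (not part of this answer) that restructures the same 24-hour EVTX export: the XPath is held in a variable with no embedded whitespace, each log's query is first tried with wevtutil qe /c:1 so a rejected query is reported per log instead of aborting the export, and the file name uses a 24-hour timestamp. The log list and the C:\EventExports output folder are assumptions.

```powershell
# Added example, not the answer's code: time-windowed EVTX export with the XPath query
# checked by "wevtutil qe" before each "wevtutil epl".
$logNames     = 'Application', 'Security', 'System', 'Windows PowerShell'
$outputFolder = 'C:\EventExports'   # assumed output location
$windowHours  = 24

if (-not (Test-Path $outputFolder)) { New-Item -ItemType Directory -Path $outputFolder | Out-Null }

# timediff(@SystemTime) is the event's age in milliseconds at query time, so
# "age <= window" keeps only events written inside the window. The expression has
# no spaces, so nothing needs quoting when it is handed to wevtutil.
$windowMs = [int64]([TimeSpan]::FromHours($windowHours).TotalMilliseconds)
$query    = "*[System[TimeCreated[timediff(@SystemTime)<=$windowMs]]]"

$stamp    = Get-Date -Format yyyyMMddHHmm   # 24-hour clock: runs 12 hours apart get distinct names
$computer = $env:COMPUTERNAME

foreach ($logName in $logNames) {
    $safeName = $logName -replace '[^A-Za-z0-9]', '_'   # "Windows PowerShell" -> "Windows_PowerShell"
    $evtxFile = Join-Path $outputFolder ('{0}_{1}_{2}.evtx' -f $stamp, $computer, $safeName)

    # Dry run: request a single event with the same query. An invalid query fails
    # here with a non-zero exit code, before any export is attempted.
    wevtutil qe $logName /q:$query /c:1 /f:text | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Query rejected for log '$logName' (exit code $LASTEXITCODE); skipping export"
        continue
    }

    wevtutil epl $logName $evtxFile /q:$query
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Exported $logName to $evtxFile"
    } else {
        Write-Warning "wevtutil epl failed for '$logName' (exit code $LASTEXITCODE)"
    }
}
```

Because the query string is a plain variable, it can be printed and pasted into an Event Viewer custom XML filter to confirm it selects the expected events before the scheduled task relies on it. wevtutil epl refuses to overwrite an existing export file, which the timestamped name avoids for a task that runs once per window.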
-1
votes

Why do I get "Failed to export log Security. The specified query is invalid."? I get this for each type of event log (system, application etc). This happens only to the evtx export. I get the csv file though....