{"id":59,"date":"2012-07-27T09:25:36","date_gmt":"2012-07-27T14:25:36","guid":{"rendered":"https:\/\/sysadminnightmare.com\/?p=59"},"modified":"2012-07-27T09:25:36","modified_gmt":"2012-07-27T14:25:36","slug":"power-shell-script-to-clear-and-save-event-logs","status":"publish","type":"post","link":"https:\/\/sysadminnightmare.com\/index.php\/2012\/07\/27\/power-shell-script-to-clear-and-save-event-logs\/","title":{"rendered":"Power Shell Script to Clear and Save Event Logs"},"content":{"rendered":"

This is a work in progress script that will Save and clear event logs. I got this from http:\/\/technet.microsoft.com\/en-us\/magazine\/2009.07.heyscriptingguy.aspx<\/a><\/p>\n

In the futre I will be adding code to upload the files to Sharepoint Document Library or List (still thinking of the best way I want to review these). I will link to that part and blog post when I complete.<\/p>\n

[code]<\/p>\n

Param(
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $LogsArchive = “c:logarchive”,
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $List,
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $computers,
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [switch]$AD,
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [switch]$Localhost,
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [switch]$clear,
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [switch]$Help
\n\u00a0\u00a0\u00a0\u00a0 )
\nFunction Get-ADComputers
\n{
\n\u00a0$ds = New-Object DirectoryServices.DirectorySearcher
\n\u00a0$ds.Filter = “ObjectCategory=Computer”
\n\u00a0$ds.FindAll() |
\n\u00a0\u00a0\u00a0\u00a0 ForEach-Object { $_.Properties[‘dnshostname’]}
\n} #end Get-AdComputers<\/p>\n

Function Test-ComputerConnection
\n{
\n\u00a0ForEach($Computer in $Computers)
\n\u00a0{
\n\u00a0 $Result = Get-WmiObject -Class win32_pingstatus -Filter “address=’$computer'”
\n\u00a0 If($Result.Statuscode -eq 0)
\n\u00a0\u00a0 {
\n\u00a0\u00a0\u00a0\u00a0 if($computer.length -ge 1)
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host “+ Processing $Computer”
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Get-BackUpFolder
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }
\n\u00a0\u00a0 } #end if
\n\u00a0\u00a0 else { “Skipping $computer .. not accessible” }
\n\u00a0} #end Foreach
\n} #end Test-ComputerConnection<\/p>\n

 <\/p>\n

Function Get-BackUpFolder
\n{
\n\u00a0$Folder = “{1}-Logs-{0:MMddyymm}” -f [DateTime]::now,$computer
\n\u00a0 New-Item “$LogsArchive$folder” -type Directory -force\u00a0 | out-Null
\n\u00a0 If(!(Test-Path “\\$computerc$LogFolder$folder<\/a>“))
\n\u00a0\u00a0\u00a0 {
\n\u00a0\u00a0\u00a0\u00a0\u00a0 New-Item “\\$computerc$LogFolder$folder<\/a>” -type Directory -force | out-Null
\n\u00a0\u00a0\u00a0 } #end if
\n\u00a0Backup-EventLogs($Folder)
\n} #end Get-BackUpFolder<\/p>\n

Function Backup-EventLogs
\n{
\n\u00a0$Eventlogs = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $computer
\n\u00a0Foreach($log in $EventLogs)
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $path = “\\{0}c$LogFolder$folder{1}.evt<\/a>” -f $Computer,$log.LogFileName
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $ErrBackup = ($log.BackupEventLog($path)).ReturnValue
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if($clear)
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if($ErrBackup -eq 0)
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $errClear = ($log.ClearEventLog()).ReturnValue
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 } #end if
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 else
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 “Unable to clear event log because backup failed”
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 “Backup Error was ” + $ErrBackup
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 } #end else
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 } #end if clear
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Copy-EventLogsToArchive -path $path -Folder $Folder
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 } #end foreach log
\n} #end Backup-EventLogs<\/p>\n

Function Copy-EventLogsToArchive($path, $folder)
\n{
\n\u00a0Copy-Item -path $path -dest “$LogsArchive$folder” -force
\n} # end Copy-EventLogsToArchive<\/p>\n

Function Get-HelpText
\n{
\n\u00a0$helpText= `
\n@”
\n\u00a0DESCRIPTION:
\n\u00a0NAME: BackUpAndClearEventLogs.ps1
\n\u00a0This script will backup, archive, and clear the event logs on
\n\u00a0both local and remote computers. It will accept a computer name,
\n\u00a0query AD, or read a text file for the list of computers.<\/p>\n

\u00a0PARAMETERS:
\n\u00a0-LogsArchive local or remote collection of all computers event logs
\n\u00a0-List path to a list of computer names to process
\n\u00a0-Computers one or more computer names typed in
\n\u00a0-AD switch that causes script to query AD for all computer accounts
\n\u00a0-Localhost switch that runs script against local computer only
\n\u00a0-Clear switch that causes script to empty the event log if the back succeeds
\n\u00a0-Help displays this help topic<\/p>\n

\u00a0SYNTAX:
\n\u00a0BackUpAndClearEventLogs.ps1 -LocalHost<\/p>\n

\u00a0Backs up all event logs on local computer. Archives them to C:logarchive.<\/p>\n

\u00a0BackUpAndClearEventLogs.ps1 -AD -Clear<\/p>\n

\u00a0Searches AD for all computers. Connects to these computers, and backs up all event
\n\u00a0logs. Archives all event logs to C:logarchive. It then clears all event logs
\n\u00a0if the backup operation was successful.<\/p>\n

\u00a0BackUpAndClearEventLogs.ps1 -List C:fsoListOfComputers.txt<\/p>\n

\u00a0Reads the ListOfComputers.txt file to obtain a list of computer. Connects to these
\n\u00a0computers, and backs up all event logs. Archives all event logs to C:logarchive.<\/p>\n

\u00a0BackUpAndClearEventLogs.ps1 -Computers “Berlin,Vista” -LogsArchive “\\berlinC$fsoLogs<\/a>”<\/p>\n

\u00a0Connects to a remote computers named Berlin and Vista, and backs up\u00a0\u00a0\u00a0 all event
\n\u00a0logs. Archives all event logs from all computers to the path c:fsoLogs directory on
\n\u00a0\u00a0 a remote computer named Berlin.<\/p>\n

BackUpAndClearEventLogs.ps1 -help<\/p>\n

Prints the help topic for the script
\n“@ #end helpText
\n\u00a0 $helpText
\n}<\/p>\n

# *** Entry Point To Script ***<\/p>\n

If($AD) { $Computers = Get-ADComputers; Test-ComputerConnection; exit }
\nIf($List) { $Computers = Get-Content -path $list; Test-ComputerConnection; exit }
\nIf($LocalHost) { $computers = $env:computerName; Test-ComputerConnection; exit }
\nIf($Computers)
\n\u00a0 {
\n\u00a0\u00a0 if($Computers.Contains(“,”)) {$Computers = $Computers.Split(“,”)}
\n\u00a0\u00a0 Test-ComputerConnection; exit
\n\u00a0 }
\nIf($help) { Get-HelpText; exit }
\n“Missing parameters” ; Get-HelpText<\/p>\n

[\/code]<\/p>\n

 <\/p>\n

basically to run this create a Script (powershell if you like) or just type:<\/p>\n

 <\/p>\n

c:BackupAndClearEventLogs.ps1 -Computers “Server1,Server2” -LogsArchive “c:logs”<\/p>\n","protected":false},"excerpt":{"rendered":"

This is a work in progress script that will Save and clear event logs. I got this from http:\/\/technet.microsoft.com\/en-us\/magazine\/2009.07.heyscriptingguy.aspx In the futre I will be adding code to upload the files to Sharepoint Document Library or List (still thinking of the best way I want to review these). I will… Continue reading → <\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2],"tags":[35,39],"class_list":["post-59","post","type-post","status-publish","format-standard","hentry","category-admin","tag-powershell","tag-scripting"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2bgeE-X","_links":{"self":[{"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/posts\/59","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/comments?post=59"}],"version-history":[{"count":0,"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/posts\/59\/revisions"}],"wp:attachment":[{"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/media?parent=59"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/categories?post=59"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sysadminnightmare.com\/index.php\/wp-json\/wp\/v2\/tags?post=59"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}