44
55 . DESCRIPTION
66 This Script Collects Event Log data from Remote Servers and the Local Machine if defined. It will collect all of these and finally zip the files up into a easy to transport zip file.
7- If you need to collect more logs than just Application, System, and Operations Manager. Please change line 35 [String[]]$Logs.
7+ If you need to collect more logs than just Application, System, and Operations Manager. Please change line 81 [String[]]$Logs.
88
99 . PARAMETER Servers
1010 Add DNS Hostnames you would like to retrieve the Event Logs from like this: Agent1.contoso.com, Agent2.contoso.com
3737# --------------------------------------------------------------------
3838# --------------------------------------------------------------------
3939
40- # Modify this if you need more logs
41- if ($Logs -eq $null )
42- {
43- [String []]$Logs = ' Application' , ' System' , ' Security' , ' Operations Manager' , ' Microsoft-Windows-PowerShell/Operational'
44- }
45-
4640$DefinedServers = $null
4741
4842# Add FQDN of Servers here (Comment this line to run against the local machine):
@@ -68,15 +62,25 @@ function Get-EventLogs
6862 [CmdletBinding ()]
6963 param
7064 (
71- [Parameter (Mandatory = $false ,
72- Position = 1 )]
73- [String []]$Servers ,
74- [Parameter (Position = 2 )]
75- [string ]$CaseNumber
65+ [Parameter (Mandatory = $false ,
66+ Position = 1 )]
67+ [String []]$Servers ,
68+ [Parameter (Mandatory = $false ,
69+ Position = 2 )]
70+ [String []]$Logs ,
71+ [Parameter (Mandatory = $false ,
72+ Position = 3 )]
73+ [string ]$CaseNumber
7674 )
7775
7876 $ScriptPath = " $env: USERPROFILE \Documents"
79-
77+
78+ # Modify this if you need more logs
79+ if ($Logs -eq $null )
80+ {
81+ [String []]$Logs = ' Application' , ' System' , ' Security' , ' Operations Manager' , ' Microsoft-Windows-PowerShell/Operational'
82+ }
83+
8084 if ($CaseNumber )
8185 {
8286 $CaseNumber | Out-String
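Review bot: The `if ($Logs -eq $null)` default at new lines 79-82 only fires when the parameter is omitted entirely; a caller passing `-Logs @()` gets an empty comparison result, the block is skipped, and the function silently collects nothing. Now that `$Logs` is a real parameter the default belongs on it: `[String []]$Logs = @('Application', 'System', 'Security', 'Operations Manager', 'Microsoft-Windows-PowerShell/Operational')`, with the null-check block dropped and the `# Modify this if you need more logs` comment changed to `# Override with -Logs; entries are passed unchanged to wevtutil on each target and used in output file names`. Since those entries end up in remote commands and file paths in the export loop below (a separate hunk), a `[ValidatePattern('^[^\\:*?"<>|]+$')]` on the parameter is cheap insurance against a stray value writing somewhere unexpected. The description's "change line 81" guidance would then be obsolete and should point at `-Logs` instead.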
@@ -110,80 +114,83 @@ function Get-EventLogs
110114 Write-Host " $server " - ForegroundColor Green
111115 foreach ($log in $logs )
112116 {
113- $availableLogs = Get-EventLog * | Select Log - ExpandProperty Log
114- if ($log -notin $availableLogs )
117+ $availableLogs = $null
118+ $availableLogs = Get-EventLog * - ComputerName $server | Select Log - ExpandProperty Log
119+ if ($log -notin $availableLogs )
120+ {
121+ $logText = $log.ToString ().Replace(" /" , " ." )
122+ Out-File " $OutputPath `\Unable to Locate $logText on $server "
123+ continue
124+ }
125+ else
126+ {
127+ Time- Stamp
128+ Write-Host " Exporting log: " - NoNewline
129+ Write-Host $log - ForegroundColor Magenta - NoNewline
130+ Write-Host " "
131+ if ($server -notmatch $env: COMPUTERNAME )
115132 {
116- continue
117- }
118- else
119- {
120- Time- Stamp
121- Write-Host " Exporting log: " - NoNewline
122- Write-Host $log - ForegroundColor Magenta - NoNewline
123- Write-Host " "
124- if ($server -notmatch $env: COMPUTERNAME )
125- {
126- try
127- {
128- if ($log -like ' */*' )
129- { $logname = $log.split (' /' )[0 ] }
130- else { $logname = $log }
131- Invoke-Command - ComputerName $server {
132- $fileCheck = test-path " c:\windows\Temp\$using :server `.$using :logname .evtx"
133- if ($fileCheck -eq $true )
134- {
135- Remove-Item " c:\windows\Temp\$using :server `.$using :logname .evtx" - Force
136- }
137- wevtutil epl $using :log " c:\windows\Temp\$using :server .$using :logname .evtx"
138- wevtutil al " c:\windows\Temp\$using :server `.$using :logname .evtx"
139- } - ErrorAction Stop
140- $fileCheck2 = test-path " $OutputPath \$server " - ErrorAction Stop
141- if (! ($fileCheck2 ))
142- {
143- New-Item - ItemType directory - Path " $OutputPath " - Name " $server " - ErrorAction Stop | Out-Null
144- New-Item - ItemType directory - Path " $OutputPath \$server " - Name " localemetadata" - ErrorAction Stop | Out-Null
145- }
146- Move-Item " \\$server \c$\windows\temp\$server .$logname .evtx" " $OutputPath \$server " - force - ErrorAction Stop
147- # "Get-ChildItem \\$server\c$\windows\temp\localemetadata\"
148- Get-ChildItem " \\$server \c$\windows\temp\localemetadata\" - ErrorAction Stop |
149- where { $_.name -like " *$server *" -and $_.name -like " *$logname *" } |
150- Move-Item - Destination " $OutputPath \$server \localemetadata\" - force - ErrorAction Stop
151- }
152- catch
153- {
154- Time- Stamp
155- Write-Warning " $_ "
156- break
157- }
158-
159- }
160- else
133+ try
161134 {
162135 if ($log -like ' */*' )
163136 { $logname = $log.split (' /' )[0 ] }
164137 else { $logname = $log }
165- $fileCheck = test-path " c:\windows\Temp\$server .$logname .evtx"
166- if ($fileCheck -eq $true )
167- {
168- Remove-Item " c:\windows\Temp\$server .$logname .evtx" - Force | Out-Null
169- }
170- wevtutil epl $log " c:\windows\Temp\$server .$logname .evtx"
171- wevtutil al " c:\windows\Temp\$server .$logname .evtx"
172-
173- $fileCheck2 = test-path " $OutputPath \$server "
138+ Invoke-Command - ComputerName $server {
139+ $fileCheck = test-path " c:\windows\Temp\$using :server `.$using :logname .evtx"
140+ if ($fileCheck -eq $true )
141+ {
142+ Remove-Item " c:\windows\Temp\$using :server `.$using :logname .evtx" - Force
143+ }
144+ wevtutil epl $using :log " c:\windows\Temp\$using :server .$using :logname .evtx"
145+ wevtutil al " c:\windows\Temp\$using :server `.$using :logname .evtx"
146+ } - ErrorAction Stop
147+ $fileCheck2 = test-path " $OutputPath \$server " - ErrorAction Stop
174148 if (! ($fileCheck2 ))
175149 {
176- New-Item - ItemType directory - Path " $OutputPath " - Name " $server " | Out-Null
177- New-Item - ItemType directory - Path " $OutputPath \$server " - Name " localemetadata" | Out-Null
150+ New-Item - ItemType directory - Path " $OutputPath " - Name " $server " - ErrorAction Stop | Out-Null
151+ New-Item - ItemType directory - Path " $OutputPath \$server " - Name " localemetadata" - ErrorAction Stop | Out-Null
178152 }
179- Move-Item " C:\ windows\temp\$server .$logname .evtx" " $OutputPath \$server " - force
153+ Move-Item " \\ $server \c$\ windows\temp\$server .$logname .evtx" " $OutputPath \$server " - force - ErrorAction Stop
180154 # "Get-ChildItem \\$server\c$\windows\temp\localemetadata\"
181- Get-ChildItem " C:\ windows\temp\localemetadata\" |
155+ Get-ChildItem " \\ $server \c$\ windows\temp\localemetadata\" - ErrorAction Stop |
182156 where { $_.name -like " *$server *" -and $_.name -like " *$logname *" } |
183- Move-Item - Destination " $OutputPath \$server \localemetadata\" - force
157+ Move-Item - Destination " $OutputPath \$server \localemetadata\" - force - ErrorAction Stop
158+ }
159+ catch
160+ {
161+ Time- Stamp
162+ Write-Warning " $_ "
163+ break
164+ }
165+
166+ }
167+ else
168+ {
169+ if ($log -like ' */*' )
170+ { $logname = $log.split (' /' )[0 ] }
171+ else { $logname = $log }
172+ $fileCheck = test-path " c:\windows\Temp\$server .$logname .evtx"
173+ if ($fileCheck -eq $true )
174+ {
175+ Remove-Item " c:\windows\Temp\$server .$logname .evtx" - Force | Out-Null
176+ }
177+ wevtutil epl $log " c:\windows\Temp\$server .$logname .evtx"
178+ wevtutil al " c:\windows\Temp\$server .$logname .evtx"
179+
180+ $fileCheck2 = test-path " $OutputPath \$server "
181+ if (! ($fileCheck2 ))
182+ {
183+ New-Item - ItemType directory - Path " $OutputPath " - Name " $server " | Out-Null
184+ New-Item - ItemType directory - Path " $OutputPath \$server " - Name " localemetadata" | Out-Null
184185 }
186+ Move-Item " C:\windows\temp\$server .$logname .evtx" " $OutputPath \$server " - force
187+ # "Get-ChildItem \\$server\c$\windows\temp\localemetadata\"
188+ Get-ChildItem " C:\windows\temp\localemetadata\" |
189+ where { $_.name -like " *$server *" -and $_.name -like " *$logname *" } |
190+ Move-Item - Destination " $OutputPath \$server \localemetadata\" - force
185191 }
186192 }
193+ }
187194
188195 }
189196 # Zip output
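Review bot: The new `Get-EventLog * -ComputerName $server` availability check at new line 118 appears to enumerate only the classic event logs, so a modern channel such as `Microsoft-Windows-PowerShell/Operational` (which is in the default `$Logs` list) would never be in `$availableLogs` and always lands in the "Unable to Locate" branch even though `wevtutil epl` could export it; `Get-WinEvent -ListLog * -ComputerName $server` returns both kinds, e.g. `$availableLogs = (Get-WinEvent -ListLog * -ComputerName $server -ErrorAction Stop).LogName`. The check also runs once per log inside `foreach ($log in $logs)` and is not inside the `try`, so hoisting it above the loop, next to `Write-Host "$server"`, avoids repeated remote round trips and lets a connection failure be reported once per server rather than terminate the run. Note, hedged, that this call uses a different remote transport than the `Invoke-Command` used for the export, so a host reachable over WinRM may still fail here; worth a one-line comment. The `$server -notmatch $env:COMPUTERNAME` test is a case-insensitive regex substring match, so a remote host whose name contains the local name is treated as local and exported from the wrong machine; `$server -notlike "$env:COMPUTERNAME*"` or a comparison against `[System.Net.Dns]::GetHostName()` would be safer.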