In the previous article I demonstrated some techniques using Get-WMIObject to back up classic event logs. If you have PowerShell 3, there is another option I want to show you. I will also demonstrate how to clear event logs.

I also wanted to develop a technique that could remotely create the backup and move it to a shared folder using PowerShell's remoting ports, without relying on DCOM or RPC, at least from your computer to the remote computer. On the back end, the file copy from the remote server to the shared folder will still need to be a traditional file transfer. But we're getting ahead of ourselves.

Using CIM Cmdlets

From my desktop running PowerShell 3, I can get a classic event log using Get-CIMInstance.

$logname = "Security"
$log = Get-CimInstance win32_nteventlogfile -filter "logfilename = '$logname'" -ComputerName CHI-FP02

Using the CIM cmdlets I can make a WMI query over the same remoting port that PowerShell uses. This means no DCOM or RPC.

As I did in the previous article I’m going to define the name of a backup file that includes a time stamp, the computer name, and the name of the event log with any spaces removed.

# HH gives a 24-hour stamp; hh (12-hour) would let a morning and an evening backup collide on the same file name
$file = "{0}_{1}_{2}.evtx" -f (Get-Date -f "yyyyMMddHHmm"),$log.PSComputerName,$log.FileName.Replace(" ","")

The file stamp is in the format YearMonthDayHourMinute and it is case-sensitive. I'm going to back up to a local directory on CHI-FP02.

$backup = join-path "c:\backup" $file

I’ll create the backup itself using the Invoke-CIMMethod cmdlet.

$log | Invoke-CimMethod -Name BackupEventlog -Arguments @{ArchiveFileName=$backup}

As with WMI, I’ll get an object with a ReturnValue indicating success. I can also check the directory via remoting as I’ve done in the screenshot below.

Check a directory via remoting

I could repeat this for as many logs as I want, or scale this out to back up the same log on multiple computers, ideally to the same local folder.

$computers = "chi-dc01","chi-fp01","chi-dc04","chi-fp02"
$logname = "System"
$logs = Get-CimInstance win32_nteventlogfile -filter "logfilename = '$logname'" -ComputerName $computers

foreach ($log in $logs) {
    # 24-hour stamp (HH) so two backups on the same day cannot share a name
    $file = "{0}_{1}_{2}.evtx" -f (Get-Date -f "yyyyMMddHHmm"),$log.PSComputerName,$log.FileName.Replace(" ","")
    $backup = join-path "c:\backup" $file
    $log | Invoke-CimMethod -Name BackupEventlog -Arguments @{ArchiveFileName=$backup}
}

Because I wanted each server backup to have a unique name, I used a ForEach loop.
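The loop above trusts that every call succeeded. The following function is an added example, not the article's code: it wraps the same CIM query and BackupEventLog call, uses a 24-hour time stamp, checks the ReturnValue of every call, and then confirms over WinRM that the archive actually exists on the remote disk. The computer names, log name and C:\backup folder are taken from the article's scenario; the function name is an assumption.

```powershell
# Added example: back up one classic event log on several computers over WinRM,
# check each ReturnValue and verify the archive landed on the remote disk.
function Backup-ClassicEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        [Parameter(Mandatory = $true)]
        [string]$LogName,

        # Assumed local folder on each remote computer (the article uses C:\backup)
        [string]$BackupFolder = 'C:\backup'
    )

    # One CIM query over the remoting port returns the log object for every computer.
    $logs = Get-CimInstance -ClassName Win32_NTEventLogFile `
        -Filter "LogFileName = '$LogName'" -ComputerName $ComputerName

    foreach ($log in $logs) {
        # HH = 24-hour clock, so a morning and an evening backup never share a name.
        $stamp   = Get-Date -Format 'yyyyMMddHHmm'
        $file    = '{0}_{1}_{2}.evtx' -f $stamp, $log.PSComputerName, $log.FileName.Replace(' ', '')
        $archive = Join-Path $BackupFolder $file

        # ReturnValue 0 means success; anything else is an error code. The method
        # refuses to overwrite an existing archive, so a name collision shows up here.
        $result = $log | Invoke-CimMethod -MethodName BackupEventLog `
            -Arguments @{ ArchiveFileName = $archive }

        # Confirm the file really exists, still over WinRM rather than SMB.
        $verified = $false
        if ($result.ReturnValue -eq 0) {
            $verified = Invoke-Command -ComputerName $log.PSComputerName `
                -ScriptBlock { Test-Path -LiteralPath $using:archive }
        }

        [pscustomobject]@{
            ComputerName = $log.PSComputerName
            Log          = $log.LogFileName
            Archive      = $archive
            ReturnValue  = $result.ReturnValue
            Verified     = $verified
        }
    }
}

# Usage with the article's server names: list only the backups that need attention.
Backup-ClassicEventLog -ComputerName 'chi-dc01','chi-fp01','chi-dc04','chi-fp02' -LogName 'System' |
    Where-Object { $_.ReturnValue -ne 0 -or -not $_.Verified } |
    Format-Table -AutoSize
```

Keeping the verification on the WinRM port preserves the article's goal of avoiding DCOM and RPC from the admin workstation; only the later move to the share needs SMB.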

Remote copy

Now I need to move the file from C:\Backup to a network share. Again, I want to do this all remotely, which poses a second-hop challenge. So, without resorting to CredSSP, here's a technique that should work. First, I'm going to need a credential that I can use on the remote computer.

$cred = Get-Credential globomantics\administrator

I could use this credential and map a PSDrive as I did in the previous article. An alternative is to use the legacy NET USE command and specify credentials. For that I need the user name in the format domain\username and the password as a plain text string. I can get that from my saved credential.

$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

I can use these variables with Invoke-Command to “map” a connection to the IPC$ share on the file server. This is a way of authenticating to the server without having to map an actual drive. But once authenticated, my Move-Item command will work.

invoke-command {
    net use \\chi-fp01\ipc$ /user:$Using:user $using:pass
    dir c:\backup\*.evtx | move-item -Destination \\chi-fp01\it -Force -PassThru
} -ComputerName $computers

The connection from my desktop to CHI-FP02 is encrypted as part of the temporary remote PSSession and uses the default remoting port. But the file copy from CHI-FP02 to CHI-FP01 is falling back to old-fashioned RPC, and I can't guarantee that the credentials passed with the NET USE command won't be in clear text. You'll have to test whether this is a concern, or use alternate methods to move the backup file, if that is something you need to do. But if you are OK with this approach, the screenshot shows that it works.
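The NET USE line above hands the password to net.exe as a command-line argument, where it is visible to process creation auditing and to anyone listing processes on CHI-FP02 while it runs. The following is an added example, not the article's code, of the PSDrive alternative the article mentions: the credential object travels through $using: and is consumed by New-PSDrive, so the password is used for the SMB authentication handshake rather than typed on a command line. The second hop is still SMB from CHI-FP02 to CHI-FP01. Server, share and folder names are the article's; the drive name X is an assumption.

```powershell
# Added example: move the archives to the share from inside the remote session
# without placing the password on a command line.
$cred = Get-Credential 'globomantics\administrator'

$results = Invoke-Command -ComputerName 'chi-fp02' -ScriptBlock {
    # Non-persistent drive scoped to this session; created outside the try so a
    # failed mapping stops here instead of reaching the move.
    $drive = New-PSDrive -Name X -PSProvider FileSystem -Root '\\chi-fp01\it' `
        -Credential $using:cred -ErrorAction Stop
    try {
        Get-ChildItem -Path 'C:\backup\*.evtx' | ForEach-Object {
            $dest = Join-Path 'X:\' $_.Name
            Move-Item -LiteralPath $_.FullName -Destination $dest -Force
            # Report each move and whether the source is gone and the target present.
            [pscustomobject]@{
                Source      = $_.FullName
                Destination = Join-Path '\\chi-fp01\it' $_.Name
                Moved       = (Test-Path -LiteralPath $dest) -and -not (Test-Path -LiteralPath $_.FullName)
            }
        }
    }
    finally {
        # Tear the SMB connection down even if a move fails, like NET USE /DELETE.
        Remove-PSDrive -Name $drive.Name -Force
    }
}

$results | Format-Table -AutoSize
```

The finally block matters: a mapped connection left behind on the file server keeps the administrator's session open on CHI-FP02 longer than the copy needs.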

Remote backup with PowerShell

Another alternative that comes to mind is to set up a scheduled PowerShell job on the remote computers that uses the BITSTransfer module to copy the event log backup to the file share. It would have been much easier if we could use the BITS cmdlets in a remote session, but sadly that is not supported.

Clearing event logs

At this point, all that remains is clearing the event log and this is the easiest step in the entire management process, using Clear-Eventlog.

PS C:\> clear-eventlog "windows powershell" -comp chi-dc04

This will run without question or warning. If you are a little nervous, use -Confirm as I do in the screenshot.

Clearing event logs

Clearing a log for multiple computers is just as easy.

PS C:\> clear-eventlog "windows powershell" -comp $computers

You can even clear multiple event logs on multiple computers with a single command.

PS C:\> clear-eventlog "windows powershell","system","application" -comp $computers

Naturally, make sure you have a backup just in case.
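A script can enforce that last sentence instead of relying on memory. The function below is an added example, not the article's code: before clearing a log on each computer it looks in C:\backup for an archive of that log named the way the article's backup step names them, refuses to clear when no backup newer than a chosen age exists, and supports -WhatIf and -Confirm through ShouldProcess. Folder, log and computer names follow the article; the function name and the MaxAgeMinutes default are assumptions.

```powershell
# Added example: clear a classic log only where a fresh backup already exists.
function Clear-BackedUpEventLog {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$LogName,
        [string]$BackupFolder = 'C:\backup',   # assumed, as in the article
        [int]$MaxAgeMinutes = 60               # assumed freshness window
    )

    foreach ($computer in $ComputerName) {
        # Match <stamp>_<computer>_<log>.evtx, the pattern the backup step produces
        # (assumes the log's FileName equals its LogFileName, as for System/Application).
        $pattern = '*_{0}_{1}.evtx' -f $computer, $LogName.Replace(' ', '')

        # Newest matching archive's write time, fetched over WinRM; $null if none.
        $latest = Invoke-Command -ComputerName $computer -ScriptBlock {
            Get-ChildItem -Path $using:BackupFolder -Filter $using:pattern -ErrorAction SilentlyContinue |
                Sort-Object LastWriteTime -Descending |
                Select-Object -First 1 -ExpandProperty LastWriteTime
        }

        if (-not $latest -or ((Get-Date) - $latest).TotalMinutes -gt $MaxAgeMinutes) {
            Write-Warning "${computer}: no backup of '$LogName' newer than $MaxAgeMinutes minutes; skipping."
            continue
        }

        # ConfirmImpact High means this prompts unless the caller passes -Confirm:$false.
        if ($PSCmdlet.ShouldProcess($computer, "Clear event log '$LogName' (backup from $latest)")) {
            Clear-EventLog -LogName $LogName -ComputerName $computer
        }
    }
}

# Dry run first, then the real run (which prompts per computer).
$computers = 'chi-dc01','chi-fp01','chi-dc04','chi-fp02'
Clear-BackedUpEventLog -ComputerName $computers -LogName 'System' -WhatIf
Clear-BackedUpEventLog -ComputerName $computers -LogName 'System'
```

Because the check reads the archive's write time rather than trusting a variable from an earlier script, it still works when the backup and the clear run as separate jobs.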

Summary

Managing classic event logs with PowerShell is actually pretty simple. I’ve demonstrated a few techniques using the cmdlets. I encourage you to read full cmdlet help and examples for everything I’ve shown you and test all of this in a non-production environment.

9 Comments
  1. Ravindra (10 years ago)

    Thanks for the post, but when I use clear-eventlog "system" -comp $computer, for most of the machines it works, but for some (especially Windows 7 machines) it says network path not found... Could you please explain the reason for that and how I can overcome this?

  2. Jeff Hicks (Author, 10 years ago)

    The first thing that comes to mind is that the remote computer is offline. Or it may not have a firewall exception for remote management. Or you may not have the right credentials. But I’d expect an access denied message if that was the case. I would try and clear the log for a single problem computer that you know is on and see what happens.

  3. Ravindra (10 years ago)

    PS C:\BackupScript\Scripts> Clear-EventLog "system" -Comp abcd1234
    Clear-EventLog : The path to the "abcd1234" computer cannot be found.
    At line:1 char:15
    + Clear-EventLog <<<<
    PS C:\BackupScript\Scripts> Test-Connection abcd1234

    WARNING: 2 columns do not fit into the display and were removed.

    Source Destination IPV4Address IPV6Address
    ------ ----------- ----------- -----------
    DXB-ADC-02 abcd1234 10.2.10.40 {}
    DXB-ADC-02 abcd1234 10.2.10.40 {}
    DXB-ADC-02 abcd1234 10.2.10.40 {}
    DXB-ADC-02 abcd1234 10.2.10.40 {}

    That's what I initially thought too, but in the above example I am able to ping the machine (Windows 7) but still get the error message. Is there something I am missing? I have some 200 Windows 7 machines from which I need to delete the System event logs.

  4. Jeff Hicks (Author, 10 years ago)

    I’m thinking this is more of a firewall issue on the remote computer. Can you run any of these commands:

    get-eventlog -list -computer ABC
    get-wmiobject win32_bios -computer ABC
    get-hotfix -computer ABC

    If those fail with the same error verify the Windows Management Instrumentation service is running and that there is a firewall exception for remote management. If these commands fail, Clear-Eventlog will also fail.

  5. Ravindra (10 years ago)

    Initially none of the below commands were working:

    get-eventlog -list -computer ABC
    get-wmiobject win32_bios -computer ABC
    get-hotfix -computer ABC

    I checked the client machine abcd1234 (Win 7) and after doing some R&D found that by default the RemoteRegistry service is stopped on all Windows 7 machines. I started the service on a couple of client machines and all PowerShell cmds are now working fine. But the next challenge is that I have some 400+ machines where I now need to start the RemoteRegistry service. Is there any way I can automate it?

  6. Ravindra (10 years ago)

    $computers = get-content C:\service.txt
    ForEach ($entry in $computers)
    {
        # Get-Service's first positional parameter is the service name, not the display name
        Get-Service -Name RemoteRegistry -ComputerName $entry | start-service
    }

    The above is not working in Windows 7, so I am looking for some alternative.

  7. Jeff Hicks (Author, 10 years ago)

    Using Group Policy to configure services is the recommended way. At least the way I would do it. Somewhere I missed you were using Get-Process. That requires the Remote Registry service. For Get-Service and the WMI cmdlets, you need to ensure the firewall exception for remote management is enabled.

  8. Acacias.f (10 years ago)

    Hello Ravindra, you can try the following to start the RemoteRegistry service on your Win7 computers.

    $computers = get-content C:\service.txt
    ForEach ($entry in $computers)
    {
        # Only stopped instances of the service are returned; $services is $null when it is already running
        $services = gwmi win32_Service -filter "name='remoteregistry' AND state='stopped'" -computername $entry
        if ($services) {
            # StartService() returns a result object; discard it
            $services.StartService() | Out-Null
        }
    }

  9. Fahd (7 years ago)

    Hi,
    $file = "{0}_{1}_{2}.evtx" -f (Get-Date -f "yyyyMMddhhmm"),$log.PSComputerName,$log.FileName.Replace(" ","")

    Could you please explain what these values "{0}_{1}_{2}.evtx" are used for? Is this the file name with extension, or is there another meaning for {0}_{1}_{2}?
    Thanks
    Fahd

© 4sysops 2006 - 2023