• Author
• Recent Posts

Jeffery Hicks

Jeff Hicks is a long-time Microsoft MVP specializing in PowerShell and automation. He creates PowerShell content for Pluralsight and blogs regularly at https://jdhitsolutions.com/blog. Jeff's latest project is a premium content newsletter at jeffhicks.substack.com Follow him on Twitter as @jeffhicks.

Latest posts by Jeffery Hicks (see all)

• Use PowerShell splatting and PSBoundParameters to pass parameters - Wed, Nov 9 2022
• Using PowerShell with $PSStyle - Mon, Jan 24 2022
• Clean up user profiles with PowerShell - Mon, Jun 9 2014

I also wanted to develop a technique that could remotely create the backup and move to a shared folder that using PowerShell’s remoting ports and did not rely on DCOM or RPC, well at least from your computer to the remote computer. On the back end the file copy from the remote server to the shared folder will still need to be a traditional file transfer. But we’re getting ahead of ourselves.

Using CIM Cmdlets

From my desktop running PowerShell 3, I can get a classic event log using Get-CIMInstance.

$logname = "Security"
$log = Get-CimInstance win32_nteventlogfile -filter "logfilename = '$logname'" -ComputerName CHI-FP02

Using the CIM cmdlets I can make a WMI query over the same remoting port that PowerShell uses. This means no DCOM or RPC.

As I did in the previous article I’m going to define the name of a backup file that includes a time stamp, the computer name, and the name of the event log with any spaces removed.

$file = "{0}_{1}_{2}.evtx" -f (Get-Date -f "yyyyMMddhhmm"),$log.PSComputerName,$log.FileName.Replace(" ","")

The file stamp is in the format YearMonthDayHourMinute and it is case-sensitive. I’m going to backup to a local directory on CHI-FP02.

$backup = join-path "c:\backup" $file

I’ll create the backup itself using the Invoke-CIMMethod cmdlet.

$log | Invoke-CimMethod -Name BackupEventlog -Arguments @{ArchiveFileName=$backup}

As with WMI, I’ll get an object with a ReturnValue indicating success. I can also check the directory via remoting as I’ve done in the screenshot below.

Check a directory via remoting

I could repeat this for as many logs as I want or scale this out to backup the same log on multiple computers, ideally to the same local folder.

$computers = "chi-dc01","chi-fp01","chi-dc04","chi-fp02"
$logname = "System"
$logs = Get-CimInstance win32_nteventlogfile -filter "logfilename = '$logname'" -ComputerName $computers

foreach ($log in $logs) {
$file = "{0}_{1}_{2}.evtx" -f (Get-Date -f "yyyyMMddhhmm"),$log.PSComputerName,$log.FileName.Replace(" ","")
$backup = join-path "c:\backup" $file
$log | Invoke-CimMethod -Name BackupEventlog -Arguments @{ArchiveFileName=$backup}
}

Because I wanted each server backup to have a unique name, I used a ForEach loop.

Remote copy

Now I need to move the file from C:\Backup to a network share. Again, I want to do this all remotely which poses a 2^nd hop challenge. So without resorting to CredSSP here’s a technique that should work. First, I’m going to need a credential that I can use on the remote computer.

$cred = Get-Credential globomantics\administrator

I could use this credential and map a PSDrive as I did in the previous article. An alternative is to use the legacy NET USE command and specify credentials. For that I need the user name in the format domain\username and the password as a plain text string. I can get that from my saved credential.

$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

I can use these variables with Invoke-Command to “map” a connection to the IPC$ share on the file server. This is a way of authenticating to the server without having to map an actual drive. But once authenticated, my Move-Item command will work.

invoke-command {
 net use \\chi-fp01\ipc$ /user:$Using:user $using:pass
 dir c:\backup\*.evtx | move-item -Destination \\chi-fp01\it -Force -PassThru

} -ComputerName $computers

The connection from my desktop to CHI-FP02 is encrypted as part of the temporary remote PSSession and uses the default remoting port. But the file copy from CHI-FP02 to CHI-FP01 is falling back to old-fashioned RPC and I can’t guarantee that the credentials passed with the NET USE command won’t be in clear text. You’ll have to test if this is a concern or use alternate methods to move the backup file, if that is something you need to do. But if you are ok with this approach, the screenshot shows that it works.

Remote backup with PowerShell

Another alternative that comes to mind is to setup a scheduled PowerShell job on the remote computers to use the BITSTransfer module to copy the event log backup to the file share. It would have been much easier if we could use the BITS cmdlets in a remote session, but sadly that is not supported.

Clearing event logs

At this point, all that remains is clearing the event log and this is the easiest step in the entire management process, using Clear-Eventlog.

PS C:\> clear-eventlog "windows powershell" -comp chi-dc04

This will run without question or warning. If you are a little nervous, use –confirm as I do in the screenshot.

Clearing event logs

Clearing a log for multiple computers is just as easy.

PS C:\> clear-eventlog "windows powershell" -comp $computers

You can even clear multiple event logs on multiple computers with a single command.

PS C:\> clear-eventlog "windows powershell","system","application" -comp $computers

Naturally, make sure you have a backup just in case.

Summary

Managing classic event logs with PowerShell is actually pretty simple. I’ve demonstrated a few techniques using the cmdlets. I encourage you to read full cmdlet help and examples for everything I’ve shown you and test all of this in a non-production environment.