
I am tasked to take a backup of all the event logs across all the servers and retain them for 30 days. I have written a simple PowerShell script to do this.

Get-WinEvent -ListLog * | Select-Object LogName, LogFilePath | ForEach-Object -Process {
    $name = $_.LogName
    $path = $_.LogFilePath
    # export each log to an .evtx file named after the log
    wevtutil.exe EPL $name C:\Users\Owner\Desktop\eventlogs\$name.evtx
}

This exports the log files for the NT classic event logs only; for the rest of the logs I get a "system cannot find the path specified" error. I changed the wevtutil call and included the /lf parameter and passed the $path variable, and it's still the same. Except for the classic logs, for everything else the below is the error I get.

wevtutil.exe : Failed to export log Microsoft-Windows-WPD-MTPClassDriver/Operational. 
The system cannot find the path specified.
At line:19 char:1
+ wevtutil.exe EPL $name  C:\Users\Owner\Desktop\eventlogs\$name.evtx
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Failed to expor...path specified.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandErrorBlockquote

Is there any other better way to accomplish what I am trying to do, please?

Teja
  • The error 'NativeCommandErrorBlockquote' indicates a quoting issue calling `wevtutil.exe`. It's difficult to tell what exactly as you've mixed block quote markdown with code formatting. Please review your provided code and correct the markdown. – jscott Apr 10 '17 at 11:55

2 Answers

The problem is the $name variable. If you check which export files get created and which not, you'll notice that all log names that contain a forward slash / generate the error message. The reason for this is that the / is an invalid character in a file name (under Windows).

You can run the export by replacing the / with a valid character:

Get-WinEvent -ListLog * | Select-Object LogName, LogFilePath | ForEach-Object -Process {
    $name = $_.LogName
    # '/' is not allowed in a Windows file name, so swap it for '-'
    $safename = $name.Replace("/", "-")
    # wevtutil still receives the real log name; only the output file name is changed
    wevtutil.exe EPL $name C:\Users\Owner\Desktop\eventlogs\$safename.evtx
}
Gerald Schneider
  • Thank you mate, I kept looking at the wrong place. As the error says, it failed to export the logs, but in reality it couldn't save the exported logs because of file naming constraints. Good spot there, thanks. – Teja Apr 10 '17 at 14:06
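As an added example (not part of the answer above), the same approach generalised to every character Windows forbids in a file name, with the 30-day retention from the question handled by pruning old export folders; the export root is an assumed location and the script expects to run elevated so that protected logs such as Security can be read.

```powershell
# Added example, not the original poster's or answerer's code.
$ExportRoot    = 'C:\EventLogBackup'   # assumed location, change as needed
$RetentionDays = 30

# One folder per run, so repeated exports never overwrite each other
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Dest  = Join-Path $ExportRoot $Stamp
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Channel names such as Microsoft-Windows-WPD-MTPClassDriver/Operational
# contain '/', but '/' is only one of the characters a file name may not hold.
$invalidChars = [IO.Path]::GetInvalidFileNameChars()

Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | ForEach-Object {
    $name     = $_.LogName
    $safeName = $name
    foreach ($c in $invalidChars) {
        $safeName = $safeName.Replace($c, '-')
    }
    $target = Join-Path $Dest "$safeName.evtx"

    # wevtutil gets the real channel name; only the output path is sanitised.
    # /ow:true overwrites an existing file instead of failing.
    & wevtutil.exe epl $name $target /ow:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export failed for '$name' (exit code $LASTEXITCODE)"
    }
}

# Retention: drop run folders older than the 30-day window
Get-ChildItem -Path $ExportRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Recurse -Force
```

Run it from a scheduled task under an account that can read all channels; a warning per failed channel, rather than a red NativeCommandError, makes a partial backup visible in the task history.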

You can install a centralized Syslog server (i.e. Graylog) and forward all events from every server there with something like NXLog. This way you'll get superior manageability and security for your logs...

Anubioz