Technology Toolbox

Your technology Sherpa for the Microsoft platform

Jeremy Jameson - Founder and Principal

Script to Save Event Logs

Note
This post originally appeared on my MSDN blog:

Since I no longer work for Microsoft, I have copied it here in case that blog ever goes away.

Earlier this week, I shared a script that I frequently use in my development environments to clear the event logs (for example, whenever I want to verify that one of my VMs "boots clean" -- meaning without any errors or warnings). Note that prior to clearing each of the event logs, the script first saves a copy (to C:\ with a timestamp in the filename) just in case I need to go back and look at them.

While you could easily modify the original script I provided in order to save -- but not clear -- the event logs, as I was writing my previous post this morning, I thought it would be helpful to share a different script in which I have already done just that.

Here is the script that I occasionally use whenever I need to analyze event logs from a Production environment. I typically ask one of the members of the Operations team to run the script for me (for each of the servers that I need to analyze) and subsequently copy the saved copies of the event logs to some location that I actually have access to. [I don't typically have -- nor want -- access to the Production environments on projects I'm involved with.]

Note that I am typically only interested in the Application and System logs. If you want to save copies of other event logs, you'll need to tweak the script below.

Save Event Logs.vbs

If WScript.Arguments.Count > 1 Then
    WScript.Echo
    WScript.Echo "Usage: cscript ""Save Event Logs.vbs"" [computer name]"
    WScript.Echo
    WScript.Quit
End If

Dim strComputer ' As String

If WScript.Arguments.Count > 0 Then
    strComputer = WScript.Arguments(0)
Else
    strComputer = "localhost"
End If

SaveEventLogs strComputer

WScript.Echo "Done"

Private Sub SaveEventLogs(strComputer)
    WScript.Echo "Saving event logs on " & strComputer & "..."

    SaveEventLog strComputer, "Application"
    ' The Security log is skipped by default; uncomment the next line to include it
    'SaveEventLog strComputer, "Security"
    SaveEventLog strComputer, "System"
End Sub

Private Sub SaveEventLog(strComputer, strEventLogName)
    ' Connect to WMI on the target computer; "(Backup)" enables the Backup
    ' privilege, which the BackupEventLog method requires
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Backup)}!\\" & _
            strComputer & "\root\cimv2")

    ' Find the event log file with the specified name
    Set colLogFiles = objWMIService.ExecQuery _
        ("Select * from Win32_NTEventLogFile where LogFileName='" _
            & strEventLogName & "'")

    For Each objLogfile in colLogFiles
        ' Build the backup filename; the computer name is included
        ' when the script targets a computer other than localhost
        Dim backupFilename
        backupFilename = "\"

        If (Not strComputer = "localhost") Then
            backupFilename = backupFilename & strComputer & "_"
        End If

        backupFilename = backupFilename & strEventLogName & "_" _
            & GetFormattedTimestamp() & ".evt"

        ' BackupEventLog returns 0 on success
        errBackupLog = objLogFile.BackupEventLog(backupFilename)
        If errBackupLog <> 0 Then
            WScript.Echo "The " & strEventLogName & " event log on " _
                & strComputer & " could not be backed up."
        End If
    Next
End Sub

Private Function GetFormattedTimestamp
    Dim timestamp
    timestamp = Now

    GetFormattedTimestamp = Year(timestamp) _
        & LPad(Month(timestamp), 2, "0") _
        & LPad(Day(timestamp), 2, "0") _
        & "_" & Replace(FormatDateTime(timestamp, 4),":","")
End Function

Private Function LPad(strValue, nLength, strPadCharacter)
    Dim strPaddedValue

    strPaddedValue = strValue

    While (Len(strPaddedValue) < nLength)
        strPaddedValue = strPadCharacter & strPaddedValue
    WEnd

    LPad = strPaddedValue
End Function
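
The "tweak the script" step mentioned above, sketched as an added example (not part of the original post): the logs to save come from a list, and the Security log gets the extra WMI privilege it needs. The `SaveLog` and `Stamp` names, the `C:\` output folder and the list of logs are assumptions made for illustration.

```vbscript
Option Explicit

' Constructed list for illustration: the event logs to save from this server.
Dim arrLogNames, strLogName
arrLogNames = Array("Application", "System", "Security")

For Each strLogName In arrLogNames
    SaveLog ".", strLogName
Next

Sub SaveLog(strComputer, strLogName)
    Dim strPrivileges, objWMIService, colLogFiles, objLogFile
    Dim strFilename, nResult, bFound

    ' BackupEventLog needs the Backup privilege; reading the Security
    ' log through WMI additionally needs the Security privilege.
    strPrivileges = "(Backup)"
    If LCase(strLogName) = "security" Then strPrivileges = "(Backup,Security)"

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate," & strPrivileges & "}!\\" _
        & strComputer & "\root\cimv2")

    Set colLogFiles = objWMIService.ExecQuery( _
        "Select * from Win32_NTEventLogFile where LogFileName='" _
        & strLogName & "'")

    bFound = False
    For Each objLogFile In colLogFiles
        bFound = True
        ' Assumed output folder (C:\) on the computer that owns the log.
        strFilename = "C:\" & strLogName & "_" & Stamp() & ".evt"
        nResult = objLogFile.BackupEventLog(strFilename)
        If nResult = 0 Then
            WScript.Echo "Saved " & strLogName & " to " & strFilename
        Else
            WScript.Echo strLogName & ": BackupEventLog returned " & nResult
        End If
    Next

    ' A misspelled log name matches nothing and would otherwise pass silently.
    If Not bFound Then WScript.Echo "No event log named " & strLogName
End Sub

Function Stamp()
    ' yyyymmdd_hhmmss; seconds keep two runs within a minute from sharing a name.
    Dim t : t = Now
    Stamp = Year(t) & Right("0" & Month(t), 2) & Right("0" & Day(t), 2) _
        & "_" & Right("0" & Hour(t), 2) & Right("0" & Minute(t), 2) _
        & Right("0" & Second(t), 2)
End Function
```

Run it with `cscript` from an elevated prompt; echoing the numeric return value makes a privilege or path failure easier to tell apart than a generic "could not be backed up" message.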
