Backing Up Event Logs

by Mar 9, 2018

There are a number of useful cmdlets for managing event logs, but one piece of functionality is missing:

 
PS> Get-Command -Noun EventLog 

CommandType Name            Version Source                         
----------- ----            ------- ------                         
Cmdlet      Clear-EventLog  3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Get-EventLog    3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Limit-EventLog  3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      New-EventLog    3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Remove-EventLog 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Show-EventLog   3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Write-EventLog  3.1.0.0 Microsoft.PowerShell.Management 

There is no cmdlet to back up an event log to an *.evtx file. Let’s create one:

function Backup-Eventlog
{
    param
    (
        [Parameter(Mandatory)]
        [string]
        $LogName,

        [Parameter(Mandatory)]
        [string]
        $DestinationPath
    )

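    # Look up the WMI object that represents the requested log
    $eventLog = Get-WmiObject -Class Win32_NTEventlogFile -Filter "FileName='$LogName'"
    if ($null -eq $eventLog)
    {
        throw "Eventlog '$LogName' not found."
    }
    
    # BackupEventlog() returns a Win32 error code (0 = success);
    # wrapping it in Win32Exception yields the matching message text
    [int]$status = $eventLog.BackupEventlog($DestinationPath).ReturnValue
    New-Object -TypeName ComponentModel.Win32Exception($status)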
}

And here’s an example of how easy it is now to back up an event log:

 
PS> Backup-Eventlog -LogName Application -DestinationPath c:\test\backup.evtx
The operation completed successfully

PS> Backup-Eventlog -LogName Application -DestinationPath c:\test\backup.evtx
The file exists

PS>  
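When the backup is taken as evidence during incident response, each run should write a new file (a second backup to the same path fails with "The file exists", as shown above) and the hash of the file should be recorded at collection time. The following is an added example, not code from the original tip; the function name Backup-EventLogEvidence, its parameters and the file naming scheme are assumptions, and it is meant to be run from an elevated session.

```powershell
# Added example: Backup-EventLogEvidence and its parameters are hypothetical names
function Backup-EventLogEvidence
{
    param
    (
        [Parameter(Mandatory)]
        [string[]]
        $LogName,

        [Parameter(Mandatory)]
        [string]
        $DestinationFolder
    )

    if (-not (Test-Path -Path $DestinationFolder -PathType Container))
    {
        $null = New-Item -Path $DestinationFolder -ItemType Directory
    }
    $folder = (Resolve-Path -Path $DestinationFolder).ProviderPath
    # BackupEventlog() never overwrites, so a UTC timestamp keeps each file name unique
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

    foreach ($name in $LogName)
    {
        # Escape single quotes so the log name cannot break out of the WQL string
        $filter = "FileName='{0}'" -f ($name -replace "'", "\'")
        # -EnableAllPrivileges lets WMI use the privileges held by the elevated caller
        $log = Get-WmiObject -Class Win32_NTEventlogFile -Filter $filter -EnableAllPrivileges
        if ($null -eq $log)
        {
            Write-Error "Eventlog '$name' not found."
            continue
        }

        $file = '{0}_{1}_{2}.evtx' -f $env:COMPUTERNAME, ($name -replace '[^\w-]', '_'), $stamp
        $target = Join-Path -Path $folder -ChildPath $file
        [int]$status = $log.BackupEventlog($target).ReturnValue
        if ($status -ne 0)
        {
            $reason = (New-Object -TypeName ComponentModel.Win32Exception($status)).Message
            Write-Error "Backup of '$name' failed ($status): $reason"
            continue
        }

        # Record the hash at collection time so later tampering is detectable
        $hash = Get-FileHash -Path $target -Algorithm SHA256
        [PSCustomObject]@{ LogName = $name; Path = $target; SHA256 = $hash.Hash }
    }
}
```

The emitted objects can be exported and stored separately from the .evtx files, so the hashes remain trustworthy if the backup folder is later modified.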
