There are a number of useful cmdlets to manage event logs, but one piece of functionality is missing:

```powershell
PS> Get-Command -Noun EventLog

CommandType Name            Version Source
----------- ----            ------- ------
Cmdlet      Clear-EventLog  3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Get-EventLog    3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Limit-EventLog  3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      New-EventLog    3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Remove-EventLog 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Show-EventLog   3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Write-EventLog  3.1.0.0 Microsoft.PowerShell.Management
```
There is no cmdlet to back up an event log to an *.evtx file. Let's create one, using the BackupEventLog method of the Win32_NTEventLogFile WMI class. The method needs SeBackupPrivilege, so the WMI object is retrieved with -EnableAllPrivileges, and the function should be run from an elevated session:

```powershell
function Backup-EventLog {
    param (
        [Parameter(Mandatory)]
        [string] $LogName,

        [Parameter(Mandatory)]
        [string] $DestinationPath
    )

    # -EnableAllPrivileges enables SeBackupPrivilege, which BackupEventLog requires
    $eventLog = Get-WmiObject -Class Win32_NTEventLogFile -Filter "FileName='$LogName'" -EnableAllPrivileges
    if ($null -eq $eventLog) {
        throw "Event log '$LogName' not found."
    }

    # ReturnValue is a Win32 error code (0 = success, 80 = file already exists);
    # Win32Exception turns it into the matching system message
    [int]$status = $eventLog.BackupEventLog($DestinationPath).ReturnValue
    (New-Object -TypeName ComponentModel.Win32Exception($status)).Message
}
```
And here's an example of how easy it is now to back up an event log. Use a full path for the destination (the WMI provider process resolves it, not your shell), and note that the method refuses to overwrite an existing file:

```powershell
PS> Backup-EventLog -LogName Application -DestinationPath c:\test\backup.evtx
The operation completed successfully

PS> Backup-EventLog -LogName Application -DestinationPath c:\test\backup.evtx
The file exists

PS>
```
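When you back up logs before clearing them, for instance to preserve evidence during an incident, you usually want every classic log, a destination that cannot collide with an earlier backup, and proof that each .evtx is readable afterwards. The following function is an added example, not part of the original tip; it uses the same Win32_NTEventLogFile.BackupEventLog call as above and assumes an elevated session and a writable destination folder (the name Backup-AllEventLogs and the C:\test path are my choices):

```powershell
# Added example: back up every classic event log into a timestamped folder and
# verify each backup by reading it back with Get-WinEvent -Path.
function Backup-AllEventLogs {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $DestinationFolder
    )

    # A new folder per run, so BackupEventLog never hits "The file exists" (80)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $DestinationFolder $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # -EnableAllPrivileges enables SeBackupPrivilege, which BackupEventLog requires
    $logs = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges

    foreach ($log in $logs) {
        $file    = Join-Path $target ("{0}.evtx" -f $log.LogfileName)
        $status  = [int] $log.BackupEventLog($file).ReturnValue
        $message = (New-Object -TypeName ComponentModel.Win32Exception($status)).Message

        $backupRecords = $null
        if ($status -eq 0) {
            # Read the file back through the Event Log API to prove it is usable.
            # An empty log makes Get-WinEvent report "No events were found"; the
            # @() wrapper and -ErrorAction turn that into a count of 0.
            $backupRecords = @(Get-WinEvent -Path $file -ErrorAction SilentlyContinue).Count
        }

        [pscustomobject]@{
            LogName       = $log.LogfileName
            Path          = $file
            Status        = $status
            Message       = $message
            SourceRecords = $log.NumberOfRecords
            BackupRecords = $backupRecords
        }
    }
}

# Usage (constructed path): one row per log, with the record counts side by side
Backup-AllEventLogs -DestinationFolder C:\test | Format-Table -AutoSize
```

SourceRecords and BackupRecords will normally match; a slightly higher source count only means events arrived while the copy was being read back, whereas a BackupRecords of $null flags a log whose backup failed (Status carries the Win32 code). Backups of the Security log contain logon and audit data, so write them to a location with the same access controls as the live log.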
Are you an experienced professional PowerShell user? Then learning from default course work isn't your thing. Consider learning the tricks of the trade from one another! Meet the most creative and sophisticated fellow PowerShellers, along with Microsoft PowerShell team members and PowerShell inventor Jeffrey Snover. Attend this year's PowerShell Conference EU, taking place April 17-20 in Hanover, Germany, for the leading edge. 35 international top speakers, 80 sessions, and security workshops are waiting for you, including two exciting evening events. The conference is limited to 300 delegates. More details at www.psconf.eu.