Saturday, September 27, 2008

Backing up remote eventlogs using WMIC

This week I was out on an oil rig in the North Sea helping out with some fail-over testing. After the test I had to collect the event logs from all the computers involved, and as I'm a scripting guy I definitely did not want to do that manually. This is a Windows Server 2003 and Windows XP environment, and a highly restricted one: I could not install PowerShell or plug in and use my own PC, so I had to look elsewhere. First I looked at Sysinternals' psloglist, but it could not do the job. It could either dump the event logs as text - I wanted binary - or dump them as binary and clear the logs at the same time. I only wanted a backup. Next I googled and Live Searched without finding anything useful, until my old friend WMIC resurfaced in my mind. Wasn't there some method in WMI that could do the job?

Back on my own PC, I could easily find the method. It was just a matter of typing gwmi win32_nt, pressing tab (as I naturally use PowerTab), selecting Win32_NTEventlogFile and piping it into Get-Member -

gwmi win32_nteventlogfile | gm

And the method BackupEventlog showed up. I started wbemtest on a Windows XP PC and checked that the method also existed on Windows XP. After this, I started to figure out the WMIC command line - which quite often is hard to get right. I ended up with -


wmic /node:"server" nteventlog where "logfilename='system'" call backupeventlog "c:\system.evt"

Note that the backup file path is interpreted on the remote node, not on the PC running wmic. I tried saving straight back to the local PC with a \\currentpc path, but got access denied, and I did not want to create a share for this. That result is expected rather than a misconfiguration: the remote WMI provider impersonates the caller at the default impersonation level, which lets it write to that machine's own disk but not pass the caller's credentials on to a third machine, so a UNC path pointing back at the local PC is written with no usable identity. Also note that the WMIC alias for Win32_NTEventlogFile is NTEVENTLOG.

Finally, I ended up with this backup.bat file. All.txt contains a list of the computers I needed to get the logs from, one name per line. Note that I delete the evt-files first, as backupeventlog will not overwrite an existing file (needed if the script is re-run). Everything here runs under the credentials of whoever starts the batch file, so you need to be a local administrator on each target: the remote WMI call, the c$ admin share and, for the Security log, the 'Manage auditing and security log' privilege all require it.

rem Collected logs end up under %temp%\logs\<computername>\
set targetdir=%temp%\logs
rem Remove leftovers from a previous run: backupeventlog refuses to overwrite.
rem Caveat: this removes every .evt in the root of C: on the target, not only ours.
for /f %%I in (all.txt) do del \\%%I\c$\*.evt
rem The archive path is local to the remote node, hence c:\ rather than a UNC path
for /f %%I in (all.txt) do wmic /NODE:"%%I" nteventlog where "logfilename='system'" call backupeventlog "c:\system.evt"
for /f %%I in (all.txt) do wmic /NODE:"%%I" nteventlog where "logfilename='security'" call backupeventlog "c:\security.evt"
for /f %%I in (all.txt) do wmic /NODE:"%%I" nteventlog where "logfilename='application'" call backupeventlog "c:\application.evt"
rem Pull the archives back over the admin share (/z restartable, /njh /njs no job header/summary)
for /f %%I in (all.txt) do robocopy \\%%I\c$ %targetdir%\%%I *.evt /z /njs /njh
rem Clean up the remote copies
for /f %%I in (all.txt) do del \\%%I\c$\*.evt
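For readers who do have PowerShell on the collecting PC, here is the same Win32_NTEventlogFile.BackupEventlog call driven from there. This is an added example, not the script from the post: it checks the method's ReturnValue instead of assuming success (0 is success and 183 is the documented "archive file already exists" code that forces the delete-first step above), stages the archives in a dedicated folder on each target so cleanup cannot touch unrelated .evt files, and records a SHA-256 of every copied file so the collected evidence can later be shown to be unaltered. The host list file all.txt, the staging folder C:\evtbackup and the output folder are assumptions; as in the batch file, you must be a local administrator on every target and WMI/DCOM plus the c$ share must be reachable.

```powershell
# Added example (not from the original post): BackupEventlog via WMI from PowerShell,
# with return codes checked, a dedicated remote staging folder, and SHA-256 of each copy.
# Assumptions: local admin on each target, WMI/DCOM and the C$ admin share reachable,
# host list in all.txt (one name per line).
param(
    [string]$HostList  = '.\all.txt',
    [string]$TargetDir = (Join-Path $env:TEMP 'logs'),
    [string[]]$Logs    = @('System', 'Security', 'Application')
)

# Documented return values of Win32_NTEventlogFile.BackupEventlog; anything else is a Win32 error code.
$ReturnText = @{ 0 = 'Success'; 8 = 'Privilege missing'; 21 = 'Invalid parameter'; 183 = 'Archive file already exists' }

# Staging folder as seen from the target itself. BackupEventlog writes there, so this must be
# a path local to the remote node, not a UNC path back to the collecting PC.
$RemoteStage = 'C:\evtbackup'

New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
$HashFile = Join-Path $TargetDir 'sha256sums.txt'

foreach ($node in Get-Content $HostList | Where-Object { $_.Trim() }) {
    $node  = $node.Trim()
    $share = "\\$node\c$\evtbackup"              # same folder, reached over the admin share
    $dest  = Join-Path $TargetDir $node
    New-Item -ItemType Directory -Path $share, $dest -Force | Out-Null

    foreach ($log in $Logs) {
        $file = "$log.evt"
        $wmi  = Get-WmiObject -ComputerName $node -Class Win32_NTEventlogFile `
                -Filter "LogFileName='$log'" -ErrorAction SilentlyContinue
        if (-not $wmi) { Write-Warning "${node}: log '$log' not found or host unreachable"; continue }

        # The archive is written on the remote machine; check the return code before copying.
        $rc = [int]$wmi.BackupEventlog("$RemoteStage\$file").ReturnValue
        if ($rc -ne 0) {
            $why = if ($ReturnText.ContainsKey($rc)) { $ReturnText[$rc] } else { "Win32 error $rc" }
            Write-Warning "${node}: backup of $log failed: $why"
            continue
        }

        # Pull the archive back over the admin share and fingerprint it so the copy can
        # later be shown unaltered (keep sha256sums.txt with the evidence).
        $local = Join-Path $dest $file
        Copy-Item -Path (Join-Path $share $file) -Destination $local -Force
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::OpenRead($local)
        try   { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
        finally { $fs.Close() }
        "$hash  $node\$file" | Add-Content -Path $HashFile

        # Remove only the file we created; other .evt files on the target are never touched.
        Remove-Item -Path (Join-Path $share $file) -Force
    }
}
```

Run it from the collecting PC as an account that is an administrator on the targets, e.g. .\backup.ps1 -HostList .\all.txt. Because the return code is inspected per log, a host where the Security log backup fails with "Privilege missing" is reported by name instead of silently yielding an empty folder, which is exactly the failure that is hardest to notice in the batch version.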

1 comment:

Saimonsais said...

I just discovered wmic for myself, and really like it. I have just 2 "problems" with it, maybe you can answer them easily. I would be really glad for your help.

- First, I want to export the eventlog to CSV for further use. If I set /format:csv it works fine as long as I do not include 'messages' among the GET values. If messages is there, the CSV is broken and unable to be imported for further use.
- Second: I can't filter ntevents by hour. I mean, is it possible to run it for the "last 168" hours without giving the current time? That way I could build up weekly cycles for myself, exporting the events of a week ... (like psloglist has the -d switch)

Are there workarounds?