Export Windows event log and send report to IT administrators

This script can be used for exporting specified Windows event log to CSV file. Then send email to specified IT administrators with this attachment.

ExportEvent.zip
 
 
 
 
 
4 Star
(12)
21,601 times
Add to favorites
Operating System
11/25/2016
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question


  • How do I run this script and command line through Windows Scheduler
    1 Posts | Last post October 04, 2018
    • I've got this to run fine and can export events from a remote server a long as I put the 
      -ComputerName switch in the Get-WinEvent line of the powershell script.  I can not add it aas a parameter and reference it in the Export-OSCEvent command.
      I also adjusted the script to accept credentials for my Office365 email system, which lines I borrowed from another technet download script.
      Now I would like to be able to run the script like I do manually in the Azure AD Module for Powershell and put the two powershell commands into the Windows Scheduler as I have done:
      
      PS C:\Windows>. .\exportEvents.ps1
      PS C:\Windows>Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Security","System" -EventID 7001,7034 -SmtpServer "smtp.office365.com" -To "me","admin01" -From "DoNotReply@..." -Subject "Eventlog daily check - RemoteServer 7001, 7034, 7036"
      
      Thanks
  • I am getting an error when I run the function.
    2 Posts | Last post March 22, 2017
    • Hi, 
      
      I am getting following error while running the function:
      
      PS C:\Users\dpushkarna> Export-OSCEvent -Path "C:\Eventlog.csv" -SmtpServer "smtpgate.wiley.com" -Subject "Eventlog dail
      y check" -From "dpushkarna@wiley.com" –To "dpushkarna@wiley.com" -LogName "TIS_Log" -EventID "0"
      Export-Csv : The process cannot access the file 'C:\Eventlog.csv' because it is being used by another process.
      At C:\Users\dpushkarna\ExportEvent.ps1:114 char:240
      + ... eInformation | Export-Csv $Path -NoTypeInformation
      +                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
          + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
      
      Although the Get-WinEvent command is working fine separately
      
      Get-WinEvent -LogName $LogName -MaxEvents 1000 -EA SilentlyContinue | Where-Object {$_.LevelDisplayName -eq "Error" -and $_.Timecreated -gt (Get-date).AddHours(-200)} | Sort TimeCreated -Descending | Export-Csv $Path -NoTypeInformation
      
      Please guide.
      
      Thanks
      Deepak
    • I found the mistake I was doing.. I added Export-Csv $Path -NoTypeInformation
      twice in my script, which was causing this issue.
      
      Although, with the default script I am not able to get Messages or Alert Message in my CSV file:
      2017-03-17 03:46:45,250 [4] ERROR Source App: efSimpleAuto.exe, Message: ePortal: ePortal LumiSoft.Net.IMAP.Client.IMAP_ClientException: 00001 NO LOGIN failed.
      
      Please help.
      
      Thanks in advance.
      
      Regards.
      Deepak
  • Export file is not csv
    1 Posts | Last post March 22, 2017
    • Hello,
      
      I don't understand i cant get a real csv file.
      My file is like this:
      "Message","Id","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","TimeCreated","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties"
      "Une tentative d?acc?s ? un objet a ?t? effectu?e.
      
      Sujet?:
      	ID de s?curit??:		S-1-5-21-2784581794-1939148262-3266039262-1319
      	Nom du compte?:		goe1
      	Domaine du compte?:		GRPMETALIS
      	ID d?ouverture de session?:		0xD2CB51A
      
      Objet?:
      	Serveur de l?objet?:		Security
      	Type d?objet?:		File
      	Nom de l?objet?:		E:\tcenter\ETUDES PROCESS\ETUDES OUTILS\16\12796SCHNEIDER\DXF\12796-2000.dxf
      	ID du handle?:		0x4d44
      	Attributs de ressource?:	S:AI
      
      Informations sur le processus?:
      	ID du processus?:		0x4
      	Nom du processus?:		
      
      Informations sur la demande d?acc?s?:
      	Acc?s?:		Lecture donn?es (ou liste de r?pertoire)
      				
      	Masque d?acc?s?:		0x1","4663","1",,"0","12800","0","-9214364837600034816","40246098","Microsoft-Windows-Security-Auditing","54849625-5478-4994-a5ba-3e3b0328c30d","Security","764","772","SRVCT.grpmetalis.priv",,"21/03/2017 19:49:20",,,"security","System.UInt32[]","System.Diagnostics.Eventing.Reader.EventBookmark","Information","Informations","Syst?me de fichiers","System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]","System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]"
      
      Somebody know why.
      I'm on 2012 R2
      
      Thanks in advance
      
  • it doesn't work
    6 Posts | Last post November 23, 2016
    • hi! good morning. i have changed my script to my data, but it doesn't work. i run the script like this:  C:\Users\administrador\Desktop> .\ExportEvent.ps1 but it seemm that it all ok but i don't receive any mail and it doesn't create the csv file. where i change parametres like  "Path"?
      thanks
    • when i can get help, i received this message: PS C:\Users\administrador\Desktop> Get-Help Export-OSCEvent -Full
      Get-Help : Cannot find Help for topic "Export-OSCEvent".
      At line:1 char:9
      + Get-Help <<<<  Export-OSCEvent -Full
          + CategoryInfo          : ResourceUnavailable: (:) [Get-Help], HelpNotFoun
         dException
          + FullyQualifiedErrorId : HelpNotFound,Microsoft.PowerShell.Commands.GetHe
         lpCommand
    • Good question. Maybe there is no help for this script.
    • But it looks like it's telling you it cannot find the standard PowerShell help. Interesting - not sure about that one.
    • Ok so from the tutorial I noticed a few things missing. 
      
      1.) We need to import this as a module or add the function every time we run it. 
      
      
      2.) This has to be ran as an administrator to access c:\eventlog.csv
      
      I will be working on improving this script.
      
      
    • Hi,
      
      The help content exists. Please run ". ./ExportEvent.ps1" in your powershell console, do not forget the first period in the command. Then run "Get-help Export-OSCEvent", you will see the help of this command.
  • Is the Script broken?
    3 Posts | Last post November 23, 2016
    • So far I have been able to get it to run by importing the script as a module each time, but when adding the switches it seems not be able to run due to line 113.
      
      Get-WinEvent -FilterXPath "*[System[($EventIDRequirement)  and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]"
      
      That portion seems to be wrong. No matter what eventID I use it fails. Here's an example of the failure.
      
      Get-WinEvent : The data is invalid
      At C:\temp\exportevent\exportevent.ps1:113 char:3
      +         Get-WinEvent -FilterXPath "*[System[($EventIDRequirement)  and TimeCreated[tim ...
      +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
          + FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand
      
      But I will say it can definitely see the event log, because here is another event ID I tried.
      
      Get-WinEvent : No events were found that match the specified selection criteria.
      At C:\temp\exportevent\exportevent.ps1:113 char:3
      +         Get-WinEvent -FilterXPath "*[System[($EventIDRequirement)  and TimeCreated[tim ...
      +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
          + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
      
      So it's something with how the filters are applied or how the variable $EventIDRequirement is defined.
    • I found the issue! Took me a better part of 4 hours, but I got it.
      
      The original script is missing a switch. Below is the original on line 113.
      Get-WinEvent -FilterXPath "*[System[($EventIDRequirement)  and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" | Export-Csv $Path -NoTypeInformation
      
      This is what it should be.
      
      Get-WinEvent -LogName $Logname -FilterXPath "*[System[($EventIDRequirement)  and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" | Export-Csv $Path -NoTypeInformation
      
      I added another Parameter at the beginning for the user to enter the LogName to search. Something like this.
      
      [Parameter(Mandatory=$true,Position=1)]
      [String]$Logname,
      
      Just add it in to the already built parameters and adjust the numbering forward. Still haven't been able to streamline how to run it without import-module from the root of the script, but at least it's running now.
    • Hi RobertMLee,
      
      Since the query pattern in -FilterXPath is invalid in original script, we change the solution to use the linq. Please download the latest version in attachment. And thank you for your advice, in new script we add the -LogName parameter to identify the target of the log to search.
  • Como enviar al correo el contenido del evento 4740
    1 Posts | Last post November 24, 2014
    • Cordial saludo,
      
      El objetivo es que inmediatamente se genere un evento de bloqueo de una cuenta, me envie al correo el nombre del usuario que se bloqueo.
      
      
      gracias