Script to collect all event logs off a remote Windows 7 / Server 2008 machine

Unfortunately I often have to work over slow network links, and in my experience MMC snap-ins such as Event Viewer are terrible over slow links, with many hangs and plentiful "not responding"s. I hate to waste a user's time by remote controlling their machine just to view event logs. Following my motto "yes you can do it with batch files", here's a simple batch file I use to capture all the event logs of a machine for offline viewing. It works on Windows Server 2008 R2 / Windows 7 machines, and I expect it would work on Vista, but it won't work on XP, which doesn't ship wevtutil. The batch file is built around the wevtutil command, which has the following command options:

Windows Events Command Line Utility.

Enables you to retrieve information about event logs and publishers, install
and uninstall event manifests, run queries, and export, archive, and clear logs.

Usage:

You can use either the short (for example, ep /uni) or long (for example,
enum-publishers /unicode) version of the command and option names. Commands,
options and option values are not case-sensitive.

Variables are noted in all upper-case.

wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]

Commands:

el | enum-logs          List log names.
gl | get-log            Get log configuration information.
sl | set-log            Modify configuration of a log.
ep | enum-publishers    List event publishers.
gp | get-publisher      Get publisher configuration information.
im | install-manifest   Install event publishers and logs from manifest.
um | uninstall-manifest Uninstall event publishers and logs from manifest.
qe | query-events       Query events from a log or log file.
gli | get-log-info      Get log status information.
epl | export-log        Export a log.
al | archive-log        Archive an exported log.
cl | clear-log          Clear a log.

Common options:

/{r | remote}:VALUE
If specified, run the command on a remote computer. VALUE is the remote computer
name. Options /im and /um do not support remote operations.

/{u | username}:VALUE
Specify a different user to log on to the remote computer. VALUE is a user name
in the form domain\user or user. Only applicable when option /r is specified.

/{p | password}:VALUE
Password for the specified user. If not specified, or if VALUE is "*", the user
will be prompted to enter a password. Only applicable when the /u option is
specified.

/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]
Authentication type for connecting to remote computer. The default is Negotiate.

/{uni | unicode}:[true|false]
Display output in Unicode. If true, then output is in Unicode.

To learn more about a specific command, type the following:

wevtutil COMMAND /?

The script I've written uses the "el" (enumerate logs) command to list every log on the machine, then "epl" (export log) to export each one to its own .evtx file.

Just copy the text below and save it as a .cmd file, making sure your editor keeps the plain ASCII quote characters (if they are turned into curly quotes the script fails with "The filename, directory name, or volume label syntax is incorrect" or "\ö was unexpected at this time"). Run it and type the name of the remote computer you want (or press Enter for the current PC). For a remote machine the account you run it as must be a local administrator there, and if the Windows firewall is on, the Remote Event Log Management exception must be enabled. Note that when /r: is used, wevtutil epl creates the exported .evtx on the remote machine, not on the one you run the script from, so the export path has to be valid on the remote side and the file then has to be copied back (for example through the C$ admin share). When you're all done you'll have a nice collection of event logs. Happy Event Viewing.

Script available here: http://tiange.com.au/GetEventLogs.zip

@echo off
REM GetEventLogs.cmd by Malcolm McCaffery
SETLOCAL ENABLEDELAYEDEXPANSION

SET /P remotePC=Please type remote computer name or blank for local computer:
IF "%remotePC%"=="" SET remotePC=%computername%

REM change this to wherever you want to output the logs
REM (SET "VAR=value" keeps the surrounding quotes out of the value itself)
SET "OUTPUTDIR=%UserProfile%\Desktop\Logs\%remotePC%"
IF NOT EXIST "%OUTPUTDIR%" MD "%OUTPUTDIR%"
pushd "%OUTPUTDIR%"

REM With /r, wevtutil epl creates the export file on the REMOTE machine, so
REM write it to a folder there and pull it back through the admin share.
REM That C:\Windows\Temp exists and is writable on the remote is an assumption.
SET "REMOTETEMP=C:\Windows\Temp"
SET "REMOTESHARE=\\%remotePC%\C$\Windows\Temp"

echo Get ALL Event Logs on System
REM "delims=" keeps the whole line, so names with spaces (e.g. Windows PowerShell) survive
for /F "delims=" %%i IN ('wevtutil el /r:%remotePC%') DO (
  REM turn Microsoft-Windows-Foo/Operational into a file-name-safe Foo-Operational
  for /F "tokens=1,2 delims=/" %%j IN ("%%i") DO (
    IF "%%k"=="" (
      SET "OUTPUTFILE=%remotePC%-%%j.evtx"
    ) ELSE (
      SET "OUTPUTFILE=%remotePC%-%%j-%%k.evtx"
    )
  )
  REM ask for the record count before exporting: the size of the exported file
  REM cannot tell an empty log from one with a few events, because EVTX files
  REM are allocated in 64 KB chunks (an empty export is 69,632 bytes, and so
  REM is one holding only a handful of records)
  SET RECORDS=0
  for /F "tokens=2 delims=: " %%n IN ('wevtutil gli "%%i" /r:%remotePC% 2^>nul ^| findstr /I "numberOfLogRecords"') DO SET RECORDS=%%n
  IF "!RECORDS!"=="0" (
    echo Skipping %%i ^(no records or not readable^)
  ) ELSE (
    echo Retrieving Log %%i ^(!RECORDS! records^)
    IF /I "%remotePC%"=="%computername%" (
      wevtutil epl "%%i" "!OUTPUTFILE!" /ow:true
    ) ELSE (
      wevtutil epl "%%i" "%REMOTETEMP%\!OUTPUTFILE!" /ow:true /r:%remotePC%
      move /Y "%REMOTESHARE%\!OUTPUTFILE!" "!OUTPUTFILE!" >nul
    )
  )
)

popd
echo.
echo Completed - events stored in %OUTPUTDIR%
pause


About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

24 Responses to Script to collect all event logs off a remote Windows 7 / Server 2008 machine

  1. Pingback: Monitor all event logs centrally?

  2. Krish says:

    Hi ,
    Wondering about running the GetEventLogs.cmd batch file. You did a great job with a small script.
    I need a small favour from your side.
    I want to retrieve Event logs by wevtutil command for remote machine the command i used is wevtutil qe System /r:Servename /u:Domain\userid /p:Password
    If I run this command I get the error message "Failed to open event query. Access is denied."
    Can you please help me in resolving my problem.

    Thank you,
    Krish.

    • 1) account must be in local Administrators group on remote machine
      2) Remote Event Log Management exception should be enabled on remote machine if Windows firewall is on

      Have you checked these items?

  3. Shekhar says:

    Would be nice to get the “%remotePC% variable from a text file having a list of all the desktop/servers.

  4. I think you should be able to use a for loop.

    FOR /F %%i IN (listofPCs.txt) DO (
    set remotePC=%%i
    REM do stuff here
    )

  5. James says:

    Example: I have 10 servers and want to collect all logs in one place for physical backup.
    Am I correct in understanding that this batch file will not accomplish what I want? It appears to dump all logs on each server its local hard drive, and that then I would need another mechanism to collect all of the logs onto one system for burning to CD.
    I have been trying to have wevtutil epl export it to a mapped drive, but have had no success so far.

  6. Veronica says:

    THANK YOU! I used for my local computer and it has saved me hours of exporting all events channel by channel.

    Again, thanks

  7. tfhdc says:

    Thank you for this tip! I'm new to using wevtutil. When I attempt to run this script, I get the output noted below. I'm still playing around with wevtutil, and can export only one particular log at a time manually from a command prompt, so I would love to get your shared script working. I tried from Windows 2008 R2, Win7 and Win8.1 machines with no luck.

    Please type remote computer name or blank for local computer:{COMPUTERNAME}
    The filename, directory name, or volume label syntax is incorrect.
    The filename, directory name, or volume label syntax is incorrect.
    Get ALL Event Logs on System
    \ö was unexpected at this time.

    • tfhdc says:

      Got it working. The copy and paste was resulting in the "wrong" quotation marks being used in Notepad prior to saving with the *.cmd extension. Thanks for this great script!

  8. Nathan says:

    Hi Malcolm, I am getting an error in cmd when running the script:

    The System cannot find the path specified
    Get ALL Event Logs on System
    \ôÇØ was unexpected at this time

    An empty folder is placed in the location as below:

    C:\Users\Nathan.jones\Desktop\Log\ÔÇØNathan.jones\Desktop\LogÔÇØ

    Script section:

    REM change this to wherever you want to output the logs
    SET OUTPUTDIR="Nathan.jones\Desktop\Log"

    IF NOT EXIST %OUTPUTDIR% MD %OUTPUTDIR%

    pushd "%OUTPUTDIR%"

    echo Get ALL Event Logs on System
    for /F "delims=\" %%i IN ('wevtutil el /r:%remotePC% /u:USER /p:PASSWORD') DO (
    echo Retreving Log %%i
    for /F "tokens=1,2 delims=/" %%j IN ("%%i") DO (
    IF "%%k" EQU "" (
    SET OUTPUTFILE=%computername%-%%j.evtx
    ) ELSE (
    SET OUTPUTFILE=%computername%-%%j-%%k.evtx
    )
    )
    wevtutil epl "%%i" "!OUTPUTFILE!" /ow:true /r:%remotePC%
    )

    Any help would be great!

    • Edisson Garcia says:

      Hi Nathan, I get the same problem. In my case I had copied all the script and pasted it into a text file, but I didn't notice that the " and ' characters were different from the intended ones. I replaced all " and ' manually in the txt file and the script works fine. I believe the problem is the conversion from web page characters to the txt file characters.

      Regards

      Edisson

  9. Adam Gilman says:

    Thanks for the script. It doesn't completely work for me though. It queries the remote machine to get all the event logs, but fails on the export for each. Ex.

    Retreving Log System
    Failed to export log System. The system cannot find the path specified.

    I’m assuming the failure is coming from the wevtutil epl command. The output directory is created correctly. I have admin permissions to the remote computer.

    • RK says:

      I have the same issue. It tries to put it on the remote machine.
      When I run the command manually
      wevtutil epl Security "C:\Security-test.evtx" /ow:true /r:CompName001
      it saves it to the CompName001 C drive, not the computer I am running the command from.

  10. Matt Bailey says:

    I can only get this working locally. Also, shouldn't the following lines use %remotePC% instead of %computername%?

    SET OUTPUTFILE=%computername%-%%j.evtx
    ) ELSE (
    SET OUTPUTFILE=%computername%-%%j-%%k.evtx
    )

    I have noticed that the normal eventlog won’t let you export .evtx from a remote system, does wevtutil have the same limitation?
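The following is an added example and not part of the original post or its script. It does what comments 3 to 5 ask for (take the machine names from a text file and collect every log into one local folder tree, one folder per host) and works around the problem reported in comments 9 and 10: with /r:, wevtutil epl creates the .evtx on the remote host, so the file has to be exported to a folder there and pulled back. The file name listofPCs.txt, the C:\Windows\Temp folder on the remote side and the C$ admin share are assumptions; the account running it must be a local administrator on each target with the Remote Event Log Management firewall rule open.

```powershell
<#
Added example, not the blog's script: collect every non-empty event log from
a list of machines into one local folder tree (one folder per host) and work
around "wevtutil epl ... /r:HOST" creating the .evtx on HOST rather than on
the machine running the command. Assumptions (all hypothetical): the account
running this is a local administrator on each target, the Remote Event Log
Management firewall rule is open, the C$ admin share is reachable, and
C:\Windows\Temp exists and is writable on the target.
#>
param(
    [string] $ComputerList = '.\listofPCs.txt',             # one host name per line
    [string] $OutputRoot   = "$env:USERPROFILE\Desktop\Logs",
    [string] $RemoteTemp   = 'C:\Windows\Temp'              # path as seen ON the remote host
)

function Get-ExportedRecordCount {
    param([string]$EvtxPath)
    # Read the file header instead of trusting the size: EVTX allocates 64 KB
    # chunks, so a log with a handful of events is as big as an empty one.
    $count = 0
    foreach ($line in (& wevtutil.exe gli $EvtxPath /lf:true)) {
        if ($line -match '^numberOfLogRecords:\s*(\d+)') { $count = [int]$Matches[1] }
    }
    return $count
}

function Export-RemoteEventLogs {
    param([string]$Computer, [string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # C:\Windows\Temp -> \\host\C$\Windows\Temp ('$$' is a literal $ in -replace)
    $share = "\\$Computer\" + ($RemoteTemp -replace ':', '$$')

    # -ListLog reports RecordCount, so empty logs are skipped before any export.
    $logs = Get-WinEvent -ListLog * -ComputerName $Computer -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }

    foreach ($log in $logs) {
        $file      = "$Computer-" + ($log.LogName -replace '[\\/]', '-') + '.evtx'
        $localPath = Join-Path $Destination $file

        if ($Computer -ieq $env:COMPUTERNAME) {
            & wevtutil.exe epl $log.LogName $localPath /ow:true
        } else {
            # Export to a folder on the remote machine, then pull it back here.
            & wevtutil.exe epl $log.LogName (Join-Path $RemoteTemp $file) /ow:true "/r:$Computer"
            if ($LASTEXITCODE -eq 0) {
                Move-Item -Path (Join-Path $share $file) -Destination $localPath -Force
            }
        }
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$Computer : export of '$($log.LogName)' failed"
            continue
        }
        [pscustomobject]@{
            Computer = $Computer
            Log      = $log.LogName
            Expected = $log.RecordCount           # count at enumeration time
            Exported = Get-ExportedRecordCount -EvtxPath $localPath
            File     = $localPath
        }
    }
}

$targets = Get-Content $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$summary = foreach ($pc in $targets) {
    Export-RemoteEventLogs -Computer $pc -Destination (Join-Path $OutputRoot $pc)
}
$summary | Format-Table -AutoSize
```

Save it as, say, Collect-EventLogs.ps1 and run it from an elevated PowerShell prompt as an account that is an administrator on every host in the list. The Expected and Exported columns will differ slightly for busy logs (System, Security) that keep writing between enumeration and export; a large difference, or an Exported value of 0, means the pull-back failed and is worth a look.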

  11. sudeep gorhe says:

    hello all
    I am getting this error for local computer
    Please type remote computer name or blank for local computer:
    The filename, directory name, or volume label syntax is incorrect.
    The filename, directory name, or volume label syntax is incorrect.
    do I have to create any directories by myself?

    thanks in advance
    sudeep

  12. Rami says:

    Thank you Chentiangemalc for your work,
    The script worked for me after I changed the characters: (", ', -)
    I was wondering how can we specify the events created in last 72 hours (3 days) ? I mean export only the events that have been logged in last 72 hours?

  13. Rami says:

    Thank you for your script
    I was wondering if we could export events in specific time , i.e: last 72 hours ?

  14. arshad says:

    Hi chentiangemalc & team,
    I need you all help to get usefull batch script .. i need batch file that should be exports event logs which means all logs Application, Security, Setup,System this 4 logs in evtx format and text format can you help me to get this .once i run the batch file all this windows logs should be like below format.

  15. arshad says:

    Hi chentiangemalc,
    Thank you for your script, it is very helpful to me. I need a small favour from you.
    I want these logs in .txt format as well. Can you help me with this? I tried changing the extension, but that output was not clear. Please help me get these logs in txt format also.
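An added example, not part of the original post, that answers Rami's question (comments 12 and 13: only the events of the last 72 hours) and arshad's (comments 14 and 15: the four classic logs as readable text as well as .evtx). The time window is expressed as an Event Log XPath filter passed to wevtutil with /q:, which both qe and epl accept. Because wevtutil qe prints to standard output, its text can be redirected on the machine you run it from even when /r: points at a remote host, which sidesteps the remote-path problem of epl for the text copies. The output folder and the default list of log names are assumptions.

```powershell
<#
Added example, not the blog's script: export only the last N hours (72 by
default) from the four classic logs, as readable text and, when run against
the local machine, as a filtered .evtx. Assumptions (hypothetical): you can
read the logs on $Computer and the output folder is local.
#>
param(
    [string]   $Computer  = $env:COMPUTERNAME,
    [int]      $Hours     = 72,
    [string[]] $LogNames  = @('Application', 'Security', 'Setup', 'System'),
    [string]   $OutputDir = "$env:USERPROFILE\Desktop\Logs\$Computer"
)

function New-TimeWindowQuery {
    param([int]$Hours)
    # Event Log XPath: timediff(@SystemTime) is the age of the event in
    # milliseconds, so "<= 259200000" means "logged within the last 72 hours".
    $ms = [int64]$Hours * 3600 * 1000
    return "*[System[TimeCreated[timediff(@SystemTime) <= $ms]]]"
}

function Export-RecentEvents {
    param([string]$Computer, [string]$LogName, [int]$Hours, [string]$OutputDir)
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $query = New-TimeWindowQuery -Hours $Hours
    $stem  = Join-Path $OutputDir "$Computer-$LogName-last${Hours}h"

    # Text rendering of just the matching events, written to a LOCAL file:
    # qe writes to stdout, so /r: does not move the output to the remote host.
    & wevtutil.exe qe $LogName "/q:$query" /f:text "/r:$Computer" |
        Set-Content -Path "$stem.txt" -Encoding UTF8
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Computer/$LogName : query failed" }

    # epl takes the same /q: filter, but with /r: the .evtx is created on the
    # remote host, so only write it here when the target is this machine.
    if ($Computer -ieq $env:COMPUTERNAME) {
        & wevtutil.exe epl $LogName "$stem.evtx" "/q:$query" /ow:true
    }
    return $stem
}

foreach ($log in $LogNames) {
    Export-RecentEvents -Computer $Computer -LogName $log -Hours $Hours -OutputDir $OutputDir
}
```

Run it as .\Export-RecentEvents.ps1 -Computer SERVER01 -Hours 72. The same window can be expressed without wevtutil as Get-WinEvent -ComputerName SERVER01 -FilterHashtable @{LogName='System'; StartTime=(Get-Date).AddHours(-72)}, which pulls the events into the local session and can be piped to Export-Csv; the wevtutil form is kept here because it produces the same text layout as the command line and a genuine .evtx that Event Viewer can open.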

  16. Jitendra Nevrekar says:

    Hi chentiangemalc,

    Please share a script/batch file to export the IIS VD list from remote Server 2008 & 2012 machines.

  17. muni sai kumar says:

    Code is not executing for Windows 2012. Can anyone please help?

    • I would use PowerShell for this, there are many examples online to get Windows Event logs, or if you can map to windows drive you could copy the files direct \\server01\c$\windows\system32\winevt\logs
