However, what we really want to do is dump the log the same way it would be dumped if you went into the event log menu, right-clicked on the event log, and selected 'Save log file as'. Psloglist interprets records into a format that is not .evt format. Is there a batchie way to dump event logs?
Also, in psloglist it is unclear how to specify which log you want to operate on. It says there is a switch to do this, 'eventlog', but it is unclear how to specify it, and nothing that seems logical, like specifying 'application' or 'event', seems to work. The help HTML which came with the program is also no help.
We can't just copy c:\winnt\system32\config\AppEvent.evt (or the sys or sec .evt's) because they are always marked in-use and can't be copied. For the same reason, we can't clear them by renaming/reallocating them.
The other thing is that after dumping the log we want to clear it. If we could figure out the switch in psloglist that would specify which event log, we might be able to use it for clearing event logs.
Clear event log:
There is probably an API call to save it, maybe see:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216089
Here is a part of a script to clear and back up event logs. The error handling routines are left out; you can add them if you want to.
; How to do it:
; 1 - Open specified eventlog (Application, Security, System)
; 2 - Clear (and Backup) eventlog
; 3 - Close eventlog
; Note:
; Make sure backup file does not exist already, otherwise DllCall will fail!

#DefineFunction OpenEventLog(dllhandle, computername, sourcename)
   ; The OpenEventLog function opens a handle to an event log.
   ; Declare Function OpenEventLog Lib "advapi32.dll" Alias "OpenEventLog"
   ;    (ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long
   eventloghandle = DllCall(dllhandle, LONG:"OpenEventLogA", lpstr:computername, lpstr:sourcename)
   Return(eventloghandle)
#EndFunction

#DefineFunction CloseEventLog(dllhandle, evthandle)
   ; The CloseEventLog function closes a read handle to the specified event log.
   ; Declare Function CloseEventLog Lib "advapi32.dll" Alias "CloseEventLog"
   ;    (ByVal hEventLog As Long) As Long
   closeevt = DllCall(dllhandle, LONG:"CloseEventLog", long:evthandle)
   Return(closeevt)
#EndFunction

#DefineFunction ClearEventLog(dllhandle, evthandle, backup_filename)
   ; The ClearEventLog function clears the specified event log, and optionally
   ; saves the current copy of the logfile to a backup file.
   ; If the lpBackupFileName parameter is NULL, the current event logfile is not backed up.
   ; Declare Function ClearEventLog Lib "advapi32.dll" Alias "ClearEventLogA"
   ;    (ByVal hEventLog As Long, ByVal lpBackupFileName As String) As Long
   If backup_filename == ""
      result = DllCall(dllhandle, LONG:"ClearEventLogA", long:evthandle, lpnull)
   Else
      result = DllCall(dllhandle, LONG:"ClearEventLogA", long:evthandle, lpstr:backup_filename)
   Endif
   Return(result)
#EndFunction

computername = ItemExtract(1, WinSysInfo(), @tab)
dllname = StrCat(DirWindows(1), "advapi32.dll")
dllhandle = DllLoad(dllname)
sourcename = "Application"
backup_filename = "C:\Backups\Application.evt"

; Now check if backup file already exists. If it does, first delete/move the
; backup file, because ClearEventLogA refuses to overwrite an existing file.
If FileExist(backup_filename)
   Message("Clear event log", "Backup file already exists: %backup_filename%")
   DllFree(dllhandle)
   Exit
Endif

evthandle = OpenEventLog(dllhandle, computername, sourcename)
backupresult = ClearEventLog(dllhandle, evthandle, backup_filename)
closeevt = CloseEventLog(dllhandle, evthandle)
DllFree(dllhandle)
Exit
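As an added example, not code from the original article or from WinBatch, the same backup-then-clear operation in PowerShell through the .NET EventLogSession wrapper (Vista and later; the backup is written as .evtx), which is the managed counterpart of calling ClearEventLogA with a backup file name. The log name and backup folder are placeholders, and the script assumes an elevated session.

```powershell
# Added example, not code from the original article or from WinBatch: back up a
# log to an .evtx file and then clear it with the .NET EventLogSession API, the
# managed equivalent of the advapi32 ClearEventLogA call with a backup file name.
# Needs an elevated session (SeSecurityPrivilege for the Security log).
# $LogName and $BackupDir are placeholders.
param(
    [string]$LogName   = 'Application',
    [string]$BackupDir = 'C:\Backups'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# The clear-with-backup call fails if the target file already exists (the same
# caveat the WinBatch script notes), so build a timestamped name and still check.
$stamp      = Get-Date -Format 'yyyyMMdd_HHmmss'
$backupPath = Join-Path $BackupDir ('{0}_{1}_{2}.evtx' -f $env:COMPUTERNAME, $LogName, $stamp)
if (Test-Path -LiteralPath $backupPath) {
    throw "Backup file already exists, refusing to clear: $backupPath"
}

# ClearLog(logName, backupPath) writes the current contents to backupPath first
# and only then empties the live log; a log whose backup cannot be written is
# left untouched. The saved file opens in Event Viewer like any other log.
$session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
$session.ClearLog($LogName, $backupPath)

# Sanity-check that the backup is readable before relying on it as the only copy.
$saved = @(Get-WinEvent -Path $backupPath -MaxEvents 1 -ErrorAction SilentlyContinue)
if ($saved.Count -eq 0) {
    Write-Warning "Backup $backupPath contains no readable events (the log may have been empty)."
}
"Cleared $LogName; backup written to $backupPath"
```

Clearing a log is itself recorded: on Vista and later the Security log gets event ID 1102 and the System log gets event ID 104 for every other log, so a detection rule on those IDs sees scheduled clears from a script like this exactly as it sees a manual clear in Event Viewer. Keep the backup folder on storage the clearing account cannot delete from, since the .evtx file becomes the only copy of those records.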
Locator = ObjectOpen("WbemScripting.SWbemLocator")
; can be run from a central location, so this can be machine.domain.com
computer = ""
;user = "username"
;password = "password"
machine = ItemExtract(1, computer, ".")
If machine == "" Then machine = Environment("COMPUTERNAME")
log = "security" ; system, application, etc..
file = StrCat(DirGet(), "%machine%_%log%.txt")
fhW = FileOpen(file, "WRITE")
Service = Locator.ConnectServer(computer) ; can take user, password as parameters as well
Security = Service.Security_
Security.ImpersonationLevel = 3
Privs = Security.Privileges
Privs.AddAsString("SeSecurityPrivilege") ; this is VERY important if you want to dump security logs!
query = "Select * from Win32_NTLogEvent WHERE logfile='%log%'"
events = Service.ExecQuery(query)
hEnum = ObjectCollectionOpen(events)
counter = 0
While @TRUE
   event = ObjectCollectionNext(hEnum)
   If event == 0
      Message("", "the end")
      Break
   Endif
   counter = counter + 1
   source = event.SourceName
   type = event.EventType
   eventcomputer = event.ComputerName
   time = ItemExtract(1, event.TimeWritten, ".") ; or TimeGenerated?
   eventid = event.EventCode
   user = event.User
   event_message = event.Message
   category = event.CategoryString
   Select type
      Case 1
         type = "Error"
         Break
      Case 2
         type = "Warning"
         Break
      Case 3
         type = "Information"
         Break
      Case 4
         type = "Audit Success"
         Break
      Case 5
         type = "Audit Failure"
         Break
   EndSelect
   If category == "" Then category = "None"
   If user == "" Then user = "NA"
   ; format the time a little (WMI gives yyyymmddhhmmss.micros+offset; ItemExtract above dropped the offset)
   year = StrSub(time, 1, 4)
   month = StrSub(time, 5, 2)
   day = StrSub(time, 7, 2)
   hour = StrSub(time, 9, 2)
   minute = StrSub(time, 11, 2)
   second = StrSub(time, 13, 2)
   time = StrCat(year, ":", month, ":", day, ":", hour, ":", minute, ":", second)
   line = StrCat(category, ", ", source, ", ", type, ", ", eventcomputer, ", ", time, ", ", eventid, ", ", user, ", ", event_message)
   line = StrReplace(line, @CRLF, "")
   FileWrite(fhW, line)
   FileWrite(fhW, "")
   ObjectClose(event) ; release each item fetched with ObjectCollectionNext
EndWhile
; clean up
ObjectCollectionClose(hEnum)
ObjectClose(Security)
ObjectClose(Service)
ObjectClose(Locator)
FileWrite(fhW, "Events Dumped:%counter%")
FileClose(fhW)
Exit
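As an added example, not code from the original article or from WinBatch, the same dump in PowerShell against the Win32_NTLogEvent class the script above queries. It goes a little beyond the script in two places a forensic reader cares about: it keeps the UTC offset that ItemExtract(1, time, ".") throws away, and it writes real CSV so commas and quotes inside messages do not break the columns. The computer name, log name and output folder are placeholders; -EnableAllPrivileges is what supplies SeSecurityPrivilege here, the counterpart of the Privs.AddAsString line.

```powershell
# Added example, not code from the original article or from WinBatch: dump one log
# through the same Win32_NTLogEvent WMI class the script above queries, but keep
# each record's UTC offset and write real CSV instead of a comma-joined line.
# -EnableAllPrivileges is what supplies SeSecurityPrivilege here, the counterpart
# of Privs.AddAsString in the script. Computer, log name and folder are placeholders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$LogName      = 'Application',
    [string]$OutDir       = (Get-Location).Path
)
$ErrorActionPreference = 'Stop'

# CIM_DATETIME looks like 20140718095138.000000+120: local time, six fractional
# digits, then the machine's UTC offset in minutes. Keeping the offset makes the
# timestamps comparable across hosts in different time zones.
function ConvertFrom-CimDateTime([string]$cim) {
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $local   = [datetime]::ParseExact($cim.Substring(0, 21), 'yyyyMMddHHmmss.ffffff', $culture)
    $offset  = [timespan]::FromMinutes([int]$cim.Substring(21))
    return [datetimeoffset]::new($local, $offset)
}

$typeNames = @{ 1 = 'Error'; 2 = 'Warning'; 3 = 'Information'; 4 = 'Audit Success'; 5 = 'Audit Failure' }
$outFile   = Join-Path $OutDir ('{0}_{1}.csv' -f $ComputerName, $LogName)
# WQL string comparison is case-insensitive, so 'security' and 'Security' both match.
$query     = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '$LogName'"

$records = Get-WmiObject -ComputerName $ComputerName -Query $query -EnableAllPrivileges |
    ForEach-Object {
        $t        = [int]$_.EventType
        $typeName = if ($typeNames.ContainsKey($t)) { $typeNames[$t] } else { "Type$t" }
        $category = if ($_.CategoryString) { $_.CategoryString } else { 'None' }
        $user     = if ($_.User) { $_.User } else { 'NA' }
        [pscustomobject]@{
            Category = $category
            Source   = $_.SourceName
            Type     = $typeName
            Computer = $_.ComputerName
            Time     = (ConvertFrom-CimDateTime $_.TimeGenerated).ToString('yyyy-MM-ddTHH:mm:sszzz')
            EventID  = $_.EventCode
            User     = $user
            # Flatten multi-line messages; Export-Csv quotes embedded commas and quotes itself.
            Message  = ($_.Message -replace "`r?`n", ' ')
        }
    }

$records | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
"Events dumped: $(@($records).Count) -> $outFile"
```

Run it from an elevated prompt; without the privilege the Security log simply returns no rows rather than an error, which is why the final count line is worth reading. Any EventType value outside 1 to 5 is written as TypeN instead of silently passing through as a bare number, so an unexpected code is visible in the output.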
Here's a link to a VBS script, "Event Log Backup Solution... This script backs up and clears the events on remote machines, then moves the backed up EVT files back to the server that ran the script. End result is a daily folder containing all listed servers' event logs. Error checking, user notification of events, and event logging of errors and success are also included. A complete solution, for use in AD and NT domains."
http://cwashington.netreach.net/depo/view.asp?Index=690&ScriptType=vbscript
If you go to http://cwashington.netreach.net/main/default.asp?topic=news & put "eventlog" into the "QuickFIND" you'll get several other potentially interesting scripts.
Maybe they can be translated from VBS to winbatch or at least provide a different perspective/starting point.
Article ID: W15981
File Created: 2014:07:18:09:51:38
Last Updated: 2014:07:18:09:51:38