Unable to export Windows event log using PowerShell


We are trying to export a specific event ID from the event log to a report. We found this template PowerShell script from Microsoft and modified it. It ran without any errors but does not create the event log file.

function Export-OSCEvent
{
<#
    .SYNOPSIS
        The Export-OSCEvent command will export eventlog with specified event ID to a CSV file, 
        and then send it to administrators.

    .DESCRIPTION
        The Export-OSCEvent command will export eventlog with specified event ID to a CSV file, 
        and then send it to administrators.
        Only log created in last 24 hours, will be exported. 

    .PARAMETER Path
        Specifies the path to the CSV output file. The parameter is required.   
    .PARAMETER EventID
        Indicates which event to monitor or collect.    
    .PARAMETER SmtpServer
        Specifies the name or IP of the SMTP server that sends the e-mail message.
    .PARAMETER To
        Specifies the addresses to which the mail is sent. Enter names (optional) and the e-mail address, such as "Name
        <[email protected]>". This parameter is required.
    .PARAMETER From
        Specifies the address from which the mail is sent. Enter a name (optional) and e-mail address, such as "Name 
        <[email protected]>". This parameter is required.
    .PARAMETER Subject
        Specifies the subject of the e-mail message. This parameter is required.
    .PARAMETER Body
         Specifies the body (content) of the e-mail message.
    .EXAMPLE
        PS C:\> Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Security","System" -EventID 4634 -SmtpServer "Ex01"`
                -From "[email protected]" -To "[email protected]" -Body "Daily Check"

        Description
        -----------
        This command collect event log with event id 4634, and export to "C:\Eventlog.csv".
        Then send it to "[email protected]" via smtp server "Ex01"

    .EXAMPLE
        PS C:\> Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Security","System" -EventID 4634,4624 -SmtpServer "Ex01"`
                -Subject "Eventlog daily check" -From "[email protected]" `
                -To "[email protected]","[email protected]"

        Description
        -----------
        This command collect event log with event id 4634 or 4624, and export to "C:\Eventlog.csv".
        Then send it to David and administrator via smtp server "Ex01"
    .LINK
        Windows PowerShell Advanced Function
        http://technet.microsoft.com/en-us/library/dd315326.aspx
    .LINK
        Send-MailMessage
        http://technet.microsoft.com/en-us/library/hh849925
    .LINK
        Export-Csv
        http://technet.microsoft.com/library/hh849932.aspx
    .LINK
        Get-WinEvent
        http://technet.microsoft.com/en-us/library/hh849682.aspx    
#>
[CmdletBinding()]
param
(
    [Parameter(Mandatory=$True,Position=0)]
    [String]$Path,
    [Parameter(Mandatory=$True,Position=1)]
    [String[]]$LogName,
    [Parameter(Mandatory=$True,Position=2)]
    [String[]]$EventID,
    [Parameter(Mandatory=$False,Position=3)]
    [String]$SmtpServer,
    [Parameter(Mandatory=$False,Position=4)]
    [String[]]$To,
    [Parameter(Mandatory=$False,Position=5)]
    [String]$From,
    [Parameter(Mandatory=$False,Position=6)]
    [String]$Subject="Eventlog daily check",
    [Parameter(Mandatory=$False,Position=7)]
    [String]$Body="Eventlog daily check, detail report is attached."
)
process
{
    #check whether path is correct
    try
    {
        $TempPath=Split-Path $Path
        if (-not (Test-Path $TempPath))
        {
            New-Item -ItemType directory -Path $TempPath -ErrorAction Stop  |Out-Null
        }
    }
    catch
    {
        Write-Error -Message "Could not create path '$Path'. Please make sure you have enough permission and the format is correct."
        return
    }
    #export a certain eventlog with specified log name and event ID for last 24 hours. 
    Get-WinEvent -LogName $LogName -MaxEvents 1000 -EA SilentlyContinue | Where-Object {$_.id -in $EventID -and $_.Timecreated -gt (Get-date).AddHours(-24)} | Sort TimeCreated -Descending | Export-Csv $Path -NoTypeInformation

    Send-MailMessage -From $From -To $To -SmtpServer $SmtpServer -Subject $Subject -Body $Body -Attachments $Path
} 
}

Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Security","System" -EventID 4634

There are 0 answers
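
An added example, not part of the original question or the Microsoft template: the same 24-hour export done with `Get-WinEvent -FilterHashtable`, with per-log errors reported instead of suppressed by `-EA SilentlyContinue`, so an unreadable log or an empty result is visible. The function name `Export-FilteredEvent`, the `-Hours` parameter, the selected columns and the `$env:TEMP` output path are assumptions made for illustration.

```powershell
# Added example; Export-FilteredEvent is a hypothetical name, not the Microsoft template.
function Export-FilteredEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$LogName,
        [Parameter(Mandatory)][int[]]$EventID,
        [int]$Hours = 24
    )
    $start  = (Get-Date).AddHours(-$Hours)
    $events = foreach ($log in $LogName) {
        try {
            # The filter is applied by the event log service itself, so matching
            # events cannot fall outside a "newest 1000 events" window.
            Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventID; StartTime = $start } -ErrorAction Stop
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                Write-Verbose "No matching events in '$log'."
            }
            else {
                # For example, reading the Security log from a non-elevated session.
                Write-Warning "Could not read '$log': $($_.Exception.Message)"
            }
        }
    }
    if (-not $events) {
        Write-Warning "No events matched; '$Path' was not written."
        return 0
    }
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName, MachineName, Message |
        Export-Csv -Path $Path -NoTypeInformation
    return @($events).Count
}

# Constructed invocation: writes to the user's temp folder (assumed path).
$out = Join-Path $env:TEMP 'Eventlog.csv'
$n = Export-FilteredEvent -Path $out -LogName 'Application','Security','System' -EventID 4634,4624 -Verbose
"Exported $n event(s) to $out"
```

Run it from an elevated session if the Security log is among the logs queried; otherwise the warning for that log shows why nothing was collected from it.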