Summary
Have you ever needed to back up event logs for root cause analysis or auditing? Did you access each server and manually export the requested log file?
If yes, I hope you find this script handy.
The script
# Specify which log file
$EventLogName = "Application"

# Path should exist on all servers
$path = "c:\logs"

# Simple server list
$servers = Get-Content C:\logs\servers.txt

# For loop to do the work
foreach ($server in $servers) {
    # This is the WMI call to select the application log from each server
    $logFile = Get-WmiObject -EnableAllPrivileges -ComputerName $server Win32_NTEventlogFile |
        Where-Object { $_.logfilename -eq $EventLogName }

    # Creating a file name based on server, log and time
    $exportFileName = $server + "_" + $EventLogName + "_" + (Get-Date -f yyyyMMdd) + ".evt"

    # Perform the backup
    $logFile.backupeventlog($path + "\" + $exportFileName)

    # Since WMI does the work on the remote machine you can't copy to a file share.
    # This is a workaround to move the files to a single location after the backup
    Move-Item \\$server\c$\logs\$exportFileName \\SERVER1\logs\export
}
What does the script do?
This script reads a list of servers and backs up the specified event log to a local folder on each target server. After the backup is complete, it moves the backup file to a network share, so all backed-up files are stored in a single location.
I hope you find this useful the next time you need to back up event logs from multiple servers.
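When the exported logs are kept for auditing, it helps to confirm that each backup succeeded and to record a hash of every collected file. The following is an added example, not part of the original script: it follows the same flow, checks the WMI return value, and appends a SHA-256 entry to a manifest. The manifest file name is hypothetical, and Windows PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example: same backup flow as the script above, plus result checks and a hash manifest.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and the paths used in the post.
$EventLogName = "Application"
$path         = "C:\logs"                        # must exist on every server
$share        = "\\SERVER1\logs\export"          # central collection share from the post
$manifest     = Join-Path $share "manifest.csv"  # hypothetical manifest file name

foreach ($server in Get-Content C:\logs\servers.txt) {
    try {
        $logFile = Get-WmiObject -EnableAllPrivileges -ComputerName $server `
            -Class Win32_NTEventlogFile -Filter "LogfileName='$EventLogName'" -ErrorAction Stop
        if (-not $logFile) { throw "log '$EventLogName' not found" }

        # Time is included so a second run on the same day gets a new file name
        $exportFileName = "{0}_{1}_{2}.evt" -f $server, $EventLogName, (Get-Date -f yyyyMMdd_HHmmss)
        $result = $logFile.BackupEventLog((Join-Path $path $exportFileName))

        # BackupEventLog reports its outcome in ReturnValue; 0 means success
        if ($result.ReturnValue -ne 0) { throw "BackupEventLog returned $($result.ReturnValue)" }

        # C:\logs on the target is reached through its administrative share: \\server\C$\logs
        $remoteFile = "\\$server\" + ($path -replace '^([A-Za-z]):', '$1$$') + "\$exportFileName"
        Move-Item -Path $remoteFile -Destination $share -ErrorAction Stop

        # Record what was collected, from where, when, and its SHA-256
        $hash = Get-FileHash -Path (Join-Path $share $exportFileName) -Algorithm SHA256
        [pscustomobject]@{
            Server       = $server
            Log          = $EventLogName
            File         = $exportFileName
            SHA256       = $hash.Hash
            CollectedUtc = (Get-Date).ToUniversalTime().ToString("o")
        } | Export-Csv -Path $manifest -Append -NoTypeInformation
    }
    catch {
        # A failure on one server is reported and the loop moves on to the next
        Write-Warning "$server : $($_.Exception.Message)"
    }
}
```

Servers that fail appear as warnings and have no row in the manifest, so the manifest lists only files that were actually collected.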