Event Log Export-Csv

This topic contains 3 replies, has 4 voices, and was last updated by Mike Carter 6 months, 4 weeks ago.

  • Author
  • #29698
    Ernesto Lombardi
    Invoke-Command -ComputerName Win8 -ScriptBlock {Get-EventLog -List | Export-Csv \\AD\Share\Test.csv}

    Access to the path '\\AD\Share\Test.csv' is denied.
    + CategoryInfo : OpenError: (:) [Export-Csv], UnauthorizedAccessException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
    + PSComputerName : Win8

    I have configured Everyone Full access

    I would like the remote machine to do the work of exporting documents to a share.
    Possibly in the future sorting and organizing logs.

    invoke-command {get-eventlog -LogName System} -ComputerName win8 | Export-Csv C:\Names.csv

    This command works fine

  • #29707
    Flynn Bundy

    Hi there!

    So even though you have configured this to allow full access, there is still going to be an issue with that remote machine delegating the credentials from your Invoke-Command to connect to a share. This will work if you set up CredSSP (Enable-WSManCredSSP) and specify the Client to be the server that you are invoking the command from. You will also need to specify the delegate server who will receive these creds (or * for a lab environment).

    After that you can invoke a command over to your remote machine and do:

    Invoke-Command remotemachine {Enable-WSMANCredSSP -role Server} 

    This will enable the remote machine to receive creds from your Client server who will be sending them. Once that is set up you can run your command again; however, this time it will need to look something like this.

     Invoke-Command -ComputerName Win8 -ScriptBlock {Get-EventLog -List | Export-Csv \\AD\Share\Test.csv} -Authentication CredSSP -Credential (Get-Credential) 

    What may be an easier solution is simply creating a PSDrive like so.

     New-PSDrive -Name W -PSProvider FileSystem -Root \\machine\share

    That way you can just do a Copy-Item to W:

    Let us know how you go!

  • #29720
    Naeem Mohammad

    Don't forget you can still use "Net Use"; this works well with PowerShell.
    net use W: \\AD\Share

    Invoke-Command -ComputerName Win8 -ScriptBlock {net use W: \\AD\Share} -Credential (Get-Credential)
    Invoke-Command -ComputerName Win8 -ScriptBlock {Get-EventLog -List | Export-Csv W:\Test.csv} -Credential (Get-Credential)

    I am not really good with scripting but I am sure you can run both commands in one script block.
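
The two suggestions above (a PSDrive, and mapping plus export in one script block) can be combined so the remote machine authenticates to the share with an explicitly supplied credential, which avoids enabling CredSSP delegation on either host. This is an added example, not code from any poster in the thread; Win8, \\AD\Share and Test.csv come from the thread, the drive name LogShare is an assumption, and PowerShell 3.0 or later is assumed on Win8.

```powershell
# Added example. Names Win8, \\AD\Share and Test.csv come from the thread;
# the drive name LogShare is hypothetical.
$cred = Get-Credential   # account with write access to \\AD\Share

Invoke-Command -ComputerName Win8 -Credential $cred -ArgumentList $cred -ScriptBlock {
    param([System.Management.Automation.PSCredential]$ShareCred)

    # Map the share inside the remote session with explicit credentials, so the
    # second hop (Win8 -> AD) authenticates on its own without CredSSP.
    $null = New-PSDrive -Name LogShare -PSProvider FileSystem -Root '\\AD\Share' `
        -Credential $ShareCred -ErrorAction Stop
    try {
        # Same export as the original command, written through the mapped drive.
        Get-EventLog -List |
            Export-Csv -Path 'LogShare:\Test.csv' -NoTypeInformation
    }
    finally {
        # Drop the mapping so the credentialed connection does not outlive the job.
        Remove-PSDrive -Name LogShare -ErrorAction SilentlyContinue
    }
}
```

The credential passed in -ArgumentList can be a dedicated account that only has write access to the share, separate from the account used for the remoting session itself.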

  • #37121
    Mike Carter

    Please note, for accessing event logs, Windows PowerShell comes with the Get-EventLog cmdlet:

    Parameter Set: LogName
    Get-EventLog [-LogName] <String> [[-InstanceId] <Int64[]>]
    [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>]
    [-ComputerName <String[]>] [-EntryType <String[]>]
    [-Index <Int32[]>] [-Message <String>] [-Newest <Int32>]
    [-Source <String[]>] [-UserName <String[]>] [<CommonParameters>]

    I recommend you automate the PowerShell Export Log process rather than getting into the hassle of coding and scripting. http://eventlogxp.com/blog/exporting-event-logs-with-windows-powershell/ . It might help.
