PowerShell Import Eventlogs

This topic contains 0 replies, has 1 voice, and was last updated by  Forums Archives 5 years, 8 months ago.

  • Author
    Posts
  • #5724

    by GuyThomas at 2013-03-26 12:31:59

    The situation:
    I have used Export-Clixml to successfully export messages from the security log.
    I then used Clear-Eventlog to purge the log.
    I can observe the messages using Import-Clixml.

    Question: Can get those messages back into the security log using PowerShell?
    Supplementary Question: If I choose a different export method / format would that make it possible to import the messages back into the actual Security log.

    [Fortunately, I am using a testbed, so failure is not a big problem.]

    by DexterPOSH at 2013-03-26 14:33:04

    Hi,

    Yes I was able to do this. You can use Import-Clixml to get the objects then pipe it to Write-Eventlog cmdlet to perform this..I have used "windows powershell" logname in my example here

    Import-Clixml C:\TEMP\eventlog.xml | foreach -Process {
    >> Write-EventLog -LogName "Windows PowerShell" -Source $_.source -EntryType $_.entrytype -Category $_.categorynumber -EventId $_.eventid -Message $_.message -Verbose }
    >>

    try this and let us know if it worked for you.

    The only gotcha here is for write-cmdlet's parameter -category you need to use $_.categorynumber instead of $-.category

    by GuyThomas at 2013-03-27 01:23:21

    Brilliant solution. I was aware of Write-EventLog, but had not made the connection to pipe the saved file into that cmdlet.

    It worked just as you explained for the PowerShell log, but not for the System or Security logs. Do I need to adjust the properties to get those to work?

    by DexterPOSH at 2013-03-27 12:18:25

    Hi Thomas,

    For PowerShell cmdlet Write-Eventlog to write application to System Eventlog you should have permission to write on it.
    Check the following Registry Entry using Regedit (or use PowerShell to do this)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

    Right click on this entry and select Permissions and see if the User account you are using here to write to eventlog is there and has the permission to do so, if not add it and then try.

    Surprisingly, Even the administrators don't have write access to the security one. I will give it a try too.
    Please let us know if this works for you.

    Regards

    by GuyThomas at 2013-03-28 02:16:57

    Dear Dexter

    Thanks permissions are OK. Appreciate the registry key and the reminder to manage with PowerShell

You must be logged in to reply to this topic.