PowerShell 将远程 PC 事件日志导出到本地 PC.
1. Open Powershell ISE with an account that has local admin access to remote PCs.
笔记: You also need to have the Sysinternals Tools installed and be able to call psloglist with a prior reference to its path pre-defined:
Set-Alias psloglist c:\windows\system32\psloglist.exe
2. Function calls for remote System Event logs;
Replace the REMOTE-PCNAME with the NetBIOS name of the PC you want to connect to and extract the logs from. 这 “start notepad” command should then open the log file on your PC to review. 还, you can change the last string or even delete it if you use another tool for logs. (举个例子 Cmtrace 或者 Notepad++)
function GetSysEventLogs
{
$currDate = get-date -format MMddyyyy
$getDayDuration = Read-Host "Please enter the number of days of logs to extract"
psloglist \\REMOTE-PCNAME -d $getDayDuration -s system > c:\logs\REMOTE-PCNAME-sysevtlogs-$currDate.txt
Write-Host "Event logs saved to c:\logs\REMOTE-PCNAME-sysevtlogs-$currDate.txt"
start notepad c:\logs\REMOTE-PCNAME-sysevtlogs-$currDate.txt
}3. Function calls for remote Application Event logs;
function GetAppEventLogs
{
$currDate = get-date -format MMddyyyy
$getDayDuration = Read-Host "Please enter the number of days of logs to extract"
psloglist \\REMOTE-PCNAME -d $getDayDuration -s application > c:\logs\REMOTE-PCNAME-appevtlogs-$currDate.txt
Write-Host "Event logs saved to c:\logs\REMOTE-PCNAME-appevtlogs-$currDate.txt"
start notepad c:\logs\REMOTE-PCNAME-appevtlogs-$currDate.txt
}4. Function calls for remote Security Event logs;
function GetSecEventLogs
{
$currDate = get-date -format MMddyyyy
$getDayDuration = Read-Host "Please enter the number of days of logs to extract"
psloglist \\REMOTE-PCNAME -d $getDayDuration -s security > c:\logs\REMOTE-PCNAME-secevtlogs-$currDate.txt
Write-Host "Event logs saved to c:\logs\REMOTE-PCNAME-secevtlogs-$currDate.txt"
start notepad c:\logs\REMOTE-PCNAME-secevtlogs-$currDate.txt
}Steps that this script do:
1) Prompt you for how many days of logs you want to extract out
2) Connect to the remote machine
3) Export the specific log to a *.TXT file
4) Copy the log back to your computer into c:\logs\
5) Open the file in Notepad
