Below is the script I have to pull all events and write them out to a directory. It works perfectly for the standard events but not forwarded ones. And honestly, that is all I want. Can anyone assist in correcting this so I can get forwarded events?
$eventpath = "\\ADEvent01\EventLogs\"
# 2) set naming style mm-dd-yyyy
$dte = Get-Date
$newdate = $dte.ToString("MM-dd-yyyy")
$newtime = $dte.ToString("HH")
# 3) get all eventlog names
#    NOTE: this registry key only lists the classic logs (Application, System, Security, ...).
#    Newer channels such as ForwardedEvents are not registered here, so they never enter $logs.
$logs = Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services\EventLog -Name | Sort-Object -Descending
# 5) export all eventlogs to eventpath with naming convention
foreach ($log in $logs)
{
    # Win32_NTEventLogFile likewise exposes only the classic logs
    $log1 = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='$log'"
    if ($null -eq $log1) { Write-Warning "$log - no WMI log object, skipping"; continue }
    $log1.PSBase.Scope.Options.EnablePrivileges = $true   # BackupEventLog needs SeBackupPrivilege
    $filename = "$eventpath$newdate-$newtime-$log.evt"
    $result = $log1.BackupEventLog($filename)
    if ($result.ReturnValue -ne 0) { Write-Warning "$log - backup failed, return code $($result.ReturnValue)" }
    Write-Host "$log - backing up"
    # Start-Sleep 60
}
# 6) Zip all logs that happened today
#Write-Host ("$eventpath$newdate.zip")
#dir $eventpath*.evt | add-Zip $eventpath$newdate-$newTime.zip
#Write-Host ("Sleeping - 120 sec.")
#Start-Sleep 120
# 8) Clear eventlogs
foreach ($log in $logs)
{
    # System.Diagnostics.EventLog also only handles the classic logs
    $el = New-Object System.Diagnostics.EventLog $log
    $el.Clear()
}
Thanks a ton in advance to anyone who can help.
DeAnn
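The reason the script above never sees forwarded events is that the registry key under Services\EventLog, the Win32_NTEventLogFile WMI class and System.Diagnostics.EventLog all only know about the classic logs. ForwardedEvents is a newer Windows Event Log channel and has to be exported and cleared through the newer API, either wevtutil.exe or System.Diagnostics.Eventing.Reader. The following is an added example, not the poster's script or a reply from the thread; it assumes it runs elevated on the collector, that the same share path and timestamp naming style as the original script are wanted, and that wevtutil.exe is on the PATH (it ships with Windows Vista / Server 2008 and later).

```powershell
# Added example: export and clear the ForwardedEvents channel on a WEF collector.
# Assumptions: run as administrator on the collector; $eventpath is a writable
# share (placeholder, reusing the original script's naming style).

$eventpath = "\\ADEvent01\EventLogs\"
$logName   = "ForwardedEvents"
$stamp     = (Get-Date).ToString("MM-dd-yyyy-HH")
# New-style channels export in .evtx format, not the classic .evt
$target    = Join-Path $eventpath "$stamp-$logName.evtx"

# Confirm the channel exists and how many records it holds before touching it.
# Get-WinEvent -ListLog uses the new API, so it does see ForwardedEvents.
$info = Get-WinEvent -ListLog $logName -ErrorAction Stop
Write-Host ("{0}: {1} records, {2:N0} bytes on disk" -f $logName, $info.RecordCount, $info.FileSize)

# Export the live channel with wevtutil epl (export-log); the result opens in Event Viewer.
& wevtutil.exe epl $logName $target
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl $logName failed with exit code $LASTEXITCODE" }

# Never clear the live log unless the backup really landed on the share...
if (-not (Test-Path $target)) { throw "Backup $target was not created; not clearing $logName" }

# ...and actually contains events (an empty export would mean a silent data loss on clear).
$oldest = Get-WinEvent -Path $target -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
if ($null -eq $oldest -and $info.RecordCount -gt 0) {
    throw "Export $target appears empty although the channel had $($info.RecordCount) records; not clearing"
}

Write-Host "$logName - backed up to $target, clearing channel"
& wevtutil.exe cl $logName
if ($LASTEXITCODE -ne 0) { throw "wevtutil cl $logName failed with exit code $LASTEXITCODE" }
```

If you would rather not shell out, the same two steps are available from .NET: `[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ExportLog($logName, [System.Diagnostics.Eventing.Reader.PathType]::LogName, "*", $target)` writes the .evtx, and `...GlobalSession.ClearLog($logName, $target)` backs up and clears in one call (wevtutil has the equivalent `cl $logName /bu:$target`). The checks between export and clear matter more than which API you pick: on a collector, ForwardedEvents is usually the only copy of the source machines' security events, so a failed or empty export followed by a clear is unrecoverable. The same pattern (Get-WinEvent -ListLog to enumerate, wevtutil epl / cl to export and clear) also works for any other non-classic channel, such as the Microsoft-Windows-* operational logs, that the registry-based loop misses.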