Backup Eventlog then save as text

jamie_pattison

I would like to backup/copy an event log then save the contents as text so I can input this data to a database.

Reading around, it seems I need to know WMI to do this, which I don't really know. Could anyone advise how I could do this or provide some links to get started?

Thanks in advance
 
You can use the EventLog class (System.Diagnostics) to read event logs. This sample reads today's Application entries:
VB.NET:
Dim log As New EventLog("Application")
For Each entry As EventLogEntry In log.Entries
    If entry.TimeGenerated.Date = Date.Now.Date Then
        Console.WriteLine("{0} {1} {2}", entry.TimeGenerated, entry.EntryType, entry.Message)
    End If
Next
To save in the binary .evtx event file format, as can be done from the Event Viewer app, you can use WMI and the Win32_NTEventlogFile class to call the BackupEventlog method. See thread http://www.vbdotnetforums.com/articles-interest/13972-wmi-code-creator-1-0-a.html to get started with WMI.
 
Thanks. I don't seem to be getting the expected results. Here's my code:

VB.NET:
        Try
            Dim connection As New ConnectionOptions
            connection.Username = "Administrator"
            connection.Password = "password"
            connection.Authority = "ntlmdomain:My_Domain"

            Dim scope As New ManagementScope( _
                "\\Server\root\CIMV2", connection)
            scope.Connect()

            Dim classInstance As New ManagementObject(scope, _
                 New ManagementPath("Win32_NTEventlogFile.Name='C:\Windows\System32\Config\SecEvent.evt'"), _
                 Nothing)

            ' Obtain [in] parameters for the method
            Dim inParams As ManagementBaseObject = _
                classInstance.GetMethodParameters("Copy")

            ' Add the input parameters.

            ' Execute the method and obtain the return values.
            Dim outParams As ManagementBaseObject = _
                classInstance.InvokeMethod("Copy", inParams, Nothing)

            ' List outParams
            Console.WriteLine("Out parameters:")
            Console.WriteLine("ReturnValue: {0}", outParams("ReturnValue"))

            'Close()

        Catch err As ManagementException

            MessageBox.Show("An error occurred while trying to execute the WMI method: " & err.Message)

        Catch unauthorizedErr As System.UnauthorizedAccessException

            MessageBox.Show("Connection error (user name or password might be incorrect): " & unauthorizedErr.Message)
        End Try
I'm running this against Windows Server 2003 with all updates. The end result is:

Out Parameters:
ReturnValue:21

I've searched around for what 21 could be but no luck on that.

Where is it copying to (if it is)?

Thanks
 
ReturnValue:21

I've searched around for what 21 could be but no luck on that.
Help answers this question: Copy Method of the Win32_NTEventlogFile Class (Windows)
21 A parameter specified is invalid.
You haven't specified the Filename parameter.

What you should do first is to read the documentation, then run the method in WMI Code Creator against the local machine. For the most part you only use the mouse at this stage, not the keyboard.
In Code Creator first select "Code Language" VB.Net.
  1. select tab "Execute a method"
  2. select the class "Win32_NTEventlogFile"
  3. select the method "Copy" (or "BackupEventLog")
  4. select the "FileName" input parameter and specify the target file path
  5. select the "Name" instance
Now you can click "Execute Code" to perform the action. Now you also know how the method operates and how to handle input and output. You can now also try it against remote computers. You can copy and modify the generated code to include in your own application, though I never use that code; I generate easy-to-use VB classes for the WMI classes as explained in the other thread.
Where is it copying to (if it is)?
While the help page may be unclear about this, when you've tried the method in Code Creator this should be very clear to you.
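
Added example, not part of the thread and not any poster's code: a local BackupEventlog call with its ArchiveFileName input filled in, which is the kind of input the posted Copy call left unset. The archive path and the helper names (Describe, BackupLog) are constructed for illustration; only return values 0 and 21 are decoded, 21 being the one quoted above.

```vbnet
Imports System
Imports System.Management

Module EventLogBackup
    ' Decodes only the values this page covers; look others up in the method's help page.
    Function Describe(code As UInteger) As String
        Select Case code
            Case 0UI : Return "Success"
            Case 21UI : Return "A parameter specified is invalid"
            Case Else : Return "Other (see the BackupEventlog documentation)"
        End Select
    End Function

    ' Backs up one log (e.g. "Application") to archivePath via WMI.
    ' archivePath is resolved on the machine that owns the log, not on the caller.
    Function BackupLog(scope As ManagementScope, logName As String, archivePath As String) As UInteger
        ' The name is spliced into a WQL string, so refuse quote characters.
        If logName.Contains("'") OrElse logName.Contains("""") Then
            Throw New ArgumentException("Invalid log name")
        End If
        Dim query As New ObjectQuery( _
            "SELECT * FROM Win32_NTEventlogFile WHERE LogfileName='" & logName & "'")
        Using searcher As New ManagementObjectSearcher(scope, query)
            For Each logFile As ManagementObject In searcher.Get()
                Dim inParams As ManagementBaseObject = _
                    logFile.GetMethodParameters("BackupEventlog")
                ' Leaving the method's input unset is what produced ReturnValue 21 above.
                inParams("ArchiveFileName") = archivePath
                Dim outParams As ManagementBaseObject = _
                    logFile.InvokeMethod("BackupEventlog", inParams, Nothing)
                Return Convert.ToUInt32(outParams("ReturnValue"))
            Next
        End Using
        Throw New ArgumentException("No event log named " & logName)
    End Function

    Sub Main()
        Dim options As New ConnectionOptions()
        ' Enable the caller's privileges for the call (a log backup needs the Backup privilege).
        options.EnablePrivileges = True
        Dim scope As New ManagementScope("\\.\root\CIMV2", options)
        scope.Connect()

        Dim target As String = "C:\Temp\Application-backup.evt"   ' constructed sample path
        Dim result As UInteger = BackupLog(scope, "Application", target)
        Console.WriteLine("ReturnValue: {0} ({1})", result, Describe(result))
    End Sub
End Module
```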
 
I managed to get this working. The problem I have is that when I have the log copied it opens up with an error:

"Unable to open event log file. The event log file is corrupted" in Event Viewer (I used Event Viewer for testing the file was OK)

This happens with any log file I copy. I added the file location path above, which resolved the previous error, so my code is pretty much the same. Although I think it may be something to do with the file being in use??

Any reason why this could be happening and how to avoid it?

Thanks
 
I don't think so, since the class has no functionality to explicitly stop usage that indicates it would backup/copy at the point where called, and before the next entry was written. I have no problems doing a BackupEventlog/Copy of any log and open it on local machine, but haven't tested it with a remote machine.
 
I don't think so, since the class has no functionality to explicitly stop usage that indicates it would backup/copy at the point where called, and before the next entry was written. I have no problems doing a BackupEventlog/Copy of any log and open it on local machine, but haven't tested it with a remote machine.

Strange even when running this code on Windows Server 2003 (locally) it came back with the same error??

I tried this on another server and same error?
 