Get-EventLog
Hi. I'm trying to use the Get-EventLog PowerShell command to retrieve specific events from the system log using the Remote Command feature and am having trouble with one specific part.
I am retrieving event 6008 from the System log of each computer. My command works to retrieve the information and to export the file for a computer to that computer or to a spot on the network, but I would like to export data from all computers into one file if possible so that I don't have to review hundreds of individual files.
Here is the command I'm using right now:
Get-EventLog -Log "System" -After 08/18/2016 -Source "EventLog" | where {$_.eventID -eq 6008} | Export-Csv \\osad-ch-sa1\c$\Event6008.csv
Is there anything I can do to get this to work to dump all into one file? I would like to select all, or at least a bunch of, computers and run them all at once, so I understand that file locking could be an issue.
If not, is there some other way to accomplish this in PDQ? We have Inventory and Deploy Enterprise Mode.
Thanks for your help.
Comments
Try the Add-Content cmdlet.
http://www.adminarsenal.com/powershell/Add-Content/
Thank you. I ended up accomplishing what I wanted by using two commands, one in PDQ Inventory and one directly in PowerShell on the same server.
In PDQ, I included a variable $env:computername.csv so that each computer that the command was run against would generate a unique file on the server. This is the entire command:
Get-EventLog -Log "System" -After 08/18/2016 -Source "EventLog" | where {$_.eventID -eq 6008} | Export-Csv "\\servername\C$\downloads\eventreview\$env:computername.csv" -NoTypeInformation
Then, in PowerShell, I used the Add-Content command to gather the information from all CSV files in my specific directory and combine them into one overall:
Add-Content -Path "C:\downloads\events6008.csv" -Value (Get-Content "c:\downloads\eventreview\*.csv")
The final result did require some manual cleanup to remove duplicate header row information, but other than that it worked great.
Great to hear! :)
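An alternative to the Add-Content merge step in the reply above, added here as an example and not part of the original thread: parsing each per-computer file with Import-Csv and writing the set back with Export-Csv yields one header row, so no manual cleanup is needed. The directory and output paths are the ones from the post; the SourceComputer column name and the zero-length-file check are assumptions of this example.

```powershell
# Added example, not code from the thread. Paths match the post above.
$sourceDir = 'C:\downloads\eventreview'      # per-computer CSVs written by the PDQ step
$merged    = 'C:\downloads\events6008.csv'   # combined output, outside $sourceDir

$rows = foreach ($file in Get-ChildItem -Path $sourceDir -Filter '*.csv') {
    # Assumption: a computer with no matching events may leave an empty file; skip it.
    if ($file.Length -eq 0) { continue }

    # Import-Csv consumes each file's header row, so headers never land in the data.
    # The file name is the computer name ($env:computername.csv in the PDQ command),
    # so record it as an extra column (SourceComputer is a name chosen for this example).
    Import-Csv -Path $file.FullName |
        Select-Object @{ Name = 'SourceComputer'; Expression = { $file.BaseName } }, *
}

if ($rows) {
    # Export-Csv writes a single header row for the whole set.
    $rows | Export-Csv -Path $merged -NoTypeInformation

    # Per-computer count of event 6008 entries, highest first.
    $rows | Group-Object -Property SourceComputer |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count
}
else {
    Write-Warning "No event rows found under $sourceDir"
}
```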