question

RajKumar-4574 avatar image
0 Votes"
RajKumar-4574 asked IanXue-MSFT answered

event export for all DCs

Hi ALL

I am using below script to get the event IDs from all dcs but not getting desired result. Please help to get get eveint Ids from all dcs in domain



Import-module Activedirectory

$dcs = Import-Csv C:\temp\allDcs.csv

$dcs | % {

$DCS = $_.name

try
{

get-winevent -FilterHashtable @{Logname='System';ID=5829,5830} -MaxEvents 1 -ComputerName $DCS |
Select MachineName,EventID,TimeWritten,message| Export-Csv 529.csv -NTI
}
Catch
{

Add-Content "$DCS $_ " -path c:\temp\UnreachableDCs.txt
}

  }
windows-server-powershell
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered

I'm guessing that the data you export doesn't have the properties you expected? See if this works better:

 $DomainName = (Get-ADDomain).DNSRoot
 (Get-ADDomainController -Filter * -Server $DomainName).HostName |
     ForEach-Object{
         $DC = $_
         Try{
             Get-Winevent -FilterHashtable @{Logname='System';ID=5829,5830} -MaxEvents 1 -ComputerName $DC |
                 Select-Object MachineName,ID,TimeCreated,Message | 
                     Export-Csv 529.csv -NTI
         }
         Catch{
             $Err = $_ | Out-String
             Add-Content "$DC $Err " -path c:\temp\UnreachableDCs.txt
         }
     }

Note that this will only get the Domain Controllers in your domain and not the entire forest. If you have a multi-domain forest you can certainly get the list of domains in the forest and for each domain get the names of all the domain controllers in each domain.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

IanXue-MSFT avatar image
0 Votes"
IanXue-MSFT answered

Hi,

The EventLogRecord objects got by Get-WinEvent have no "EventID" and "TimeWritten" properties. You can select the properties "Id" and "TimeCreated" instead.
https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogrecord

Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.