Automated Eventlog export - Windows 2008 & 2008 R2

Application development teams commonly ask for the errors and exceptions from production servers. Providing this data on demand is inefficient because of the overhead of the support procedures involved, hence the need to automate it. For environments where you have a dedicated development team and do not need to filter between the errors of different applications, you can do the following:

· Export the event log with a scheduled task

· Write the exported log to a remote share

· Time stamp the exported log

· Provide access to the share for the development team

When operations engineers think about scheduled tasks, the first thing that comes to mind is the overhead of managing a service account and rotating its password. Since Windows 2008 we have been able to run scheduled tasks as Network Service, which removes the password-management overhead. One point to note: when a process running as Network Service accesses network resources, it does so under the identity of the machine account (DOMAIN\HOSTNAME$). On Windows 2008 and higher you can export the event log with the command line utility wevtutil, and date/time stamp the file using the PowerShell cmdlet get-date. Assume you write to the remote share \\utilityserver\logdump and that the machine account of the server exporting the logs via the scheduled task has write access to the share.

On the utility server, create the share and grant the exporting server's machine account the necessary permissions with the following:

net share logdump=D:\eventlogdump /grant:<domain\machineaccount>$,change

icacls D:\eventlogdump /GRANT <domain\machineaccount>:(D,WDAC)

On the machine exporting the logs, save the following as logexport.ps1:

# Target share; the post assumes \\utilityserver\logdump ("noname" is a placeholder to replace)
$share="logdump"
$utilityserver="noname"
# Build a time-stamped file name that also carries this host's name, e.g.
# \\utilityserver\logdump\2011_01_05_14_46_application_web1.evtx
$file="\\$utilityserver\$share\$(get-date -uformat '%Y_%m_%d_%H_%M')_application_$(hostname).evtx"
# Export the Application log; the destination path must be on the same line as the command
wevtutil epl application $file

Run the following to create a scheduled task on the machine:

schtasks /create /TN log_export /SC MINUTE /MO 10 /TR "powershell -file c:\temp\logexport.ps1" /RU "networkservice"

Once the job kicks off you will see a file similar to 2011_01_05_14_46_application_web1.evtx appear every 10 minutes. If you want to deploy to a number of machines, copy logexport.ps1 to each machine and use:

schtasks /s <remotemachinename> /create /TN log_export /SC MINUTE /MO 10 /TR "powershell -file c:\temp\logexport.ps1" /RU "networkservice"

Alternatively, if you do not want to retype the command every time, export the scheduled task as an XML file and re-import the XML file on any number of machines.
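The export-and-re-import approach just described, worked through as an added example (this is not the post's own script): schtasks /query /XML dumps the task definition once, and the loop copies logexport.ps1 and creates the task from that XML on each server, checking the exit code of every step so a failed deployment does not go unnoticed. The server names, the C:\deploy\logexport.ps1 source path and the C$\temp destination are assumptions for illustration; the task is assumed to already exist on the machine where this runs.

```powershell
# Added example: deploy the log_export task to several servers from an exported
# task definition instead of re-typing schtasks on every machine.
# Assumptions (hypothetical): $servers lists the target hosts, the source script
# lives at C:\deploy\logexport.ps1, and the admin share C$ is reachable on each host.

$taskName   = "log_export"
$scriptPath = "C:\deploy\logexport.ps1"        # assumed location of the post's script
$xmlFile    = Join-Path $env:TEMP "$taskName.xml"
$servers    = @("web1", "web2", "web3")        # constructed server list

# Export the existing task definition once. Task Scheduler XML is UTF-16, so keep it Unicode.
schtasks /query /TN $taskName /XML | Out-File -FilePath $xmlFile -Encoding Unicode
if ($LASTEXITCODE -ne 0) { throw "Could not export task '$taskName' from the local machine" }

foreach ($server in $servers) {
    # Stage the export script where the task's /TR command line expects it (c:\temp)
    $dest = "\\$server\c$\temp"
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
    Copy-Item -Path $scriptPath -Destination $dest -Force

    # Create the task from the XML; /RU keeps it running as Network Service even if the
    # exported definition carried a different principal, /F overwrites an existing task
    schtasks /s $server /create /F /TN $taskName /XML $xmlFile /RU "NT AUTHORITY\NetworkService"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Task creation failed on $server"
        continue
    }

    # Confirm the task landed and show when it will first fire
    schtasks /s $server /query /TN $taskName /FO LIST | Select-String "Next Run Time"
}
```

Run it from an account that is an administrator on every target server; the task itself still runs as Network Service, so it is the target machine's computer account, not the deploying user, that needs write access on \\utilityserver\logdump.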

For shared hosting environments where you need segregation between the errors of different applications, the best approach is to parse the event logs, filter them, insert the results into a database, and build a UI that enforces role-based access control per application. Application owners can then use the UI to see their exceptions in production. This is how error logs are passed on to development teams in the shared hosting model of www.microsoft.com; we will cover that in a different blog post.

In the next post we will look at a scenario where I had fun with sandboxed code solutions in SP2010.