So I'm trying to write a PowerShell script that will go through a folder full of .evtx files, send out each one via syslog, then append ".done" to the filename of the .evtx file after doing so.

The thing is, I'm not quite sure how to reference the current log file I am on within the Foreach-Object loop.

Hopefully the following code will explain my dilemma.

# begin foreach loop
Get-ChildItem $evtxfolder -Filter *.evtx | `
Foreach-Object {
    $LPARGS = ("-i:evt", "-o:syslog", "SELECT STRCAT(`' evt-Time: `', TO_STRING(TimeGenerated, `'dd/MM/yyyy, hh:mm:ss`')),EventID,SourceName,ComputerName,Message INTO $SERVER FROM $CURRENTOBJECT") # obviously, this won't work.
    $LOGPARSER = "C:\Program Files (x86)\Logparser 2.2\logparser.exe"
    $LP = Start-Process -FilePath $LOGPARSER -ArgumentList $LPARGS -Wait -Passthru -NoNewWindow
    $LP.WaitForExit() # wait for logs to finish
} # end foreach loop

If you look in $LPARGS, you'll see that I put $SERVER and $CURRENTOBJECT. Obviously, the way I have it now will not work. So basically, I'm trying to put the variable $SERVER (passed in as a parameter) into the arguments for logparser, and reference whatever current event log it is working on to put in the "FROM" statement so that it knows to work on one .evtx file at a time. What would be the proper way to do this?

An example of the INTO FROM statement:

..snippet..
SourceName,ComputerName,Message INTO @192.168.56.30 FROM 'C:\Eventlogs\20131125.evtx'"

Of course, 'C:\Eventlogs\20131125.evtx' would change as it goes through the contents of the directory.

  • Our powershell version is 2. Commented Nov 25, 2013 at 23:03
  • Which is the final ps1 ? Commented Jul 14, 2016 at 17:40

1 Answer

If $server is defined outside your script above it will be available inside your string for $LPARGS. As for the $CURRENTOBJECT, that would be $_. In this case, it will be a FileInfo object. It is likely you want the Name property e.g. $($_.Name).

8 Comments

Alright, so then I should change $SERVER to $($_.SERVER)? Within $LPARGS? That still leaves the question of what to do with $CURRENTOBJECT.
$_ represents each of the files you've retrieved with Get-ChildItem $evtxfolder -Filter *.evtx and sent down the pipeline. All you need to do for $SERVER is set it before the script that iterates the evtx files e.g. $SERVER = 'servername'.
Perhaps you should write out an example of what you would like INTO ??? FROM ???? to be after expanding variables for one of the files.
Full path to the EVTX is easy - $($_.Fullname). I can't tell you what to use for $SERVER as I've never used LogParser but I can tell you that it won't be $($_.Server). There is no Server property on a FileInfo object.
Then all you need to do is reference the variable in the double quoted string "... ${SERVER} ...".
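Putting the answer's two points together (the server name comes from a script parameter and the current file is $_.FullName), here is an added example that is not code from the question or the answer. It assumes the parameter names $Server, $EvtxFolder and $LogParser, and it only renames a file to .done when logparser exited with code 0, so a file whose syslog send failed is picked up again on the next run.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Server,   # assumed: syslog host, e.g. 192.168.56.30
    [string]$EvtxFolder = 'C:\Eventlogs',           # assumed default folder
    [string]$LogParser  = 'C:\Program Files (x86)\Logparser 2.2\logparser.exe'
)

# One .evtx at a time; inside the block $_ is the FileInfo object for the current file.
Get-ChildItem -Path $EvtxFolder -Filter *.evtx | Foreach-Object {
    $file = $_.FullName

    # Single quotes need no escaping inside a double-quoted PowerShell string,
    # so ${Server} and $file expand directly into the LogParser query.
    $query = "SELECT STRCAT(' evt-Time: ', TO_STRING(TimeGenerated, 'dd/MM/yyyy, hh:mm:ss'))," +
             "EventID,SourceName,ComputerName,Message " +
             "INTO @${Server} FROM '$file'"

    # Each array element is one argument; wrap the query in literal double quotes
    # so Start-Process passes it to logparser.exe as a single argument.
    $lpArgs = @('-i:EVT', '-o:SYSLOG', ('"' + $query + '"'))

    $proc = Start-Process -FilePath $LogParser -ArgumentList $lpArgs -Wait -PassThru -NoNewWindow

    # Mark the file done only after a clean exit; otherwise leave it for a retry.
    if ($proc.ExitCode -eq 0) {
        Rename-Item -Path $file -NewName ($_.Name + '.done')
    } else {
        Write-Warning "logparser exited with code $($proc.ExitCode) for $file; not renaming"
    }
}
```

Because -Wait already blocks until logparser.exe exits, the extra WaitForExit() call from the question is not needed.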
