ArchiveEventLog.ps1
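<#PSScriptInfo
.VERSION 1.0.0.2
.GUID 62a6a1ab-8583-4829-933e-109aabb03731
.AUTHOR johnny.tse
.COMPANYNAME
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
.PRIVATEDATA
#>

<#
.DESCRIPTION
Archive Windows event logs.

Moves every auto-archived event log file (a file in %windir%\System32\winevt\Logs
whose name starts with 'Archive-' and ends with '.evtx') into $destinationDir.
If a file with the same name already exists there, the moved file is renamed
'Name (1).evtx', 'Name (2).evtx', ... so nothing is ever overwritten.

.PARAMETER destinationDir
Folder that receives the archived logs; created if it does not exist. Defaults to
%windir%\System32\winevt\Archive. Event logs can contain sensitive data (account
names, process command lines, ...): point this at a folder whose ACL is at least
as restrictive as winevt\Logs.

.NOTES
Reading and moving files under winevt\Logs requires administrator rights. When
started unelevated, the script re-launches itself with the 'RunAs' verb (UAC
prompt) and forwards its parameters to the elevated copy.
#>
Param (
    [string]$destinationDir = "$($env:windir)\System32\winevt\Archive"
)

# Make the path absolute relative to the caller's current location before any
# relaunch: the elevated process starts in a different working directory, so a
# relative path would otherwise silently resolve somewhere else.
$destinationDir = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($destinationDir)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    # Everything forwarded to the elevated copy travels on a command line. An
    # embedded double quote cannot be quoted safely there, so refuse it rather
    # than let the argument split into something unintended.
    foreach ($value in @($destinationDir) + @($args)) {
        if ("$value" -match '"') {
            throw "Arguments may not contain a double-quote character: $value"
        }
    }

    # Because this script declares a Param block, a bound -destinationDir is NOT
    # present in $args ($args only holds leftover unbound arguments), so it has
    # to be forwarded explicitly or the elevated run silently uses the default.
    # -NoProfile keeps user profile scripts out of the elevated session.
    # -ExecutionPolicy Bypass is only needed while the script is unsigned; sign
    # the script and drop that switch where policy allows.
    $relaunchArgs = @(
        '-NoProfile',
        '-ExecutionPolicy', 'Bypass',
        '-File', "`"$PSCommandPath`"",
        '-destinationDir', "`"$destinationDir`""
    )
    foreach ($extra in $args) {
        $relaunchArgs += "`"$extra`""
    }
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $relaunchArgs
    exit
}

# Folder the Event Log service writes to.
$sourceDir = "$($env:windir)\System32\winevt\Logs"

if (-not (Test-Path -LiteralPath $sourceDir -PathType Container)) {
    throw "Event log folder not found: $sourceDir"
}

# With source == destination every file would be "moved" onto itself and renamed
# to 'Name (1).evtx' on each run; refuse that instead.
if ($destinationDir.TrimEnd('\') -ieq $sourceDir.TrimEnd('\')) {
    throw "destinationDir must differ from the event log folder: $sourceDir"
}

if (-not (Test-Path -LiteralPath $destinationDir -PathType Container)) {
    New-Item -Path $destinationDir -ItemType Directory -ErrorAction Stop | Out-Null
}

# Only the auto-archived logs ('Archive-<Log>-<timestamp>.evtx') are moved; the
# live <Log>.evtx files are held open by the Event Log service and are left alone.
$filesToMove = @(Get-ChildItem -LiteralPath $sourceDir -Filter 'Archive-*.evtx' -File)

foreach ($file in $filesToMove) {
    $targetPath = Join-Path -Path $destinationDir -ChildPath $file.Name
    $counter    = 1

    # Never overwrite: try 'Name (1).evtx', 'Name (2).evtx', ... until a free name is found.
    while (Test-Path -LiteralPath $targetPath) {
        $candidate  = '{0} ({1}){2}' -f $file.BaseName, $counter, $file.Extension
        $targetPath = Join-Path -Path $destinationDir -ChildPath $candidate
        $counter++
    }

    try {
        # -LiteralPath: '[' and ']' are legal in file names and Move-Item would
        # otherwise treat them as wildcards. No -Force, so the move still fails
        # (and is reported) if something created $targetPath between the check
        # above and this call.
        Move-Item -LiteralPath $file.FullName -Destination $targetPath -ErrorAction Stop
    }
    catch {
        # Report and carry on with the remaining files rather than abort the batch.
        Write-Warning "Could not move '$($file.FullName)' to '$targetPath': $($_.Exception.Message)"
    }
}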