{"id":392408,"date":"2024-12-16T09:43:09","date_gmt":"2024-12-16T09:43:09","guid":{"rendered":"https:\/\/www.ninjaone.com\/?post_type=script_hub&#038;p=392408"},"modified":"2024-12-16T09:43:09","modified_gmt":"2024-12-16T09:43:09","slug":"sauvegarde-du-journal-des-evenements-powershell","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/fr\/script-hub\/sauvegarde-du-journal-des-evenements-powershell\/","title":{"rendered":"PowerShell Script for Event Log Backup: A Complete Guide for IT Professionals"},"content":{"rendered":"<h2>Introduction<\/h2>\n<p>In IT management, keeping accurate system event logs is essential for troubleshooting, compliance, and security. Managing these logs by hand, however, is time-consuming, especially in large environments. <strong>Automating event log backups with <a href=\"https:\/\/www.ninjaone.com\/it-hub\/endpoint-management\/what-is-powershell\/\">PowerShell<\/a><\/strong> is a practical and efficient answer. This guide presents a PowerShell script that exports and compresses event logs, giving you a streamlined approach to event log management.<\/p>\n<h2>Background<\/h2>\n<p>Event logs are essential for understanding system activity and diagnosing problems. 
These logs record information such as system errors, security breaches, and application events, which makes them invaluable to system administrators and <a href=\"https:\/\/www.ninjaone.com\/what-is-an-msp\/\">managed service providers (MSPs)<\/a>. The script provided automates the backup process, ensuring that logs are exported, compressed, and stored securely without manual intervention.<\/p>\n<p>This script is particularly useful in environments subject to strict regulatory requirements, such as HIPAA or <a href=\"https:\/\/www.ninjaone.com\/blog\/what-is-gdpr-compliance\/\">GDPR<\/a>, where maintaining detailed audit trails is mandatory.<\/p>\n<h2>The script:<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\">#Requires -Version 5.1\r\n\r\n&lt;#\r\n.SYNOPSIS\r\n    Exports the specified event logs to a specified location in a compressed zip file.\r\n.DESCRIPTION\r\n    Exports the specified event logs to a specified location in a compressed zip file.\r\n    The event logs can be exported from a specific date range.\r\n\r\n    By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
\r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n\r\nPARAMETER: -EventLogs \"System,Security\" -BackupDestination \"C:\\Temp\\EventLogs\\\"\r\n    Exports the specified event logs to a specified location in a compressed zip file.\r\n.EXAMPLE\r\n    -EventLogs \"System,Security\" -BackupDestination \"C:\\Temp\\EventLogs\\\"\r\n    ## EXAMPLE OUTPUT WITH EventLogs ##\r\n    [Info] Today is 2023-04-17\r\n    [Info] EventLogs are System,Security\r\n    [Info] Backup Destination is C:\\Temp\\EventLogs\\\r\n    [Info] Start Date is null\r\n    [Info] End Date is null\r\n    [Info] Exporting Event Logs...\r\n    [Info] Exported Event Logs to C:\\Temp\\EventLogs\\System.evtx\r\n    [Info] Exported Event Logs to C:\\Temp\\EventLogs\\Security.evtx\r\n    [Info] Successfully exported Event Logs!\r\n    [Info] Compressing Event Logs...\r\n    [Info] Compressed Event Logs to C:\\Temp\\EventLogs\\Backup-System-Security-2023-04-17.zip\r\n    [Info] Successfully 
compressed Event Logs!\r\n    [Info] Removing Temporary Event Logs...\r\n    [Info] Removed Temporary Event Logs!\r\n\r\nPARAMETER: -EventLogs \"System,Security\" -BackupDestination \"C:\\Temp\\EventLogs\\\" -StartDate \"2023-04-15\" -EndDate \"2023-04-15\"\r\n    Exports the specified event logs to a specified location in a compressed zip file.\r\n    The event logs can be exported from a specific date range.\r\n.EXAMPLE\r\n    -EventLogs \"System,Security\" -BackupDestination \"C:\\Temp\\EventLogs\\\" -StartDate \"2023-04-15\" -EndDate \"2023-04-15\"\r\n    ## EXAMPLE OUTPUT WITH StartDate and EndDate ##\r\n    [Info] Today is 2023-04-17\r\n    [Info] EventLogs are System,Security\r\n    [Info] Backup Destination is C:\\Temp\\EventLogs\\\r\n    [Info] Start Date is 2023-04-15\r\n    [Info] End Date is 2023-04-16\r\n    [Info] Exporting Event Logs...\r\n    [Info] Exported Event Logs to C:\\Temp\\EventLogs\\System.evtx\r\n    [Info] Exported Event Logs to C:\\Temp\\EventLogs\\Security.evtx\r\n    [Info] Successfully exported Event Logs!\r\n    [Info] Compressing Event Logs...\r\n    [Info] Compressed Event Logs to C:\\Temp\\EventLogs\\Backup-System-Security-2023-04-17.zip\r\n    [Info] Successfully compressed Event Logs!\r\n    [Info] Removing Temporary Event Logs...\r\n    [Info] Removed Temporary Event Logs!\r\n.NOTES\r\n    Minimum OS Architecture Supported: Windows 10, Windows Server 2016\r\n    Release Notes: Initial Release\r\n#&gt;\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    [String]$EventLogs,\r\n    [String]$BackupDestination,\r\n    [DateTime]$StartDate,\r\n    [DateTime]$EndDate\r\n)\r\n\r\nbegin {\r\n    function Test-IsElevated {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\r\n    }\r\n}\r\nprocess {\r\n    if (-not (Test-IsElevated)) {\r\n        Write-Host 
\"[Error] Access Denied. Please run with Administrator privileges.\"\r\n        exit 1\r\n    }\r\n    if ($env:eventLogs -and $env:eventLogs -notlike \"null\") {\r\n        $EventLogs = $env:eventLogs\r\n    }\r\n    \r\n    $EventLogNames = $EventLogs -split \",\" | ForEach-Object { $_.Trim() }\r\n    if ($env:backupDestination -and $env:backupDestination -notlike \"null\") {\r\n        $BackupDestination = $env:backupDestination\r\n    }\r\n    if ($env:startDate -and $env:startDate -notlike \"null\") {\r\n        $StartDate = $env:startDate\r\n    }\r\n    if ($env:endDate -and $env:endDate -notlike \"null\") {\r\n        $EndDate = $env:endDate\r\n    }\r\n\r\n    # Validate StartDate and EndDate\r\n    if ($StartDate) {\r\n        try {\r\n            $StartDate = Get-Date -Date $StartDate -ErrorAction Stop\r\n        }\r\n        catch {\r\n            Write-Host \"[Error] The specified start date is not a valid date.\"\r\n            exit 1\r\n        }\r\n    }\r\n    if ($EndDate) {\r\n        try {\r\n            $EndDate = Get-Date -Date $EndDate -ErrorAction Stop\r\n        }\r\n        catch {\r\n            Write-Host \"[Error] The specified end date is not a valid date.\"\r\n            exit 1\r\n        }\r\n    }\r\n    # Validate BackupDestination is a valid path to a folder\r\n    if ($(Test-Path -Path $BackupDestination -PathType Container -ErrorAction SilentlyContinue)) {\r\n        $BackupDestination = Get-Item -Path $BackupDestination\r\n    }\r\n    else {\r\n        try {\r\n            $BackupDestination = New-Item -Path $BackupDestination -ItemType Directory -ErrorAction Stop\r\n        }\r\n        catch {\r\n            Write-Host \"[Error] The specified backup destination is not a valid path to a folder.\"\r\n            exit 1\r\n        }\r\n    }\r\n\r\n    Write-Host \"[Info] Today is $(Get-Date -Format yyyy-MM-dd-HH-mm)\"\r\n\r\n    # Validate EventLogs are valid event logs\r\n    if (\r\n        $(\r\n            wevtutil.exe el 
| ForEach-Object {\r\n                if ($EventLogNames -and $($EventLogNames -contains $_ -or $EventLogNames -like $_)) { $_ }\r\n            }\r\n        ).Count -eq 0\r\n    ) {\r\n        Write-Host \"[Error] No Event Logs matching: $EventLogNames\"\r\n    }\r\n\r\n    Write-Host \"[Info] EventLogs are $EventLogNames\"\r\n    if ($EventLogNames -and $EventLogNames.Count -gt 0) {\r\n        Write-Host \"[Info] Backup Destination is $BackupDestination\"\r\n\r\n        # If the start date is specified, check if it's a valid date\r\n        if ($StartDate) {\r\n            try {\r\n                $StartDate = $(Get-Date -Date $StartDate).ToUniversalTime()\r\n            }\r\n            catch {\r\n                Write-Host \"[Error] The specified start date is not a valid date.\"\r\n                exit 1\r\n            }\r\n            Write-Host \"[Info] Start Date is $(Get-Date -Date $StartDate -Format yyyy-MM-dd-HH-mm)\"\r\n        }\r\n        else {\r\n            Write-Host \"[Info] Start Date is null\"\r\n        }\r\n        if ($EndDate) {\r\n            try {\r\n                $EndDate = $(Get-Date -Date $EndDate).ToUniversalTime()\r\n            }\r\n            catch {\r\n                Write-Host \"[Error] The specified end date is not a valid date.\"\r\n                exit 1\r\n            }\r\n            Write-Host \"[Info] End Date is $(Get-Date -Date $EndDate -Format yyyy-MM-dd-HH-mm)\"\r\n        }\r\n        else {\r\n            Write-Host \"[Info] End Date is null\"\r\n        }\r\n\r\n        # Check if the start date is after the end date\r\n        if ($StartDate -and $EndDate -and $StartDate -gt $EndDate) {\r\n            # Flip the dates if the start date is after the end date\r\n            $OldEndDate = $EndDate\r\n            $OldStartDate = $StartDate\r\n            $EndDate = $OldStartDate\r\n            $StartDate = $OldEndDate\r\n            Write-Host \"[Info] Start Date is after the end date. 
Flipping dates.\"\r\n        }\r\n\r\n        Write-Host \"[Info] Exporting Event Logs...\"\r\n        foreach ($EventLog in $EventLogNames) {\r\n            $EventLogPath = $(Join-Path -Path $BackupDestination -ChildPath \"$EventLog.evtx\")\r\n            try {\r\n                if ($StartDate -and $EndDate) {\r\n                    wevtutil.exe epl \"$EventLog\" \"$EventLogPath\" \/ow:true \/query:\"*[System[TimeCreated[@SystemTime&gt;='$(Get-Date -Date $StartDate -UFormat \"%Y-%m-%dT%H:%M:%S\")' and @SystemTime&lt;='$(Get-Date -Date $EndDate -UFormat \"%Y-%m-%dT%H:%M:%S\")']]]\" 2&gt;$null\r\n                }\r\n                elseif ($StartDate) {\r\n                    wevtutil.exe epl \"$EventLog\" \"$EventLogPath\" \/ow:true \/query:\"*[System[TimeCreated[@SystemTime&gt;='$(Get-Date -Date $StartDate -UFormat \"%Y-%m-%dT%H:%M:%S\")']]]\" 2&gt;$null\r\n                }\r\n                elseif ($EndDate) {\r\n                    wevtutil.exe epl \"$EventLog\" \"$EventLogPath\" \/ow:true \/query:\"*[System[TimeCreated[@SystemTime&lt;='$(Get-Date -Date $EndDate -UFormat \"%Y-%m-%dT%H:%M:%S\")']]]\" 2&gt;$null\r\n                }\r\n                else {\r\n                    wevtutil.exe epl \"$EventLog\" \"$EventLogPath\" \/ow:true \/query:\"*[System[TimeCreated[@SystemTime&gt;='1970-01-01T00:00:00']]]\" 2&gt;$null\r\n                }\r\n                if ($(Test-Path -Path $EventLogPath -ErrorAction SilentlyContinue)) {\r\n                    # Get the number of events in the log\r\n                    $EventCount = $(Get-WinEvent -Path $EventLogPath -ErrorAction SilentlyContinue).Count\r\n                    if ($EventCount -and $EventCount -gt 0) {\r\n                        Write-Host \"[Info] Found $EventCount events from $EventLog\"\r\n                    }\r\n                    else {\r\n                        Write-Host \"[Warn] No events found in $EventLog\"\r\n                        continue\r\n                    }\r\n                    
Write-Host \"[Info] Exported Event Logs to $EventLogPath\"\r\n                }\r\n                else {\r\n                    throw\r\n                }\r\n            }\r\n            catch {\r\n                Write-Host \"[Error] Failed to export event logs $EventLog\"\r\n                continue\r\n            }\r\n        }\r\n\r\n        Write-Host \"[Info] Compressing Event Logs...\"\r\n\r\n        # Get the event log paths that were created\r\n        $JoinedPaths = foreach ($EventLog in $EventLogNames) {\r\n            # Join the Backup Destination and the Event Log Name\r\n            $JoinedPath = Join-Path -Path $BackupDestination -ChildPath \"$EventLog.evtx\" -ErrorAction SilentlyContinue\r\n            if ($(Test-Path -Path $JoinedPath -ErrorAction SilentlyContinue)) {\r\n                # Get the saved event log path\r\n                Get-Item -Path $JoinedPath -ErrorAction SilentlyContinue\r\n            }\r\n        }\r\n        $JoinedPaths = $JoinedPaths | Where-Object { $(Test-Path -Path $_ -ErrorAction SilentlyContinue) }\r\n\r\n        try {\r\n            # Create a destination path to save the compressed file to\r\n            # &lt;Folder&gt;Backup-&lt;EventLogName-EventLogName&gt;-&lt;Date&gt;.zip\r\n            $Destination = Join-Path -Path $($BackupDestination) -ChildPath $(\r\n                @(\r\n                    \"Backup-\",\r\n                    $($EventLogNames -join '-'),\r\n                    \"-\",\r\n                    $(Get-Date -Format yyyy-MM-dd-HH-mm),\r\n                    \".zip\"\r\n                ) -join ''\r\n            )\r\n\r\n            $CompressArchiveSplat = @{\r\n                Path            = $JoinedPaths\r\n                DestinationPath = $Destination\r\n                Update          = $true\r\n            }\r\n\r\n            # # If the destination path already exists, update the archive instead of creating a new one\r\n            # if ($(Test-Path -Path $Destination -ErrorAction 
SilentlyContinue)) {\r\n            #     $CompressArchiveSplat.Add(\"Update\", $true)\r\n            # }\r\n\r\n            # Compress the Event Logs\r\n            $CompressError = $true\r\n            $ErrorCount = 0\r\n            $SecondsToSleep = 1\r\n            $TimeOut = 120\r\n            while ($CompressError) {\r\n                try {\r\n                    $CompressError = $false\r\n                    Compress-Archive @CompressArchiveSplat -ErrorAction Stop\r\n                    break\r\n                }\r\n                catch {\r\n                    $CompressError = $true\r\n                }\r\n\r\n                if ($CompressError) {\r\n                    if ($ErrorCount -gt $TimeOut) {\r\n                        Write-Host \"[Warn] Skipping compression... Timed out.\"\r\n                        # Stop retrying once the timeout is reached; otherwise this loop never ends\r\n                        break\r\n                    }\r\n                    if ($ErrorCount -eq 0) {\r\n                        Write-Host \"[Info] Waiting for wevtutil.exe to close file.\"\r\n                    }\r\n                    Start-Sleep -Seconds $SecondsToSleep\r\n                }\r\n                $ErrorCount++\r\n            }\r\n            if ($CompressError) {\r\n                Write-Host \"[Error] Failed to Compress Event Logs.\"\r\n            }\r\n            else {\r\n                Write-Host \"[Info] Compressed Event Logs to $($Destination)\"\r\n            }\r\n        }\r\n        catch {\r\n            Write-Host \"[Error] Failed to compress event logs.\"\r\n        }\r\n\r\n        if ($(Test-Path -Path $Destination -ErrorAction SilentlyContinue)) {\r\n            Write-Host \"[Info] Removing Temporary Event Logs...\"\r\n            foreach ($EventLogPath in $JoinedPaths) {\r\n                try {\r\n                    Remove-Item -Path $EventLogPath -Force -ErrorAction SilentlyContinue\r\n                    Write-Host \"[Info] Removed Temporary Event Logs: $EventLogPath\"\r\n                }\r\n                catch {}\r\n            }\r\n        }\r\n        else 
{\r\n            Write-Host \"[Info] Renaming Event Logs...\"\r\n            foreach ($EventLogPath in $JoinedPaths) {\r\n                if ($(Test-Path -Path $EventLogPath -ErrorAction SilentlyContinue)) {\r\n                    try {\r\n                        $NewPath = Rename-Item -Path $EventLogPath -NewName \"$($EventLogPath.BaseName)-$(Get-Date -Format yyyy-MM-dd-HH-mm).evtx\" -PassThru -ErrorAction Stop\r\n                        Write-Host \"[Info] Event Logs saved to: $NewPath\"\r\n                    }\r\n                    catch {\r\n                        Write-Host \"[Info] Event Logs saved to: $EventLogPath\"\r\n                    }\r\n                }\r\n                else {\r\n                    Write-Host \"[Info] Event Logs saved to: $EventLogPath\"\r\n                }\r\n            }\r\n        }\r\n    }\r\n    else {\r\n        Write-Host \"[Error] No Event Logs were specified.\"\r\n        exit 1\r\n    }\r\n}\r\nend {\r\n    \r\n    \r\n    \r\n}<\/pre>\n<h2>Detailed description<\/h2>\n<p>The script is structured to achieve the following goals:<\/p>\n<ol>\n<li><strong>Export event logs<\/strong>: extract specific logs (for example, System, Security) based on the input supplied by the administrator.<\/li>\n<li><strong>Date filtering<\/strong>: logs can be filtered by start and end dates.<\/li>\n<li><strong>Compression<\/strong>: save the exported logs as a compressed .zip file to optimize 
storage.<\/li>\n<li><strong>Cleanup<\/strong>: delete the temporary log files after compression.<\/li>\n<\/ol>\n<h2>Key components<\/h2>\n<h3>1. Preliminary checks<\/h3>\n<ul>\n<li><strong>Administrator privileges<\/strong>: the Test-IsElevated function ensures the script is run with elevated permissions.<\/li>\n<li><strong>Input validation<\/strong>: validates the user input for the event logs, the dates, and the backup destination.<\/li>\n<\/ul>\n<h3>2. Exporting logs<\/h3>\n<ul>\n<li>Logs are exported with wevtutil.exe.<\/li>\n<li>Date filtering is done with a TimeCreated query passed to wevtutil.exe, with the bounds formatted by PowerShell's Get-Date cmdlet for precise log extraction.<\/li>\n<li>Produces .evtx files in the specified backup directory.<\/li>\n<\/ul>\n<h3>3. Compression<\/h3>\n<ul>\n<li>The Compress-Archive cmdlet bundles the exported logs into a .zip file.<\/li>\n<li>The compressed file is named dynamically to include the event log names and the current date.<\/li>\n<\/ul>\n<h3>4. Cleanup<\/h3>\n<ul>\n<li>Temporary .evtx files are deleted after a successful compression to save space.<\/li>\n<\/ul>\n<h2>Potential use cases for event log backup<\/h2>\n<h3>Case study: Log management for MSPs<\/h3>\n<p>A managed service provider (MSP) oversees 100 client machines. To meet regulatory requirements, logs must be backed up weekly. 
Using this script:<\/p>\n<ol>\n<li>The MSP schedules the script with Task Scheduler to run every Sunday.<\/li>\n<li>The \"System\" and \"Security\" logs are exported for the week and saved to a central backup repository.<\/li>\n<li>The compressed backups are archived, which frees up storage space while keeping the logs available for audits.<\/li>\n<\/ol>\n<h2>Comparisons<\/h2>\n<h3>Manual method<\/h3>\n<ul>\n<li><strong>Time-consuming<\/strong>: exporting and compressing logs manually takes significant effort.<\/li>\n<li><strong>Error-prone<\/strong>: higher risk of missing logs or creating incomplete backups.<\/li>\n<\/ul>\n<h3>Using third-party tools<\/h3>\n<ul>\n<li><strong>Advantages<\/strong>: tools such as Splunk offer advanced analytics but can be expensive.<\/li>\n<li><strong>Advantages of the script<\/strong>: this PowerShell script is free, customizable, and integrates seamlessly into existing Windows environments.<\/li>\n<\/ul>\n<h2>FAQ<\/h2>\n<h3>Which event logs can this script back up?<\/h3>\n<p>The script supports any log available through wevtutil.exe, such as the System, Security, and Application logs.<\/p>\n<h3>Can I schedule this script?<\/h3>\n<p>Yes, use Task Scheduler to automate the script for regular backups.<\/p>\n<h3>How does date filtering work?<\/h3>\n<p>Specify start and end dates to extract logs from a specific period. 
The script validates the dates and swaps them if necessary.<\/p>\n<h3>What happens if the script encounters an error?<\/h3>\n<p>Errors such as invalid paths or missing logs are reported and handled gracefully to keep the script from halting.<\/p>\n<h2>Implications<\/h2>\n<p>Automating event log backups with this script strengthens IT security by ensuring that logs are archived consistently. It also supports compliance efforts by keeping accessible, timestamped records. In addition, in the event of a <a href=\"https:\/\/www.ninjaone.com\/it-hub\/endpoint-security\/what-is-a-data-breach\/\">breach<\/a> or a system failure, these backups can be essential for analyzing what went wrong.<\/p>\n<h2>Recommendations<\/h2>\n<ul>\n<li><strong>Run as administrator<\/strong>: ensure elevated privileges so that all event logs are accessible.<\/li>\n<li><strong>Schedule regular backups<\/strong>: use Task Scheduler or similar tools to automate periodic backups.<\/li>\n<li><strong>Secure backup locations<\/strong>: store the compressed logs in a safe, preferably encrypted, location to prevent unauthorized access.<\/li>\n<li><strong>Test before deploying<\/strong>: run the script in a test environment to validate its functionality.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Event log management is an integral part of IT operations, and automating this 
process with PowerShell simplifies a typically tedious task. This script not only ensures consistent backups, it also lets you customize and adapt backups to varied environments.<\/p>\n<p>For MSPs and IT professionals looking for comprehensive IT management solutions, <strong>NinjaOne<\/strong> offers tools that complement scripts like this one, helping to streamline IT operations and strengthen security.<\/p>\n","protected":false},"author":35,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"no","_lmt_disable":""},"operating_system":[4212],"use_cases":[4284],"class_list":["post-392408","script_hub","type-script_hub","status-publish","hentry","script_hub_category-windows"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub\/392408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/comments?post=392408"}],"wp:attachment":[{"href":"https:\/\/www.ninjaone.co
m\/fr\/wp-json\/wp\/v2\/media?parent=392408"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/operating_system?post=392408"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/use_cases?post=392408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}