SP 2010/2013/2016: Get Event Logs from all the SharePoint Servers in the Farm for a specific time period

While troubleshooting SharePoint issues, we often need event logs from all the SharePoint servers, or from specific SharePoint servers, for a particular time period. We usually gather that information manually. That is easy as long as the farm has one or two servers, but it becomes a challenge when the farm has several. Gathering the logs manually becomes a very tedious process, and there is a chance of missing logs from a few servers.

To avoid this, I’ve created a simple PowerShell script to gather logs from all the SharePoint servers in the farm (WFE, Application, Search, Distributed Cache, etc.), excluding non-SharePoint servers such as SQL and Exchange.

This script can capture different event logs, such as Application, System and Security.

It can be tweaked to suit your requirements: you can select different fields, specific event IDs, or event/entry types such as Information, Warning and Error.

----------------------------------------------

# Load the SharePoint cmdlets (no error if the snap-in is already loaded)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Start time. Specify it based on your calendar system. It is shown below in "mm/dd/yyyy hh:mm:ss" format. You may want to change it if your time setting is "dd/mm/yyyy hh:mm:ss".
$starttime = "5/15/2016 10:00:00"
# End time. Same format as the start time.
$endtime = "5/15/2016 12:40:00"
# Folder the CSV files are written to (it must already exist)
$logpath = "C:\Scripts"
# Event log to read: Application, Security, System, etc.
$logname = "System"
# Event/entry types: Error, Warning, Information, FailureAudit, SuccessAudit
$EntryType = "Error","Information","FailureAudit","SuccessAudit","Warning"

# Role "Invalid" marks non-SharePoint servers such as SQL and Exchange
$spservers = Get-SPServer | Where-Object { $_.Role -ne "Invalid" }

foreach ($spserver in $spservers)
{
    $filename = $spserver.Name
    # One CSV per server: <server>_<log>.csv, without the "#TYPE" header line
    $csvpath = Join-Path $logpath "${filename}_${logname}.csv"
    Get-EventLog -LogName $logname -After $starttime -Before $endtime -ComputerName $spserver.Name -EntryType $EntryType |
        Select-Object TimeGenerated,Source,EntryType,EventId,Message,UserName |
        Export-Csv -Path $csvpath -NoTypeInformation
}
----------------------------------------------
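
The event-ID tweak mentioned above, as an added example that is not part of the original script: it swaps Get-EventLog for Get-WinEvent so the ID and time filter is applied on each server, and it records a per-server status so that an unreachable server is noticed instead of silently missed. The Security log, the sample IDs 4625 and 4740, and the names $eventIds, $summary and Collection_Summary.csv are assumptions.

```powershell
# Added example. $eventIds, $summary and the output file names are illustrative.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# A [datetime] cast always parses mm/dd/yyyy, whatever the regional setting
$starttime = [datetime]"5/15/2016 10:00:00"
$endtime   = [datetime]"5/15/2016 12:40:00"
$logpath   = "C:\Scripts"
$logname   = "Security"
$eventIds  = 4625, 4740    # sample IDs: failed logon, account lockout

# The filter is evaluated by the remote event log service, not locally
$filter = @{ LogName = $logname; Id = $eventIds; StartTime = $starttime; EndTime = $endtime }

$spservers = Get-SPServer | Where-Object { $_.Role -ne "Invalid" }
$summary = foreach ($spserver in $spservers) {
    $name   = $spserver.Name
    $status = "OK"
    $events = @()
    try {
        $events = @(Get-WinEvent -ComputerName $name -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is not a failure
        if ($_.FullyQualifiedErrorId -like "NoMatchingEventsFound*") {
            $status = "NoMatchingEvents"
        } else {
            $status = "FAILED: " + $_.Exception.Message
        }
    }
    if ($events.Count -gt 0) {
        $events |
            Select-Object MachineName, TimeCreated, ProviderName, LevelDisplayName, Id, Message |
            Export-Csv -Path (Join-Path $logpath "${name}_${logname}.csv") -NoTypeInformation
    }
    # New-Object keeps this usable on the PowerShell 2.0 shell of SharePoint 2010
    New-Object PSObject -Property @{ Server = $name; Events = $events.Count; Status = $status }
}

# One row per server, so a missing CSV can be told apart from an empty result
$summary | Select-Object Server, Events, Status |
    Export-Csv -Path (Join-Path $logpath "Collection_Summary.csv") -NoTypeInformation
$summary | Select-Object Server, Events, Status | Format-Table -AutoSize
```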

Post By: Paresh Gandhi [MSFT]