Converting csv to evtx

This topic contains 3 replies, has 2 voices, and was last updated by  Kirill 2 weeks, 1 day ago.

  • Author
    Posts
  • #80536

    Kirill
    Participant

    Hi guys,

    I'm a newbie on your forum, tho I tried to use search to find an answer I had no luck with it...
    My question basically is:
    Is there a way to convert csv exported events back to evtx with powershell?
    Is it possible at all?
    There are numerous ways to export events to csv or to convert evtx to csv, but I'm struggling to find a way to do it other way around.
    Any tips would be appreciated 🙂

    P.S. i'm just learning PowerShell so it would be really generous from your side to provide tips on how to realize this, insted of providing the solution itself 🙂

  • #81106

    Kirill
    Participant

    Any suggestions? 🙂

  • #81109

    Simon B
    Participant

    What are you trying to achieve? Do you want the contents of the csv file imported into the events log ? If you you may have some luck with the Write-Eventlog command
    This is an untested idea but you could get the contents of your CSV file into a variable and pass this to the Write-Eventlog

    See https://blogs.technet.microsoft.com/heyscriptingguy/2013/02/01/use-powershell-to-create-and-to-use-a-new-event-log/

    • #81176

      Kirill
      Participant

      Simon, thanks for your reply.

      I apologize for bad description...
      Idea is that I receive exported events (for example System events) in csv format from some DR location.
      Once I receive this csv file, it's not really convenient for me to look through it, so I would like to find a way to transform this csv back to evtx format. So I could just open it in eventviewer.

      Write-EventLog cmdlet unfortunately won't give this opportunity (though I wrote a small script to get some data from csv).
      Mentioned cmdlet couldn't import event time (assigned on the fly, as I see).
      Also, it won't allow me to use idfferent sources (if I specify source "Exchange" it won't allow to import event with MSSQL$2016 source).
      And last, but not least it can't import all EntryTypes correctly (as in csv there is entrytype "critical" and powershell errors out on this: Write-EventLog : Cannot bind parameter 'EntryType'. Cannot convert value "Critical" to type "System.Diagnostics.EventLogEntryType". Error: "Unable to match the identifie
      r name Critical to a valid enumerator name. Specify one of the following enumerator names and try again:
      Error, Warning, Information, SuccessAudit, FailureAudit")

      I'm pretty sure that last error can be workarounded with an if statement 🙂
      But my main concern here is that I lose all timestaps and they are really important in this case.
      I hope this clarifies what I want to achieve. And I'm pretty sure that there should be a way to do it 🙂

You must be logged in to reply to this topic.