Export .evtx files using powershell

    • #199802

      Hello all,

      I am able to query and filter Windows events using Get-EventLog, but as of now I am only able to export the events into a CSV file.

      Is there any way to export them into .evtx files via PowerShell?

       

      thanks!

      -gariki

    • #199865

      There are no cmdlets to do that. But Windows has a built-in utility to do it: wevtutil.exe.

      Usage: wevtutil { epl | export-log } <PATH> <TARGETFILE>

      For example:

      wevtutil epl System C:\backup\system0506.evtx

    • #199898

      Thanks for that confirmation Sean.

      OK, on to learning more about wevtutil. I have been playing with it early this morning and this is what I have so far. Trying to filter events caused by a particular provider (VSS in this case). The evtx file gets created but is empty. Something is probably wrong with my query. Any clues?

      wevtutil.exe epl System C:\temp\VSSLog.evtx /q:"*[System[Provider[@Name='VSS']]] " /ow:true

       

    • #199994

      You can use the System.Diagnostics.Eventing.Reader .NET classes:

      $EventSession = New-Object System.Diagnostics.Eventing.Reader.EventLogSession 
      $EventSession.ExportLog('System','LogName',"*[System[EventID = 1]]",'export.evtx')
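
An added example, not code from any poster in this thread: one way to combine the replies above, checking that the XPath query matches something in the chosen log before calling ExportLog, then reading the exported file back and hashing it. The function name `Export-FilteredEventLog` and its parameters are hypothetical.

```powershell
# Added example; the function name and parameter names are hypothetical.
function Export-FilteredEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $XPath,
        [Parameter(Mandatory)] [string] $Destination,
        [switch] $Overwrite
    )

    # .NET resolves relative paths against the process working directory,
    # not the current PowerShell location, so make the target absolute first.
    $target = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)

    # Run the same XPath against the live log. No hit means the export would
    # contain no events (wrong log, wrong provider name, or a bad query).
    $hit = Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $hit) {
        throw "No events in '$LogName' match: $XPath"
    }

    # Clear a previous export so the call does not fail on an existing file.
    if (Test-Path -LiteralPath $target) {
        if (-not $Overwrite) { throw "Target already exists: $target" }
        Remove-Item -LiteralPath $target
    }

    $session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
    $session.ExportLog($LogName,
        [System.Diagnostics.Eventing.Reader.PathType]::LogName, $XPath, $target)

    # Read the file back and hash it so the export can be verified later.
    $count = @(Get-WinEvent -Path $target).Count
    [pscustomobject]@{
        Path   = $target
        Events = $count
        SHA256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    }
}

# Usage with the query from the last reply; pick the log and filter you need.
Export-FilteredEventLog -LogName System -XPath "*[System[EventID=1]]" -Destination .\export.evtx -Overwrite
```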

       
