Filter .evtx file


This topic contains 5 replies, has 3 voices, and was last updated by a Participant 3 months ago.

  • #158027 (Participant, Rank: Member)

    Hi all, I'm trying to export some events from a .evtx file. I tried to use WEVTUTIL, but this tool reads directly from the system Event Viewer. I believe Get-WinEvent and Get-EventLog can't export to the .evtx file format.

    In other words my input and my output must be a .evtx file.

    Thanks.

  • #158048 (Participant, Rank: Contributor)

    Hi,

    Try this way:

    https://itluke.online/2018/10/31/how-to-backup-export-an-event-log-to-an-evtx-file-with-powershell/

    You can even make your own event log and export that with only the lines you need.

  • #158054 (Participant, Rank: Member)

    Hi Bart, I've visited the link. I think Get-WmiObject can't read from an evtx file. In my case I have an archive of evtx files, and sometimes we need to search for some information in these files. I need to open an evtx file, search for some events and export this data to another evtx file. Other cmdlets can do this, but none can export the results to the evtx file format; these cmdlets can export to CSV or TXT, but if you try to load such a file (CSV or TXT) in the Event Viewer software it fails.

    Thanks.

  • #158063 (Participant, Rank: Contributor)

    No, it cannot read from an evtx file, but you can import those on a machine and read them from there.

    Get the events needed, use the new-event.... command to write them to your own event log, and export that one with only your events.

  • #158112 js (Participant, Rank: Community Hero)

    Read from evtx:

    Get-WinEvent -Path 'C:\Test\Windows PowerShell.evtx'

    Maybe you can load the evtx into the system, and then save it with WMI?

  • #158219 (Participant, Rank: Member)

    Quoting #158063: "No, it cannot read from an evtx file, but you can import those on a machine and read them from there. Get the events needed, use the new-event.... command to write them to your own event log, and export that one with only your events."

    I've tried to create a new temporary event log with the "New-EventLog" cmdlet and later use "Write-EventLog" to load the events, but this cmdlet doesn't let you load all the info. For example, you can't load the source date of the event.
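An added worked example (not code from anyone in this thread): the original post needs evtx in and evtx out with the events unchanged, and the Write-EventLog detour fails because a re-written record gets a new timestamp. The approach below reads the archived file directly with Get-WinEvent to check the filter, then lets wevtutil export-log (epl) write the matching records to a new .evtx; its /lf:true switch makes it treat the first argument as a log file on disk rather than a live channel, and /q: applies the same XPath query that Event Viewer's XML filter tab uses. The input path, output path and event IDs are placeholders assumed for illustration.

```powershell
# Added example, not from the thread. Filter an archived .evtx into a new .evtx
# while keeping the original records (TimeCreated, provider, full XML payload).
# Assumed placeholders: the two paths and the event IDs below.

$InputLog  = 'C:\Archive\Security.evtx'            # assumed: archived log to search
$OutputLog = 'C:\Archive\Security-logons.evtx'     # assumed: filtered result
$EventIds  = 4624, 4625                            # assumed: logon success / failure

# Build an XPath filter of the form Event Viewer uses, e.g.
# *[System[(EventID=4624 or EventID=4625)]]
$idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$XPath    = "*[System[($idClause)]]"

# 1. Dry run: Get-WinEvent reads the .evtx file directly, no import needed.
#    -ErrorAction SilentlyContinue because Get-WinEvent raises an error,
#    not an empty result, when nothing matches.
$hits = Get-WinEvent -Path $InputLog -FilterXPath $XPath -ErrorAction SilentlyContinue
'{0} matching event(s) in {1}' -f @($hits).Count, $InputLog
$hits | Select-Object TimeCreated, Id, ProviderName, MachineName -First 5 |
    Format-Table -AutoSize

# 2. Export the filtered subset to a new .evtx. /lf:true = first argument is a
#    log file path; /q: = XPath query; /ow:true = overwrite an existing output.
#    Passing "/q:$XPath" as one string keeps the spaces inside the query intact.
wevtutil.exe export-log $InputLog $OutputLog /lf:true "/q:$XPath" /ow:true

# 3. Verify: the output is an ordinary .evtx (Event Viewer opens it via
#    Action > Open Saved Log) and the original timestamps are preserved.
$exported = Get-WinEvent -Path $OutputLog -ErrorAction SilentlyContinue
'{0} event(s) written to {1}' -f @($exported).Count, $OutputLog
if (@($exported).Count -ne @($hits).Count) {
    Write-Warning 'Exported count differs from the dry run; check the query quoting.'
}
```

Because wevtutil copies records rather than re-emitting them, the exported file is suitable for handing to someone else for analysis: what they see is the original record, not a reconstruction. If the filter needs more than event IDs, any XPath accepted by Event Viewer's "XML" filter tab (provider name, TimeCreated ranges, EventData fields) can be dropped into $XPath unchanged, and Get-WinEvent's -FilterHashtable with a Path key is an alternative for the dry run when you prefer hashtable syntax.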

The topic ‘Filter .evtx file’ is closed to new replies.