×

Exporting Windows Event Logs Using PowerShell: A Step-by-Step Guide

2024/12/09

For those with admin rights, Windows provides two powerful commands to export Windows Event Logs through PowerShell. This task can be performed effortlessly in various ways by utilizing the Get-WinEvent or Get-EventLog cmdlets, depending on the Windows version you are using.

Exporting Windows Event Logs via PowerShell

Below are the three commands to retrieve event logs using PowerShell:

  • Utilizing Get-WinEvent
  • UtilizingGet-EventLog
  • Utilizing wevtutil for Raw EVTX Logs

These commands can be executed in either PowerShell or Windows Terminal.

1] Using Get-WinEvent

To export the System log directly into a. csv file, you can use the following command:

Get-WinEvent -LogName System | Export-Csv -Path "C:\Log\SystemLog.csv"-NoTypeInformation

In this case, LogName System refers to the logs generated for the system, exporting them in CSV format.

If you are looking to capture logs from the past 24 hours in. csv format, you can run:

Get-WinEvent -LogName Application -StartTime (Get-Date).AddDays(-1) | Export-Csv -Path "C:\Logs\ApplicationLastDay.csv"-NoTypeInformation

2] Using Get-EventLog

To export the Application log directly to a text file, use the following command:

Get-EventLog -LogName Application | Out-File -FilePath "C:\Log\ApplicationLog.txt"

Here, LogName Application signifies the logs created for applications, with the output stored as a plain text file.

3] Using wevtutil for Raw EVTX Logs

EVTX files represent Windows Event Log files formatted in the proprietary. evtx style utilized by the Windows Event Log service. These files function as a repository for logging various events such as system errors, application issues, and security audits generated by both the operating system and installed applications.

wevtutil epl Security "C:\Logs\SecurityLog.evtx"

The epl here denotes Export Log, and this command outputs logs in their original EVTX format. One of the advantages of creating an EVTX file is its immediate accessibility in the event viewer.

Hope this information proves beneficial.

How to Access EVTX Files?

Various tools enable you to open and analyze EVTX files; however, the most prevalent method is through the Event Viewer, a built-in application in Windows that facilitates the viewing and interpretation of event logs. To launch it, press Win + R, type eventvwr, and select the “Open Saved Log” function to load external EVTX files.

Is it Possible to Convert EVTX Files to CSV?

Yes, EVTX files can be transformed into more manageable formats such as CSV or plain text for simplified analysis. You can utilize the Get-WinEvent cmdlet in PowerShell to extract particular event data and export it into a CSV file, or you could use tools like Evtx2Json or Log Parser.

Get-WinEvent -LogName Application | Export-Csv -Path "C:\Logs\ApplicationLog.csv"-NoTypeInformation

Author: Egor Kostenko

My goal is to make complex technical topics simple and accessible. On this site, I gather unique and useful content that not only solves users’ problems but also helps them better understand the capabilities of Windows.

Leave a Reply

Your email address will not be published. Required fields are marked *