Hello all,
I am able to query and filter Windows events using Get-EventLog, but as of now I am only able to export the events into a CSV file.
Is there any way to export them into .evtx files via PowerShell?
thanks!
-gariki
There are no cmdlets to do that. But Windows has a built-in utility to do it: wevtutil.exe.
Usage: wevtutil { epl | export-log } <PATH> <TARGETFILE>
For example:
wevtutil epl System C:\backup\system0506.evtx
Thanks for that confirmation Sean.
OK, onto learning more about wevtutil. I have been playing with it early this morning and this is what I have so far. I am trying to filter events caused by a particular provider (VSS in this case). The evtx file gets created but is empty. Something is probably wrong with my query. Any clues?
wevtutil.exe epl System C:\temp\VSSLog.evtx /q:"*[System[Provider[@Name='VSS']]] " /ow:true
You can use the System.Diagnostics.Eventing.Reader .NET classes:
$EventSession = New-Object System.Diagnostics.Eventing.Reader.EventLogSession
$EventSession.ExportLog('System','LogName',"*[System[EventID = 1]]",'export.evtx')
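The following is an added example, not code from any poster in this thread. It wraps the ExportLog call in a check for the empty-export case described in the question: it counts matches in the chosen log before exporting, then reads the .evtx back and hashes it. The function name Export-FilteredEventLog and the target path are hypothetical.

```powershell
# Added example; Export-FilteredEventLog and the target path are hypothetical names.
function Export-FilteredEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $XPath,
        [Parameter(Mandatory)] [string] $TargetFile,   # use an absolute path
        [switch] $Overwrite
    )

    # Count matches first: a query that matches nothing in this log
    # would otherwise just leave an empty .evtx behind.
    $matched = @(Get-WinEvent -LogName $LogName -FilterXPath $XPath -ErrorAction SilentlyContinue).Count
    if ($matched -eq 0) {
        Write-Warning "No events in '$LogName' match: $XPath"
        return
    }

    # ExportLog has no overwrite switch like wevtutil's /ow, so handle it here.
    if (Test-Path -LiteralPath $TargetFile) {
        if (-not $Overwrite) { throw "Target exists: $TargetFile (use -Overwrite)" }
        Remove-Item -LiteralPath $TargetFile -Force
    }

    $session = New-Object System.Diagnostics.Eventing.Reader.EventLogSession
    try {
        $pathType = [System.Diagnostics.Eventing.Reader.PathType]::LogName
        $session.ExportLog($LogName, $pathType, $XPath, $TargetFile)
    }
    finally {
        $session.Dispose()
    }

    # Read the export back and hash it so the file can be verified later.
    # Exported may exceed Matched if new events arrived between the two steps.
    $exported = @(Get-WinEvent -Path $TargetFile -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{
        LogName  = $LogName
        Matched  = $matched
        Exported = $exported
        Sha256   = (Get-FileHash -LiteralPath $TargetFile -Algorithm SHA256).Hash
        File     = $TargetFile
    }
}

# Same query shape as the answer above (Event ID 1 in the System log).
Export-FilteredEventLog -LogName System -XPath '*[System[EventID=1]]' -TargetFile 'C:\temp\System-Id1.evtx' -Overwrite
```

A warning from the pre-check means the filter and the log name do not line up, so confirm which log the provider actually writes to before changing the XPath.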