Filter .evtx file

Hi all, I’m trying to export some events from a .evtx file. I tried to use WEVTUTIL but this tool reads directly from the system event viewer. I believe Get-WinEvent and Get-EventLog can’t export to the .evtx file format.

In other words my input and my output must be a .evtx file.

Thanks.

Hi,


Try this way :

https://itluke.online/2018/10/31/how-to-backup-export-an-event-log-to-an-evtx-file-with-powershell/


You can even make your own event log and export that with only the lines you need.

Hi Bart, I’ve visited the link. I think Get-WmiObject can’t read from an evtx file. In my case I have an archive of evtx files, and sometimes we need to search for some information in these files. I need to open an evtx file, search for some events and export this data to another evtx file. Other cmdlets can do this, but none can export the results to an evtx format file; these cmdlets can export to CSV or TXT, but if you try to load such a file (CSV or TXT) in the Event Viewer software it fails.

Thanks.

No, I cannot read from an evtx file, but you can import those into a machine and read them from there.

Get the events you need, use the new-event… command to write them to your own event log, and export that one with only your events.

Read from evtx:

Get-WinEvent -Path 'C:\Test\Windows PowerShell.evtx'

Maybe you can load the evtx into the system, and then save it with wmi?

No, I cannot read from an evtx file, but you can import those into a machine and read them from there.
Get the events you need, use the new-event.... command to write them to your own event log, and export that one with only your events.
I've tried to create a new temporary event log with the "New-EventLog" cmdlet, and later use "Write-EventLog" to load events, but this cmdlet doesn't let you load all the info. For example, you can't load the original date of the event.
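The workflow Bart describes (read the archive with Get-WinEvent, stage the matches in a custom log, back that log up through WMI as in the linked article), as an added example that is not code from the thread or the article; the archive and output paths, the staging log name/source and the event IDs are assumptions. Because Write-EventLog stamps a new TimeCreated, the original timestamp, record id and provider are carried inside the message text so they survive the export.

```powershell
# Added example, not from the thread. All paths, names and IDs below are assumptions.
$ArchivePath = 'C:\Archive\Security-2023-01.evtx'   # assumed archived .evtx to search
$OutputPath  = 'C:\Export\Filtered.evtx'             # assumed .evtx to produce
$StagingLog  = 'EvtxFilterStaging'                   # assumed custom log name
$StagingSrc  = 'EvtxFilter'                          # assumed event source name
$WantedIds   = 4624, 4625                            # assumed IDs (logon success/failure)

# 1. Search the archived file directly (Path and Id are standard FilterHashtable keys).
$events = Get-WinEvent -FilterHashtable @{ Path = $ArchivePath; Id = $WantedIds } `
                       -ErrorAction SilentlyContinue
if (-not $events) { throw "No matching events in $ArchivePath" }

# 2. Stage the matches in a custom log (requires an elevated session).
if (-not [System.Diagnostics.EventLog]::SourceExists($StagingSrc)) {
    New-EventLog -LogName $StagingLog -Source $StagingSrc
}
foreach ($e in $events) {
    # Write-EventLog assigns its own TimeCreated, so keep the original metadata in the body.
    $msg = "OriginalTime={0:o}; RecordId={1}; Provider={2}`r`n{3}" -f `
           $e.TimeCreated, $e.RecordId, $e.ProviderName, $e.Message
    Write-EventLog -LogName $StagingLog -Source $StagingSrc -EventId $e.Id `
                   -EntryType Information -Message $msg
}

# 3. Export the staging log to .evtx via Win32_NTEventLogFile.BackupEventLog (WMI).
$log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='$StagingLog'"
if (-not $log) { throw "Log '$StagingLog' not found via WMI" }
$result = $log.BackupEventLog($OutputPath)
if ($result.ReturnValue -ne 0) { throw "BackupEventLog failed, return code $($result.ReturnValue)" }

# 4. Confirm the exported file opens with the standard cmdlet (and therefore in Event Viewer).
Get-WinEvent -Path $OutputPath -MaxEvents 5 | Format-Table TimeCreated, Id, Message -AutoSize
```

BackupEventLog needs the backup privilege, so run the script from an elevated PowerShell session; clear the staging log (Clear-EventLog) between runs so earlier matches are not exported again.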