How to read and parse a Windows Event Log File (EVT and EVTX)

by tpb1975 at 2012-11-17 06:33:57

Sorry I’m a real newbie, with only one basic PowerShell script under my belt.

I get sent a lot of Windows Event logs as EVT or EVTX files for review. Currently I’m importing them into the Windows Event Viewer to read. I’d like to parse them for certain data (e.g. group by month, event ID, type (e.g. error)) to see if errors are starting to creep into the logs before the fault.

I thought this would be a 10 minute job playing with Get-EventLogs, and passing it through Group and Sort.

However I’ve found it’s not that simple. Get-EventLogs seems to only query the core Windows Event logs and can’t be pointed at a file.

I’ve played around with wevtutil, but the format of the output it produces is not a quick and easy import.

If exported to XML (wevtutil -qe <path>\application.evtx /lf:true -f:xml > output.xml), this produces an XML file that has a new root element for every log entry, so it won’t import into PowerShell as a quick [xml]$a = get-contents <filename>. In addition, the description fields are in a binary format. I can parse the multiple root elements out, but it still seems messy.

If I export to text, I get a consistent output, and I could write a loop to read through it and build an array/object to sort and query later. Again, it seems messy for what I suspect is a trivial task. Also, it takes wevtutil a good while to perform a convert from EVT to text.

Are there any better routes?

by DonJ at 2012-11-17 06:42:10

Nope. One big reason people spend money on third-party tools that deal with those log files - they’re ugly.

by tpb1975 at 2012-11-17 07:05:05

In my days as a Sys Admin I used to use GFI EventLog Manager to pull in event logs from workstations and servers. It came with a good set of rules which could easily be built up. I’m currently working as a 3rd liner for a software company, so I’m getting in other people’s Event Logs. Really I need to find a better way to handle quickly reviewing Event Logs.

by MattG at 2012-11-17 14:02:23

Get-WinEvent will read .evt, .evtx, and .etl files. For example, run this from an elevated PowerShell session to read the PowerShell event log:

    Get-WinEvent -Path 'C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx'

by tpb1975 at 2012-11-17 14:37:33

Absolutely brilliant, it’s PowerShell, there had to be a simple way.
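
Building on the Get-WinEvent answer above, the following added example (not part of the original thread) summarises a folder of received .evt/.evtx files by month, event ID and level, which is the grouping asked for in the first post. The folder path and the function name Get-OfflineEventSummary are hypothetical.

```powershell
# Hypothetical folder holding the .evt/.evtx files received for review.
$LogFolder = 'C:\Cases\Logs'

# Hypothetical helper: counts events per file, month, provider, event ID and level.
function Get-OfflineEventSummary {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [int[]]$Level = @(1, 2, 3)   # 1 = Critical, 2 = Error, 3 = Warning
    )
    foreach ($file in $Path) {
        # -Oldest is required for .evt and .etl files and also works for .evtx;
        # it returns events in chronological order.
        Get-WinEvent -Path $file -Oldest |
            Where-Object { $Level -contains $_.Level } |
            Group-Object { $_.TimeCreated.ToString('yyyy-MM') }, Id, Level, ProviderName |
            ForEach-Object {
                # Every event in a group shares these values, so read them from the first.
                $first = $_.Group[0]
                [pscustomobject]@{
                    File     = Split-Path $file -Leaf
                    Month    = $first.TimeCreated.ToString('yyyy-MM')
                    EventId  = $first.Id
                    Level    = $first.Level
                    Provider = $first.ProviderName
                    Count    = $_.Count
                }
            }
    }
}

# Collect the saved log files and print one row per month/event/level combination,
# ordered so that a rising count for the same event is easy to spot.
$files = Get-ChildItem -Path $LogFolder -File |
    Where-Object { $_.Extension -in '.evt', '.evtx' } |
    Select-Object -ExpandProperty FullName

Get-OfflineEventSummary -Path $files |
    Sort-Object File, Provider, EventId, Month |
    Format-Table -AutoSize
```

Grouping uses the numeric Id and Level because rendered text such as Message or LevelDisplayName can come back empty when the log's event provider is not installed on the machine doing the analysis.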