|
|
|
How to export Windows events stored in .evtx file to csv file from command line
|
FullEventLogView is a utility for Windows that allows you to view and export the events from the event log of Windows. You can extract the events from your local machine, remote computer, and external .evtx files.
The events of Windows event log are stored in .evtx files, and you can usually find them in C:\windows\system32\winevt\Logs .
You can extract the events using FullEventLogView from .evtx files stored in your local system (As long as they are not locked and you have read permission)
and from .evtx files stored on external drive.
Here's some command-line examples to show you how to export Windows events stored in .evtx files to to csv file (Comma-Delimited file), using the FullEventLogView tool:
- Export all events stored in K:\windows\system32\winevt\Logs (external disk) to events_list.csv .The '/DataSource 3' requests to load events from a folder with .evtx files, and '/TimeFilter 0' requests to load without time filter.
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "K:\windows\system32\winevt\Logs" /LogFolderWildcard "*"
- Export all events in the specified time range (01.01.2019 - 31.01.2019) stored in C:\Shared\Logs to csv file. The /TimeFilter 2 command requests to load only events in the time range specified in /FromTime and /ToTime. The time range must be in 'dd-mm-yyyy hh:mm:ss' format.
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /TimeFilter 2 /FromTime "01-01-2019 00:00:00" /ToTime "31-01-2019 00:00:00"
- Export only events of Microsoft-Windows .evtx files: (The /LogFolderWildcard specifies the wildcard of the .evtx files you want to load)
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "F:\windows\system32\winevt\Logs" /LogFolderWildcard "Microsoft-Windows*.evtx"
- Export to .csv file only the events of a single .evtx file (Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx)
FullEventLogView.exe /scomma "c:\temp\wlan_events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "F:\windows\system32\winevt\Logs" /LogFolderWildcard "Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx"
- Export to .csv file all events stored in archive .evtx files on local system. The /RunAsAdmin command requests elevation in order to read the .evtx files on local system.
FullEventLogView.exe /RunAsAdmin /scomma "c:\temp\archive_events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\windows\system32\winevt\Logs" /LogFolderWildcard "archive*.evtx"
- If you have a lot of events to export inside .evtx files, it's recommended to use the /SaveDirect command, so the events will be saved directly to the file without loading them into the memory first:
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "K:\windows\system32\winevt\Logs" /LogFolderWildcard "*" /SaveDirect
- Export to a file only the critical events stored inside .evtx files
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /ShowWarning 0 /ShowInformation 0 /ShowUndefined 0 /ShowVerbose 0 /ShowError 0 /ShowCritical 1
- Export all events stored in .evtx files, except of the events with the specified Event IDs (7000,7036,3005,4001,4002). '/EventIDFilter 3' means - don't load the events with the Event IDs specified in /EventIDFilterStr
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /EventIDFilter 3 /EventIDFilterStr "7000,7036,3005,4001,4002"
- Export all events stored in .evtx files, and sort the list by Channel and then by Event Time (Secondary sort). Be aware that the /sort command doesn't work when /SaveDirect command is used.
FullEventLogView.exe /Sort "Channel" /Sort "Event Time" /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*"
You can open the .csv files created by the FullEventLogView tool in Excel.
Be aware that the FullEventLogView tool works on Windows Vista or later, including Windows 10. Windows XP is not supported.
|
|
|