Convert saved evtx files to text

wevtutilwindows-event-logwindows-server-2008-r2

I'm looking to export a large quantity of saved Security log files (.evtx) to text or CSV format. I found wevtutil but that only seems to be able to convert .evt to .evtx when dealing with saved log files:

wevtutil epl c:\logs\seclog.evtx c:\logs\seclog.txt /lf:true

The file is created as seclog.txt but it is in .evtx format.

Is it possible to convert to text or is there another way to convert the files to text as quickly? I tried with Powershell but it takes too long.

Edit: I've looked into Log Parser and it seems quick as well but it doesn't export the description field correctly:

The description for Event ID xxx in Source "Microsoft-Windows-xxxx" cannot be found. The local computer may not have the...

Best Answer

In the end I went with Log Parser to convert to CSV and then [System.IO.File]::ReadLines($filename) to search through the text. An 800MB .evtx file can be converted in about 2 min 30 sec and then reading through the file takes about 2 mins. Possibly it could be quicker exporting to XML or into a database but it will do for me with the amount of time I had to spend.

$logparser = "c:\program files (x86)\Log Parser 2.2\logparser.exe"
$query = "SELECT * INTO c:\logs\logs.csv FROM c:\logs\logs.evtx"

& $logparser -i:evt -o:csv $query

Related Solutions

Windows – Turn Windows Event Logs EVT files into Syslog to send to LogLogic

Found Log Parser 2.2 from Windows which will convert to text.

Powershell – Parse wevtutil XML into a database

I'm doing exactly this in a script by way of PowerShell. The whole upload-to-database script is about 18K so I'm not going to repost the entire thing here (though I have the generic ideas here). Handling the XML is pretty simple.

The command to get the event data is what you already know.

wevtutil qe Security /r:$DC /q:"*[System[((EventID=$LogonID or EventID=$FLogonID or EventID=$LogoffID or EventID=$LockoutID) and TimeCreated[@SystemTime > '$LUFilterString'] and TimeCreated[@SystemTime < '$NowFilterString'] )]] " > $DC-events.xml

The variables in that should be clear. I'm tracking login, logout, and lockout events. Generating the "NowFilterString" in the funny format wevtutil requires:

$Now=get-date
$Msec=$now.Millisecond
$NowFilterString=$Now.AddSeconds(-1).AddMilliseconds(-$Msec).ToUniversalTime().ToString("O")

I'm truncating the milliseconds down to zero to better handle edge cases.

So now you have an XML file. Now what? To parse that XML file:

get-content ".\$DC-events.xml" | foreach {
    $Event=[xml]$_
    $DateTime=[datetime]$Event.event.System.TimeCreated.GetAttribute("SystemTime")
    codecodecodecode
}

Accessing individual elements is done by:

foreach ($Data in $Event.event.EventData.get_childNodes()) {
            if ($Data.Name -eq "TargetUserName") { $User=$Data."#text"}
            elseif ($Data.Name -eq "IpAddress") {$IP=$Data."#text"}
        }

Or another example

foreach ($Data in $Event.event.EventData.get_childNodes()) {
    if ($Data.Name -eq "TargetUserName") {$User=$Data."#text"}
       elseif ($Data.Name -eq "WorkstationName") {$MachineName=$Data."#text"}
       elseif ($Data.Name -eq "IpAddress") {$IP=$Data."#text"}
       # Ensure only failed logins to the right domain are processed:
       elseif ($Data.Name -eq "TargetDomainName") {$Domain=$Data."#text"}
    }

I hope this helps you figure out XML parsing. Since this is PowerShell, most of these are readily convertible to standard .NET calls.

Best Answer

Related Solutions

Windows – Turn Windows Event Logs EVT files into Syslog to send to LogLogic

Powershell – Parse wevtutil XML into a database

Related Topic