2

How can I simply export or back up a custom view from the Event Viewer? I do not want to export the regular event logs, such as System, Application, Security, etc., but I want to automatically export my own whole custom view log with event IDs.

user3603657
  • 73
  • 2
  • 7

1 Answer

0

Open up the Custom View properties, select Edit Filter and then switch to the XML tab and copy the filter.


You can now use the filter with PowerShell, like this:

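```powershell
# Filter XML copied from the custom view's "Edit Filter" > XML tab
[xml]$CustomView = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=2 or Level=3) and ( (EventID &gt;= 1000 and EventID &lt;= 2000) )]]</Select>
  </Query>
</QueryList>
"@

# Query the matching events and write them as CSV to a date-stamped file
# (lowercase "dd" is the day of the month; "DD" is not a date format specifier)
Get-WinEvent -FilterXML $CustomView | Export-CSV "C:\LogFiles\CustomView_$(Get-Date -format "yyyy-MM-dd").log"
```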

Set up a scheduled task to run a script like the above every week.

Mathias R. Jessen
  • 25,161
  • 4
  • 63
  • 95
  • And how can I put this in a scheduled task in the Task Scheduler? I want this custom view every week on Friday in a *.evtx file if possible. Should I run a script or something with the Task Scheduler? – user3603657 May 05 '14 at 10:37
  • I've put this in a .ps1 file and ran it with PowerShell but nothing happens. The PowerShell appears, but disappears within 1 second and nothing happens after that. No folder is created on C:\ or such. How to fix it? – user3603657 May 05 '14 at 11:47
  • If you used my exact query you probably won't get any results. Run the script from within an existing PowerShell session to see any errors it might produce – Mathias R. Jessen May 05 '14 at 11:51
  • I still get errors but it's disappearing so quickly, I can't even read it. Within 1 second it's gone. Can you test your script for errors perhaps? – user3603657 May 06 '14 at 10:04
  • I've managed to get it working but now it's saving as a .log file. Isn't there a way to save it as a .xml or csv to open in an Excel sheet? How to make it human readable?? Can I save it as .evtx to open in the Event Viewer? – user3603657 May 06 '14 at 13:07
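
The follow-up comments ask for a weekly Friday export to `.evtx`. The script below is an added example, not part of the original answer or comments: it saves the custom view's filter XML to a file, exports the matching events with `wevtutil epl ... /sq:true` (which reads a structured query file), and registers a weekly task. The paths `C:\Scripts` and `C:\LogFiles`, the task name and the 18:00 start time are assumptions, as is an execution policy that allows local scripts; run it once from an elevated PowerShell session.

```powershell
# Added example (not from the original answer). All paths and names are assumed.
$OutDir    = 'C:\LogFiles'
$QueryFile = 'C:\Scripts\CustomView.xml'
$Script    = 'C:\Scripts\Export-CustomView.ps1'

New-Item -ItemType Directory -Path $OutDir, (Split-Path $QueryFile) -Force | Out-Null

# 1. Save the filter copied from the custom view's XML tab (same query as the answer).
@'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=2 or Level=3) and ( (EventID &gt;= 1000 and EventID &lt;= 2000) )]]</Select>
  </Query>
</QueryList>
'@ | Set-Content -Path $QueryFile -Encoding UTF8

# 2. Write the export script that the scheduled task will run.
#    Single-quoted here-string: variables are expanded when the task runs, not now.
@'
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$target = "C:\LogFiles\CustomView_$stamp.evtx"

# /sq:true = first argument is a structured query file; /ow:true = overwrite target
wevtutil.exe epl 'C:\Scripts\CustomView.xml' $target /sq:true /ow:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

# Optional CSV copy for Excel; skipped quietly when the export holds no events.
$events = Get-WinEvent -Path $target -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
        Export-Csv ($target -replace '\.evtx$', '.csv') -NoTypeInformation
}
'@ | Set-Content -Path $Script -Encoding UTF8

# 3. Register the weekly task (Fridays at 18:00, running as SYSTEM).
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -NonInteractive -File `"$Script`""
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At '18:00'
Register-ScheduledTask -TaskName 'Export custom event view' `
    -Action $action -Trigger $trigger -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest
```

The `.evtx` file opens in Event Viewer via "Open Saved Log". Exported logs can contain sensitive data, so restrict the ACL on the output folder to the accounts that need to read it.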