This is my PowerShell script to export data from a Custom View in the Event Viewer via the XML data.

set-executionpolicy unrestricted

[xml]$CustomView = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="Security">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="Setup">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="System">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="ForwardedEvents">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>

    <!-- A lot of rules etc... I excluded a couple because it was limited to 300000 characters. -->

  </Query>
</QueryList>
"@

Get-WinEvent -FilterXML $CustomView | Export-CSV "C:\LogFiles\ServiceTool_Log_$(Get-Date -format "yyyy-MM-dd").log"

How can I export my log as an .evtx or a .csv to make it human readable?

user3603657

1 Answer

You are already using the Export-CSV cmdlet in the right way; you simply need to change your extension to a .txt. PowerShell will export it for you in a human-readable format. It should look like this:

Export-CSV "C:\LogFiles\ServiceTool_Log_$(Get-Date -format "yyyy-MM-dd").txt"

I'm not sure about the .evtx side of things, but doing the Export-CSV to a .txt will always produce a line by line replica of the data you're extracting.

I have referenced this before when trying to get custom data to a CSV/Excel spreadsheet too.

This reference provides a way to export a whole log using the wevtutil command. You will have to check if it works on your custom view or not.

Brad Bouchard
  • If exported to .csv it's still hard to read. Is there a possibility to convert it to a table or something? Or to an evtx file to open it in the Event Viewer? – user3603657 May 07 '14 at 10:18
  • I'm not sure of a way to convert it to a table, and I haven't tried saving to EVTX. I do know, however, that this post (using wevtutil) http://social.technet.microsoft.com/Forums/scriptcenter/en-US/d3bd105f-3c1c-4aea-b3e6-a5e601145cf3/how-to-backup-application-event-log-to-evtx-file-using-powershell gives a great way to export the System log. Not sure if it can do a custom view but I imagine it could if you get the syntax/naming right. – Brad Bouchard May 07 '14 at 14:06
  • @user3603657 Once exported to csv, just open Excel and import the csv file as comma delimited. https://support.office.com/en-za/article/Import-or-export-text-txt-or-csv-files-5250ac4c-663c-47ce-937b-339e391393ba#bmimport_data_from_a_text_file_by_openi – Mike Soule Feb 16 '15 at 05:01
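
Added example, not part of the question, answer or comments above: one way to produce both outputs the question asks for from the same custom-view query, a CSV trimmed to readable columns and an .evtx file that opens in Event Viewer. It assumes a shortened Security-only query built from event IDs in the question, the C:\LogFiles folder from the question, and a hypothetical CustomView.xml file name for the saved query.

```powershell
# Added example. Run from an elevated prompt: reading the Security log
# requires administrative rights.
$outDir = 'C:\LogFiles'                        # folder used in the question
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$csv    = Join-Path $outDir "ServiceTool_Log_$stamp.csv"
$evtx   = Join-Path $outDir "ServiceTool_Log_$stamp.evtx"
$qFile  = Join-Path $outDir 'CustomView.xml'   # assumed name for the saved query

# Shortened query (assumption: Security log only, event IDs taken from the question).
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625 or EventID=4720 or EventID=4725 or EventID=4728 or EventID=4740)]]</Select>
  </Query>
</QueryList>
"@

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1) Readable CSV: keep only the columns a person needs and flatten the
#    multi-line Message so every event stays on one spreadsheet row.
#    Get-WinEvent raises an error when nothing matches, so catch it.
try {
    $events = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction Stop
} catch {
    Write-Warning "No events exported: $($_.Exception.Message)"
    $events = @()
}
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, LogName, ProviderName, MachineName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s*\r?\n\s*', ' | ' } } |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# 2) .evtx for Event Viewer: with /sq:true, wevtutil epl reads its first
#    argument as the path to a structured query file, not a log name.
Set-Content -Path $qFile -Value $query
wevtutil epl $qFile $evtx /sq:true /ow:true
if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil exited with code $LASTEXITCODE" }
```

The resulting .evtx can be opened in Event Viewer through "Open Saved Log".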