3

I'm looking to export a large quantity of saved Security log files (.evtx) to text or CSV format. I found wevtutil but that only seems to be able to convert .evt to .evtx when dealing with saved log files:

wevtutil epl c:\logs\seclog.evtx c:\logs\seclog.txt /lf:true

The file is created as seclog.txt but it is in .evtx format.

Is it possible to convert to text or is there another way to convert the files to text as quickly? I tried with Powershell but it takes too long.

Edit: I've looked into Log Parser and it seems quick as well but it doesn't export the description field correctly:

The description for Event ID xxx in Source "Microsoft-Windows-xxxx" cannot be found. The local computer may not have the...
smwk
    Did you look at logparser? Expect this to take a while (if it's a large set) irrespective of tool. – Jim B Jun 13 '16 at 19:16
  • I've looked at Log Parser before but didn't find it quicker than Powershell. To give an idea of the workload, I have to take approx. 1300 files (or 1TB uncompressed) and parse about 1.7 billion records. I have to work on each file individually as I only have a small amount of disk space. – smwk Jun 13 '16 at 19:34
  • It's not the tool it's the event log that's likely slowing things down. If it were me, I'd probably dump the whole thing to another server, export it to sql then do my filters in sql – Jim B Jun 13 '16 at 20:40
  • With Powershell I would say it is the tool slowing it down, get-winevent is very slow. Unfortunately SQL is not an option in this case. – smwk Jun 13 '16 at 20:54
  • Why is SQL not an option? Get-winevent is using the same classes that the other tools use. try running get-winevent by itself and see if the responses are slow to write to the console – Jim B Jun 14 '16 at 03:42
  • It's not an option because I haven't been provided with SQL Server and getting the resources allocated would take too long. Log Parser seems to be the best option, it takes about 2 minutes to convert to text and after that I process it using the .net classes. Get-winevent takes about 10 minutes just to tell you how many events there are. – smwk Jun 14 '16 at 09:23
  • You can download a sql server trial, or use express as a permanent solution (although with a terabyte source, I'm not sure how small that would drop to with sql). If it's taking 10 minutes, it must be because you told it to retrieve the entire dataset just to give you a count. That should be close to the amount of time to convert the event objects to the stripped down text version. – Jim B Jun 14 '16 at 12:10
  • It's not my server to go installing SQL on. Get-winevent loads the entire log file and takes over an hour to go through the logs, my solution below is quicker. Thanks for pointing me in the right direction with Log Parser, seem to recall it being slower when I last used it. – smwk Jun 14 '16 at 16:46
  • How long does this command take: Get-WinEvent -ListLog * |Where-Object {$_.RecordCount}? Get-WinEvent should return very quickly. Logparser by default should be much quicker (as you've observed) because it's only a text parser and not an event log parser (events can be much larger than plain text, as they contain a full XML record rather than just the event data you normally see). – Jim B Jun 14 '16 at 18:04

4 Answers

2

In the end I went with Log Parser to convert to CSV and then [System.IO.File]::ReadLines($filename) to search through the text. An 800MB .evtx file can be converted in about 2 min 30 sec and then reading through the file takes about 2 mins. Possibly it could be quicker exporting to XML or into a database but it will do for me with the amount of time I had to spend.

# Path to the Log Parser 2.2 executable (default install location)
$logparser = "c:\program files (x86)\Log Parser 2.2\logparser.exe"
# Log Parser SQL: read every event from the saved .evtx and write it out as CSV
$query = "SELECT * INTO c:\logs\logs.csv FROM c:\logs\logs.evtx"

# -i:evt selects the event log input format, -o:csv the CSV output format
& $logparser -i:evt -o:csv $query
smwk
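The same Log Parser conversion, as an added example that is not the answerer's own script: it drives Log Parser over a folder of .evtx files one at a time, keeps only the CSV rows whose EventID column matches, and deletes each scratch CSV before the next file so only one converted log is ever on disk (the questioner's constraint). Assumed: the Log Parser 2.2 install path below, the folder and result paths, and that Log Parser's EVT output places the EventID column before any quoted text columns such as Strings or Message.

```powershell
# Added example (assumptions: Log Parser 2.2 path, EventID column precedes quoted columns)
function Search-EvtxFolder {
    param(
        [Parameter(Mandatory)][string]$Folder,      # folder holding the saved .evtx files
        [Parameter(Mandatory)][string]$ResultFile,  # CSV receiving the matching rows
        [Parameter(Mandatory)][int]$EventId,        # e.g. 4624 (account logon)
        [string]$LogParser  = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe',
        [string]$ScratchCsv = (Join-Path $env:TEMP 'evtx-scratch.csv')
    )
    # StreamWriter resolves relative paths against the .NET cwd, so make it absolute first.
    $ResultFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($ResultFile)
    $out = New-Object System.IO.StreamWriter -ArgumentList $ResultFile, $false
    $headerWritten = $false
    $hits = 0
    try {
        foreach ($evtx in Get-ChildItem -Path $Folder -Filter *.evtx -File) {
            # Same conversion as in the answer above; -stats:OFF silences the summary lines.
            $query = "SELECT * INTO '$ScratchCsv' FROM '$($evtx.FullName)'"
            & $LogParser -i:evt -o:csv -stats:OFF $query | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Log Parser failed on $($evtx.Name) (exit code $LASTEXITCODE)"
                continue
            }
            # Read line by line (as File.ReadLines does) and close the handle before deleting.
            $in = New-Object System.IO.StreamReader -ArgumentList $ScratchCsv
            try {
                $header = $in.ReadLine()
                $idx = [array]::IndexOf(($header -split ','), 'EventID')
                if ($idx -lt 0) { Write-Warning "No EventID column in $($evtx.Name)"; continue }
                if (-not $headerWritten) { $out.WriteLine($header); $headerWritten = $true }
                while ($null -ne ($line = $in.ReadLine())) {
                    # Split only as far as the EventID column; later columns may contain commas.
                    if (($line -split ',', ($idx + 2))[$idx] -eq "$EventId") {
                        $out.WriteLine($line); $hits++
                    }
                }
            } finally {
                $in.Dispose()
                Remove-Item $ScratchCsv -ErrorAction SilentlyContinue   # free the space
            }
        }
    } finally { $out.Dispose() }
    return $hits
}

# Usage with assumed paths:
# Search-EvtxFolder -Folder 'C:\logs' -ResultFile 'C:\logs\hits.csv' -EventId 4624
```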
0

I needed to bulk convert a bunch of .evtx to .txt files. I did end up getting Log Parser to convert to .csv (which I can then rename to .txt), but the easiest way (and the only one that uses native Windows tools) was to use wevtutil.

wevtutil qe File.evtx /lf:true will open and display the .evtx file in a cmd window. All you have to do is redirect that output to a .txt!

wevtutil qe File.evtx /lf:true > File.txt

I made a batch script that will recursively check a folder for all your nicely dated event files and will convert each .evtx file to a .txt inside that folder:

rem Root folder holding the dated .evtx files (quoted so paths with spaces survive)
set "spath=\\SERVER\Share\Audits"
rem "delims=" keeps the whole path in %%d even when it contains spaces; ^| escapes the pipe
FOR /F "delims=" %%d in ('dir /B /s "%spath%" ^| findstr /I "\.evtx$"') do wevtutil qe "%%d" /lf:true > "%%d.txt"

Edit - I did realize that the query output from wevtutil is not very nice to read. Using Log Parser instead in my script, I was able to get a nicer output and still save it with .txt

set "spath=\\SERVER\Share\Audits"
set "logparser=C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"
rem Single quotes around the paths inside the query let Log Parser handle spaces in them
FOR /F "delims=" %%d in ('dir /B /s "%spath%" ^| findstr /I "\.evtx$"') do "%logparser%" "SELECT * INTO '%%d.txt' FROM '%%d'" -i:evt -o:csv
mforsetti
Dan H.
0

If you're looking for a point-and-click way to convert EVTX files, you could try Gigasheet. It's a web-based application that parses EVTX and you can export data in CSV format. You can upload up to 99 files concurrently, and it's free to upload files up to 10GB.

Full details here: https://www.gigasheet.co/post/online-evtx-parser-and-viewer

Our parsing in Gigasheet is based on the Rust EVTX parser by @omerbenamram. Looking at the benchmarks on Github, it looks like the performance should be great for most applications: https://github.com/omerbenamram/evtx

Full disclosure: I'm co-founder at Gigasheet.

Jason
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/502283) – djdomi Nov 09 '21 at 06:59
0

As far as I remember, LogParser was not able to extract all event information (I mean both System and EventData that you can see in the xml view for each event in the EventViewer). Therefore, I went with powershell. My script works well, but is very slow: it needs about 80 seconds to convert 10 Mb .evtx file...

$a = Get-Item *.evtx
# StreamWriter resolves a bare file name against the .NET working directory, which is not
# necessarily the PowerShell location, so build the path from $PWD explicitly.
$output_file = [System.IO.StreamWriter] (Join-Path $PWD "all.csv")
foreach($file in $a){
    # Loads every event of the file into memory; this is where most of the time goes.
    $events = Get-WinEvent -Path $file.FullName

    foreach ($Event in $events) {
        $xml = [xml]($Event.ToXml())

        # System block: one name:value pair per child element
        foreach ($s in $xml.Event.System.ChildNodes) {
            $output_file.Write($s.Name + ":" + $s.InnerText + ",")
        }
        # EventData block: the Name attribute of each Data element and its text (newlines stripped)
        foreach ($d in $xml.Event.EventData.Data) {
            $text = $d.InnerText
            $text = if ($text) { $text.replace("`n","") } else { $text }
            $output_file.Write($d.Name + ":" + $text + ",")
        }
        $output_file.WriteLine()
    }
}

$output_file.Flush()
$output_file.Close()
Andrey Sapegin
  • It will export the XML as text as well. Checking all the logs took about 5 days but later I found the best way is to let LogParser to do what it says and parse the events - https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/ – smwk Jul 07 '16 at 22:06
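An added example, not code from the answer above: it keeps the answer's goal (both the System fields and every EventData Name/Value pair in one CSV row) but streams the file through the .NET EventLogReader instead of loading all events with Get-WinEvent, never calls the slow message-formatting step, and emits properly quoted CSV. Assumed: the caller supplies the .evtx and output paths; the Event XML namespace URI is the standard one Windows writes.

```powershell
# Added example (assumptions: caller-supplied paths; standard Windows Event XML namespace)
function Export-EvtxToCsv {
    param(
        [Parameter(Mandatory)][string]$EvtxPath,
        [Parameter(Mandatory)][string]$CsvPath
    )
    $evtNs = 'http://schemas.microsoft.com/win/2004/08/events/event'
    # .NET classes resolve relative paths against the .NET cwd, so make both absolute.
    $EvtxPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($EvtxPath)
    $CsvPath  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($CsvPath)
    $query  = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery -ArgumentList $EvtxPath, ([System.Diagnostics.Eventing.Reader.PathType]::FilePath)
    $reader = New-Object System.Diagnostics.Eventing.Reader.EventLogReader -ArgumentList $query
    $writer = New-Object System.IO.StreamWriter -ArgumentList $CsvPath, $false, ([System.Text.Encoding]::UTF8)
    # Quote a field RFC 4180 style and flatten newlines so one event stays on one line.
    function Quote-Field([string]$s) {
        '"' + $s.Replace('"', '""').Replace("`r", '').Replace("`n", ' ') + '"'
    }
    $count = 0
    try {
        $writer.WriteLine('RecordId,TimeCreated,Provider,EventId,Level,Computer,Channel,EventData')
        # ReadEvent() streams one record at a time; the whole log is never held in memory.
        while ($null -ne ($e = $reader.ReadEvent())) {
            try {
                # Data elements sit in a default XML namespace, so XPath needs a prefix for it.
                $xml = New-Object System.Xml.XmlDocument
                $xml.LoadXml($e.ToXml())
                $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
                $ns.AddNamespace('e', $evtNs)
                $pairs = foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
                    $name = $d.GetAttribute('Name'); if (-not $name) { $name = 'Data' }
                    "$name=$($d.InnerText)"
                }
                $time = if ($e.TimeCreated) { $e.TimeCreated.ToUniversalTime().ToString('o') } else { '' }
                # System fields come straight from the EventRecord; no FormatDescription() call.
                $row = @($e.RecordId, $time, $e.ProviderName, $e.Id, $e.Level,
                         $e.MachineName, $e.LogName, ($pairs -join ';')) |
                       ForEach-Object { Quote-Field ([string]$_) }
                $writer.WriteLine($row -join ',')
                $count++
            } finally { $e.Dispose() }
        }
    } finally {
        $writer.Dispose()
        $reader.Dispose()
    }
    return $count   # number of events written
}

# Usage with assumed paths: Export-EvtxToCsv -EvtxPath 'C:\logs\seclog.evtx' -CsvPath 'C:\logs\seclog.csv'
```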