Convert saved evtx files to text

windows-server-2008-r2 windows-event-log wevtutil
13,190

In the end I went with Log Parser to convert to CSV and then [System.IO.File]::ReadLines($filename) to search through the text. An 800MB .evtx file can be converted in about 2 min 30 sec and then reading through the file takes about 2 mins. Possibly it could be quicker exporting to XML or into a database but it will do for me with the amount of time I had to spend.

$logparser = "c:\program files (x86)\Log Parser 2.2\logparser.exe"
$query = "SELECT * INTO c:\logs\logs.csv FROM c:\logs\logs.evtx"

& $logparser -i:evt -o:csv $query
Share:
13,190

Related videos on Youtube

smwk
Author by

smwk

Updated on September 18, 2022

Comments

  • smwk
    smwk almost 2 years

    I'm looking to export a large quantity of saved Security log files (.evtx) to text or CSV format. I found wevtutil but that only seems to be able to convert .evt to .evtx when dealing with saved log files:

    wevtutil epl c:\logs\seclog.evtx c:\logs\seclog.txt /lf:true

    The file is created as seclog.txt but it is in .evtx format.

    Is it possible to convert to text or is there another way to convert the files to text as quickly? I tried with Powershell but it takes too long.

    Edit: I've looked into Log Parser and it seems quick as well but it doesn't export the description field correctly:

    The description for Event ID xxx in Source "Microsoft-Windows-xxxx" cannot be found. The local computer may not have the...
    • raja
      raja about 8 years
      Did you look at logparser? Expect this to take a while (if it's a large set) irrespective of tool.
    • smwk
      smwk about 8 years
      I've looked at Log Parser before but didn't find it quicker than Powershell. To give an idea on the workload I have to take aprox 1300 files (or 1TB uncompressed) and parse about 1.7 billion records. I have to work on each file individually as I only have a small amount of disk space.
    • raja
      raja about 8 years
      It's not the tool it's the event log that's likely slowing things down. If it were me, I'd probably dump the whole thing to another server, export it to sql then do my filters in sql
    • smwk
      smwk about 8 years
      With Powershell I would say it is the tool slowing it down, get-winevent is very slow. Unfortunately SQL is not an option in this case.
    • raja
      raja about 8 years
      Why is SQL not an option? Get-winevent is using the same classes that the other tools use. try running get-winevent by itself and see if the responses are slow to write to the console
    • smwk
      smwk about 8 years
      It's not an option because I haven't been provided with SQL Server and getting the resources allocated would take too long. Log Parser seems to be the best option, it takes about 2 minutes to convert to text and after that I process it using the .net classes. Get-winevent takes about 10 minutes just to tell you how many events there are.
    • raja
      raja about 8 years
      You can download a sql server trial, or use express as a permanent solution (although with a terabyte source, I'm not sure how small that would drop to with sql). If it's taking 10 minutes, it must be because you told it to retrieve the entire dataset just to give you a count. That should be close to the amount of time to convert the event objects to the stripped down text version.
    • smwk
      smwk about 8 years
      It's not my server to go installing SQL on. Get-winevent loads the entire log file and takes over an hour to go through the logs, my solution below is quicker. Thanks for pointing me in the right direction with Log Parser, seem to recall it being slower when I last used it.
    • raja
      raja about 8 years
      how long does this command take: Get-WinEvent -ListLog * |Where-Object {$_.RecordCount} get-winevent should return very quickly. Logparser default should be much quicker (as you've observed) because it's only a text parser and not an eventlog parser (events can be very larger vs just text as they contain a full xml record vs just the event data you normally see)
  • djdomi
    djdomi over 2 years
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cannot start eventlog service
PowerShell script generates lots of warnings in Windows Event Log
Event ID 8021 The browser was unable to retrieve a list of servers from the browser master
New set up DHCP Server on Server 2008 R2 won't work, Event-ID 1046
Event logger won't start: error 2 The system cannot find the file specified, Windows server 2008R2
Can not see entries in Application Log in Event Viewer
Listing Users using RDP
How to find log about uninstalling program on windows server 2008 R2?
NtpClient will wait 3473457 minutes (over 6 years!) before it will do a new attempt of DNS resolution, eventid 134
How to allow a domain user to write the Windows Event Log (2008 R2 or newer) without Local Admin privileges?