Script to export custom view Event Viewer to .evtx Powershell
You are already using the Export-CSV cmdlet in the right way, you simply need to change your extension to a .txt. PowerShell will export it for you in a human readable format. It should look like this:
Export-CSV "C:\LogFiles\ServiceTool_Log_$(Get-Date -format "yyyy-MM-dd").txt"
I'm not sure about the .evtx side of things, but doing the Export-CSV to a .txt will always produce a line by line replica of the data you're extracting.
I have referenced this before when trying to get custom data to a CSV/Excel Spreadsheet before too.
This reference provides a way to export a whole log using the wevtutil command. You will have to check if it works on your custom view or not.
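Both outputs asked about on this page, a readable CSV and an .evtx file, can be produced from the same custom-view query. The script below is an added example, not code from the original post: the query is shortened to the Security log and three of the question's event IDs, and the temporary file name and the .csv/.evtx file names are assumptions (the C:\LogFiles folder comes from the question).

```powershell
#Requires -RunAsAdministrator
# Added example: reading the Security log needs an elevated session.

$outDir = 'C:\LogFiles'                       # folder used in the question
$stamp  = Get-Date -Format 'yyyy-MM-dd'

# Shortened stand-in for the custom view XML (assumption: Security log only).
$queryXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4720 or EventID=4740 or EventID=4625)]]</Select>
  </Query>
</QueryList>
'@

if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# 1) Readable CSV: keep a handful of columns and only the first line of each message.
#    SilentlyContinue suppresses the "no events were found" error, leaving an empty result.
$events = Get-WinEvent -FilterXml ([xml]$queryXml) -ErrorAction SilentlyContinue
$csv = Join-Path $outDir "ServiceTool_Log_$stamp.csv"
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, LogName, ProviderName, MachineName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# 2) .evtx: wevtutil takes the same XML as a structured query file when /sq:true is set.
$queryFile = Join-Path $env:TEMP 'custom-view-query.xml'   # hypothetical temp file name
Set-Content -Path $queryFile -Value $queryXml -Encoding ASCII
$evtx = Join-Path $outDir "ServiceTool_Log_$stamp.evtx"
wevtutil.exe epl $queryFile $evtx /sq:true /ow:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil export failed with exit code $LASTEXITCODE" }
Remove-Item $queryFile

# Sanity check: read the newest record back from the exported file.
Get-WinEvent -Path $evtx -MaxEvents 1 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, LogName
```

The resulting .evtx opens in Event Viewer through "Open Saved Log", and the CSV imports into Excel with one event per row.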
user3603657
Updated on September 18, 2022
Comments
-
user3603657 almost 2 years
This is my PowerShell script to export data from a Custom View in the Event Viewer via the XML data.
# Relaxes the script execution policy (LocalMachine scope by default)
Set-ExecutionPolicy Unrestricted

# Custom view definition copied from the Event Viewer XML tab
[xml]$CustomView = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="Security">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="Setup">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="System">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <Select Path="ForwardedEvents">*[System[(EventID=4752 or EventID=4720 or EventID=4740 or EventID=4646 or EventID=4747 or EventID=4725 or EventID=4625 or EventID=4728 or EventID=4751)]]</Select>
    <!-- A lot of rules etc... I excluded a couple because it was 300000 characters limited. -->
  </Query>
</QueryList>
"@

# Run the query and write the matching events to a dated file
Get-WinEvent -FilterXML $CustomView | Export-CSV "C:\LogFiles\ServiceTool_Log_$(Get-Date -format "yyyy-MM-dd").log"
How can I export my log as an .evtx or a .csv to make it human readable?
-
user3603657 about 10 years
If exported to .csv it's still hard to read. Is there a possibility to convert it to a table or something? Or to an evtx file to open it in the Event Viewer?
-
Brad Bouchard about 10 years
I'm not sure of a way to convert it to a table, and I haven't tried saving to EVTX. I do know, however, that this post (using wevtutil) social.technet.microsoft.com/Forums/scriptcenter/en-US/… gives a great way to export the System log. Not sure if it can do a custom view but I imagine it could if you get the syntax naming/right.
-
Mike Soule over 9 years
@user3603657 Once exported to csv, just open Excel and import the csv file as comma delimited. support.office.com/en-za/article/…