Wevtutil to output event log description
12,664
You can use /f:text modifier and grep with ^|FIND "Description"
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true ^|FIND "Description" > C:\query.txt
Note the ^ before the pipe, it escapes the pipe in scripts.
Related videos on Youtube
![How to Set up Windows Event Log Forwarding [Step-by-Step]](https://i.ytimg.com/vi/urRWkyzRI78/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBoCx5v8X3PgWjOZkeWm_rN0OeYwA)
05 : 45
How to Set up Windows Event Log Forwarding [Step-by-Step]
03 : 40
Forensic investigation Event Log Explorer windows event log forensics
03 : 14
Windows Pentesting Lab Walkthrough: Log Management with Wevtutil
07 : 21
Event Viewer & Windows Logs
08 : 00
How To Use The Windows Event Viewer For Cyber Security Audit
01 : 16
How to show System Event Log
12 : 39
Get-EventLog - How to search for things in the Windows Eventlog using PowerShell
01 : 03 : 09
Event Log Management in Windows | TryHackMe Windows Event Logs
02 : 58
How to Export Event Viewer Logs? | Veela Basic
Author by
K20GH
Updated on June 04, 2022Comments
-
K20GH about 2 years
Is there anyway to only output the description field in an event log entry?
Im current using:
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true > C :\query.txtHowever this output everything. I just want to output the description which is under:
<EventData> <Data> Description bllah blah</data> </EventData> -
Shannon about 10 years/gm:true doesn't appear to be a valid argument, and when I remove it all I get are single lines containing " Description:"
-
Shannon about 10 yearsI don't think /gm:true available for the "qe" command. I think the key is to not use "/f:text". In XML format, it will give you the /Event/EventData/Data element.
