Converting Windows Event Logs to CSV file

The PowerShell script I present in this article converts Windows Event Logs to a CSV file.

I decided to create this script after working on several projects where I had to analyze Windows logs with PowerShell.

You might ask: why is this needed, when the standard Windows Event Viewer has “Export to CSV” functionality?

I was not satisfied with the Event Viewer's standard Export to CSV. A Windows Event Log record is actually XML data stored in an .evtx file, and each record looks like:

There are two main sections: <System> and <EventData>. <System> has a defined, fixed number of event-related elements. <EventData> has a number of elements that depends on the EventID. In the example above we can see that an event with EventID=5061 has 10 data elements in <EventData>. In fact, all event records with EventID=5061 will have 10 <EventData> elements.

The main problem with the standard export of an event log to a CSV file is that it exports all data of the <EventData> structure into one column, so it is not possible to filter or sort by the elements contained in this structure. Yet these elements are very interesting: they are usernames, IP addresses, SIDs.

My script enumerates the elements of the <EventData> structure and puts each of them into a separate column of the CSV file:

You can download the program code from my GitHub repository

Program parameters:

  • paramPathToSaveFiles – path in which to create the log file; if not specified, the current script execution path is used.
  • paramAllLogsOrSingleLog – name of an Event Log channel to process (“security”, “application” for example), or “all” – in this case it will process all channels registered in the system into a single CSV file. Each channel will have a different ContainerLog column value (actually the channel name). Be careful with the “all” parameter – it can run for a long time and create a huge CSV file.

Two files are created in the same folder where the program being run is located:

    <yyyyMMdd-HHmmss>_<hostname>_eventlog_scope<channel_name|all>.csv – containing the actual data exported to the CSV file

    <yyyyMMdd-HHmmss>_<hostname>_eventlog_scope<channel_name|all>.log – all messages the program prints to the screen. At the end it contains the OS and PowerShell versions and the contents of the currently running script.

Notes:

  • Run in an elevated PowerShell (Run as administrator). Reading channels like “Security” requires this.
  • For all exported elements of the event log it will replace " with ' to avoid confusion with the CSV structure.
  • The program gives me a processing speed of ~25 records per second when run on PowerShell 5.2, and ~600 records per second when run on PowerShell 7.x
  • At the end of the program there is example code which reads the just-created CSV and filters it by extracting interactive logons and LDAP connections
  • The program is created as a Proof of Concept and provided as is, with absolutely no warranty expressed or implied. Any use is at your own risk.
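
The flattening of <EventData> into separate columns described above can be sketched as follows. This is an added example, not the author's script from the repository: the function name `ConvertTo-FlatEvent`, the `Data1`, `Data2` naming for unnamed elements and the two sample records are assumptions made for illustration.

```powershell
# Constructed sample records (trimmed, not real log data): two event IDs
# whose <EventData> sections carry different fields.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sampleXml = @(
    ("<Event xmlns='$ns'><System><EventID>4624</EventID><Channel>Security</Channel></System>" +
     "<EventData><Data Name='TargetUserName'>alice</Data><Data Name='LogonType'>2</Data>" +
     "<Data Name='IpAddress'>192.0.2.10</Data></EventData></Event>"),
    ("<Event xmlns='$ns'><System><EventID>1000</EventID><Channel>Application</Channel></System>" +
     "<EventData><Data>app `"demo`" failed</Data><Data>0xc0000005</Data></EventData></Event>")
)

# Hypothetical helper: turns one event's XML into an object with one property per <Data> element.
function ConvertTo-FlatEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('e', $ns)
    $row = [ordered]@{
        EventID      = $doc.SelectSingleNode('//e:System/e:EventID', $nsm).InnerText
        ContainerLog = $doc.SelectSingleNode('//e:System/e:Channel', $nsm).InnerText
    }
    $i = 0
    foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $nsm)) {
        $i++
        $name = $d.GetAttribute('Name')          # empty string when the attribute is absent
        if (-not $name) { $name = "Data$i" }     # assumption: positional name for unnamed elements
        $row[$name] = $d.InnerText -replace '"', "'"   # same quote replacement as in the notes above
    }
    [pscustomobject]$row
}

$rows = $sampleXml | ForEach-Object { ConvertTo-FlatEvent -EventXml $_ }

# ConvertTo-Csv / Export-Csv take the header from the first object only, so fields that
# appear only in later events would be dropped. Build the union of all property names
# first and project every row onto it; missing fields become empty cells.
$columns = $rows | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$rows | Select-Object -Property $columns | ConvertTo-Csv -NoTypeInformation
```

On a live system the same function can be fed from `Get-WinEvent -LogName Security -MaxEvents 100 | ForEach-Object { ConvertTo-FlatEvent $_.ToXml() }`, run elevated as the notes above require.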
