The PowerShell script presented in this article converts Windows Event Logs to a CSV file.
I decided to write it after several projects in which I had to analyze Windows logs with PowerShell.
You could ask why this is needed, since the standard Windows Event Viewer already has an “Export to CSV” function.
I was not satisfied with Event Viewer’s standard CSV export. A Windows Event Log record is actually XML data stored in the .evtx file, and each record looks like this:
There are two main sections: <System> and <EventData>. <System> has a defined, fixed set of elements describing the event (provider, EventID, version, time created, record ID, channel, computer and so on). <EventData> has an EventID-dependent number of elements. In the example above, the event with EventID 5061 has 10 data elements in <EventData>; every record with EventID 5061 (and the same event Version, which <System> also carries) has those same 10 elements, because they come from one event template.
The main problem with the standard CSV export is that it puts the whole <EventData> structure into a single column, so it is not possible to filter or sort on the elements contained in it. And these are the interesting elements: usernames, IP addresses, SIDs.
My script enumerates the elements of the <EventData> structure and puts each of them into a separate column of the CSV file.
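As an added example (this is not the article’s script, and the function names ConvertTo-FlatEvent and Export-FlatEvents are mine), the snippet below shows the flattening described above in plain PowerShell: each <Data> element of <EventData> becomes a column keyed by its Name attribute rather than by position, so the column mapping survives template changes between event Versions, and the CSV export is built on the union of all column names because Export-Csv otherwise takes its header from the first row only. It assumes the XML shape returned by Get-WinEvent’s .ToXml() (including its namespace); the 5061 record at the bottom is constructed for the demo, not captured from a real host.

```powershell
# Added example, not the article's script. Flattens one Windows event record into a row
# with a column per <Data Name="..."> element, then exports a set of rows to CSV.
# Assumptions: the XML is what Get-WinEvent's .ToXml() returns (namespace below);
# the sample record at the bottom is constructed, not captured from a real host.

function ConvertTo-FlatEvent {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $sys = $EventXml.SelectSingleNode('/e:Event/e:System', $ns)

    # Fixed <System> columns first, so every row shares the same leading fields.
    $row = [ordered]@{
        TimeCreated = $sys.SelectSingleNode('e:TimeCreated', $ns).GetAttribute('SystemTime')
        Channel     = $sys.SelectSingleNode('e:Channel', $ns).InnerText
        Computer    = $sys.SelectSingleNode('e:Computer', $ns).InnerText
        EventID     = [int]$sys.SelectSingleNode('e:EventID', $ns).InnerText
        Version     = [int]$sys.SelectSingleNode('e:Version', $ns).InnerText
        RecordID    = [int64]$sys.SelectSingleNode('e:EventRecordID', $ns).InnerText
    }

    # <EventData> columns keyed by the Name attribute, not by position: the element
    # count for an EventID can change between event Versions, and a name survives that.
    $i = 0
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $name = $d.GetAttribute('Name')
        if ([string]::IsNullOrEmpty($name)) { $name = "Data$i" }   # unnamed elements fall back to position
        # Same substitution the article's script makes; note that it changes the stored value.
        $row[$name] = $d.InnerText -replace '"', "'"
        $i++
    }
    [pscustomobject]$row
}

function Export-FlatEvents {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [Parameter(Mandatory)][string]$Path
    )
    # Export-Csv takes the header from the first object only, so a mixed-EventID set
    # would silently drop columns. Build the union of column names and select on it.
    $columns = [System.Collections.Generic.List[string]]::new()
    foreach ($r in $Rows) {
        foreach ($p in $r.PSObject.Properties.Name) {
            if (-not $columns.Contains($p)) { $columns.Add($p) }
        }
    }
    $Rows | Select-Object -Property $columns |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Constructed sample: a Security 5061 (cryptographic operation) record with its ten Data elements.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000000000Z" />
    <EventRecordID>12345</EventRecordID>
    <Execution ProcessID="700" ThreadID="800" />
    <Channel>Security</Channel>
    <Computer>HOST01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">HOST01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
    <Data Name="AlgorithmName">RSA</Data>
    <Data Name="KeyName">"quoted" key name</Data>
    <Data Name="KeyType">%%2500</Data>
    <Data Name="Operation">%%2480</Data>
    <Data Name="ReturnCode">0x0</Data>
  </EventData>
</Event>
'@

$rows = @(ConvertTo-FlatEvent -EventXml ([xml]$sample))
$rows[0] | Format-List        # six <System> columns followed by the ten named EventData columns
Export-FlatEvents -Rows $rows -Path (Join-Path $PWD 'sample_5061.csv')

# Live use in an elevated shell (not run here): the same pipeline over a real channel.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5061 } -MaxEvents 500 |
#     ForEach-Object { ConvertTo-FlatEvent -EventXml ([xml]$_.ToXml()) }
# Export-FlatEvents -Rows $live -Path '.\security_5061.csv'
```

The per-record cost is the XML parse and the XPath queries, which is where the speed difference between Windows PowerShell and PowerShell 7 comes from; if you only need a handful of fields for a known EventID, reading $_.Properties from the Get-WinEvent record by index is faster but ties you to that template’s positional layout.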
You can download the program code from my GitHub repository.
Program parameters:
- paramPathToSaveFiles – path where the output files are created; if not specified, the folder the script is run from is used.
- paramAllLogsOrSingleLog – name of the Event Log channel to process (“security” or “application”, for example), or “all”, in which case every channel registered on the system is processed into a single CSV file. Each channel is then distinguished by the ContainerLog column (which holds the channel name). Be careful with “all”: it can run for a long time and produce a very large CSV file.
Two files are created in paramPathToSaveFiles (by default, the folder the script is run from):
<yyyyMMdd-HHmmss>_<hostname>_eventlog_scope<channel_name|all>.csv – the exported event data
<yyyyMMdd-HHmmss>_<hostname>_eventlog_scope<channel_name|all>.log – everything the program prints to the screen; at the end it also records the OS and PowerShell versions and the contents of the script as run.
Notes:
- Run in an elevated PowerShell (Run as administrator). Reading channels such as “Security” requires it (membership in the Event Log Readers group is the non-administrator alternative for read access).
- In every exported element the double quote ” is replaced with a single quote ’ to avoid confusion with the CSV quoting. Note that this alters the exported values, so treat the CSV as a working copy for analysis and keep the original .evtx as the evidence.
- In my tests the program processes ~25 records per second on Windows PowerShell 5.1 and ~600 records per second on PowerShell 7.x.
- At the end of the program there is example code that reads the CSV just created and filters it, extracting interactive logons and LDAP connections.
- The program is a proof of concept and is provided as is, with absolutely no warranty expressed or implied. Any use is at your own risk.