Get-WinEvent -Path (multiple paths)

  • Question

  • I am trying to export the Security and System event logs to csv. I am able to run these separately:

    Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\Security.evtx" -FilterXPath "*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]"
    
    Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\System.evtx" -FilterXPath "*[System[(EventID=6005 or EventID=6006 or EventID=6008)]]"

    But I want to run them together so it is grouped cleanly in the CSV. Is there a way to use multiple paths and FilterXPaths?

    Wednesday, August 26, 2015 4:55 PM

Answers

  • Looks like I got it to work like this:

    Get-WinEvent -Path "Security.evtx","System.evtx" -FilterXPath "*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=6005 or EventID=6006 or EventID=6008)]]" | Select TimeCreated, Id, Message | Export-Csv "Out.csv"

    • Marked as answer by UserDave Wednesday, August 26, 2015 5:56 PM
    Wednesday, August 26, 2015 5:42 PM
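One way to take the accepted answer a step further, as an added example that is not code from the thread: query each .evtx with only the event IDs that belong to it (the single combined XPath above applies every ID to every file), merge the results into one flat table sorted by TimeCreated, and export once. The function name and its parameters are assumptions; the paths and event IDs are the ones from the question.

```powershell
# Added example (not from the thread): merge several .evtx files into one
# CSV, each file filtered by its own event-ID list. Function name and
# parameter names are assumptions.
function Export-MergedEvents {
    param(
        # Map of .evtx path -> event IDs that matter for that log.
        [Parameter(Mandatory)][hashtable]$LogIds,
        [Parameter(Mandatory)][string]$OutCsv
    )

    $events = foreach ($path in $LogIds.Keys) {
        # Build an XPath that selects only the IDs relevant to this file, so a
        # System ID is never matched against Security.evtx and vice versa.
        $idTerms = ($LogIds[$path] | ForEach-Object { "EventID=$_" }) -join ' or '
        $xpath   = "*[System[($idTerms)]]"

        # Get-WinEvent raises a non-terminating error when a file yields no
        # matches; SilentlyContinue keeps the loop going over the other logs.
        Get-WinEvent -Path $path -FilterXPath $xpath -ErrorAction SilentlyContinue
    }

    # One flat table, oldest first; ContainerLog shows which file each row came from.
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, ContainerLog, ProviderName, Id, Message |
        Export-Csv -Path $OutCsv -NoTypeInformation

    return ($events | Measure-Object).Count
}

$base  = 'C:\Users\ABC\Desktop\Automated Event Logs'
$count = Export-MergedEvents -LogIds @{
    "$base\Security.evtx" = 4800, 4801, 4802, 4803   # workstation lock/unlock, screen saver
    "$base\System.evtx"   = 6005, 6006, 6008         # event log service start/stop, unexpected shutdown
} -OutCsv "$base\Out.csv"
"Exported $count events to $base\Out.csv"
```

Add `-Descending` to `Sort-Object` if you prefer the newest-first order that Get-WinEvent shows by default.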

All replies

  • You want what together? You cannot export one query to multiple files in the same command.

    If you want the EventIds grouped then you need to sort by eventID before outputting to CSV.


    \_(ツ)_/



    • Edited by jrv Wednesday, August 26, 2015 5:05 PM
    Wednesday, August 26, 2015 5:02 PM
  • You can do this:

    $paths='C:\Users\ABC\Desktop\Automated Event Logs\Security.evtx','C:\Users\ABC\Desktop\Automated Event Logs\System.evtx'
    $filter='*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=6005 or EventID=6006 or EventID=6008)]]'
    Get-WinEvent -Path $paths -FilterXpath $filter

    Then add:  sort ContainerLog, ID


    \_(ツ)_/


    • Edited by jrv Wednesday, August 26, 2015 5:11 PM
    • Proposed as answer by jrv Wednesday, August 26, 2015 5:55 PM
    Wednesday, August 26, 2015 5:09 PM
  • When I run my current code, it gets split up. I want it to be all in one "table"/flat-file so that it gets sorted by the TimeCreated field.
       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    08/26/2015 8:01:57 AM         4801 Information      The workstation was unlocked....
    08/25/2015 4:39:31 PM         4803 Information      The screen saver was dismissed....
    08/25/2015 4:39:29 PM         4802 Information      The screen saver was invoked....


       ProviderName: EventLog

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    08/21/2015 4:30:02 PM         6005 Information      The Event log service was started.
    08/21/2015 4:27:34 PM         6006 Information      The Event log service was stopped.
    08/14/2015 4:31:01 PM         6005 Information      The Event log service was started

    Wednesday, August 26, 2015 5:18 PM
  • function Get-Logs {
        # Both queries run inside one function so their output is emitted as a single stream
        Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\Security.evtx" -FilterXPath "*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]"
        Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\System.evtx" -FilterXPath "*[System[(EventID=6005 or EventID=6006 or EventID=6008)]]"
    }

    Get-Logs
    


    \_(ツ)_/


    • Edited by jrv Wednesday, August 26, 2015 5:40 PM
    Wednesday, August 26, 2015 5:39 PM