WEVTUTIL Tool - Cannot export log file

  • Question

  • Hello, 

    I need to be able to export an Operations Log to a file, using a command line or VBS. My limitation is an old Deployment Console that I will be using to gather the log file.

    Using WEVTUTIL at the command line, I can use the following syntax and get output for: 

    wevtutil epl System C:\System.evtx

    But similarly cannot use:

    wevtutil epl "Microsoft-Windows-Diagnostics-Performance/Operational" "c:\Microsoft-Windows-Diagnostics-Performance/Operational.evtx"

    I've also tried (ASCII Equivalent):

    wevtutil epl "Microsoft-Windows-Diagnostics-Performance%4Operational" "c:\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx"

    Is there any way I can export this file?

    Friday, September 5, 2014 11:19 PM

Answers

  • Jason

    This will create a file named Event.txt on the Desktop:

    Using an elevated Command Prompt, copy and paste or type wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational /f:text > %userprofile%\Desktop\Event.txt (note the five spaces in the command) and press Enter.


    Ninety-nine per cent of politicians give the rest a bad name.


    • Edited by BurrWalnut Saturday, September 6, 2014 7:13 AM
    • Proposed as answer by Cloud_TS Monday, September 8, 2014 6:33 AM
    • Marked as answer by Jason Nimz Monday, September 8, 2014 6:52 PM
    Saturday, September 6, 2014 7:11 AM

All replies

  • Thanks BurrWalnut, 

    That will certainly work, and I've thought of using that, but I have to present this particular log file for legal counsel, so I was asking after a way to export the log intact (as one would with System, Application, Security).  I don't want the opposing counsel to come back with "The file is not in native format and could have been tampered with".


    Monday, September 8, 2014 3:24 PM
  • Jason

    Alternatively, you could copy the whole of the folder C:\Windows\System32\winevt\Logs. The individual logs are date/time stamped which, even to the eyes of a ’normal untrusting’ lawyer, should be evidence that no tampering has taken place.


    Ninety-nine per cent of politicians give the rest a bad name.

    Monday, September 8, 2014 5:21 PM
  • Thanks
    Monday, September 8, 2014 6:52 PM
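
The native-format export asked for in the question, as an added example that is not part of the original thread. It assumes the second command in the question failed because of the "/" in the destination file name (a path separator on Windows), and it records a SHA-256 hash so any later copy can be checked against the export. The output folder C:\EvidenceExport and the manifest file name are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$channel = 'Microsoft-Windows-Diagnostics-Performance/Operational'  # channel from the question
$outDir  = 'C:\EvidenceExport'                                       # hypothetical output folder

# The channel name keeps its '/', but the file name cannot contain one.
# Windows stores this channel on disk with '/' written as '%4', so reuse that.
$evtx     = Join-Path $outDir (($channel -replace '/', '%4') + '.evtx')
$manifest = Join-Path $outDir 'export-manifest.txt'                  # hypothetical file name

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Export in native .evtx format; /ow:true replaces an earlier export of the same name.
& wevtutil.exe epl $channel $evtx /ow:true
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil epl failed with exit code $LASTEXITCODE"
}

# Mark the export read-only, then hash it so later copies can be verified.
Set-ItemProperty -LiteralPath $evtx -Name IsReadOnly -Value $true
$hash = Get-FileHash -LiteralPath $evtx -Algorithm SHA256

# Ask wevtutil for the exported file's own metadata (/lf:true = argument is a log file).
$info = & wevtutil.exe gli $evtx /lf:true
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil gli failed with exit code $LASTEXITCODE"
}

# Write down who exported what, where and when, next to the hash.
@(
    "Computer : $env:COMPUTERNAME"
    "Operator : $env:USERDOMAIN\$env:USERNAME"
    "UTC time : $((Get-Date).ToUniversalTime().ToString('u'))"
    "Channel  : $channel"
    "File     : $evtx"
    "SHA256   : $($hash.Hash)"
    "--- wevtutil gli output ---"
    $info
) | Set-Content -LiteralPath $manifest -Encoding UTF8

Get-Content -LiteralPath $manifest
```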