Export Event Viewer Alerts to CSV

Getting access denied error messages or requests to export event viewer logs to a csv or txt file?

I’ve got your back! In this post I am going to show you some simple PowerShell / command-line techniques to export Event Viewer logs with minimal hassle.

A simple one-time example is shown below:

Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='System')" | Export-Csv -Path "C:\Test\PublicFolderStatistics.csv" -NoTypeInformation

Running this command collects all the events where the log file is System and exports them as a .csv to the file path C:\Test\PublicFolderStatistics.csv

Other examples of the default Windows Logs you can choose from –

[Screenshot: Windows Logs in Event Viewer]

Received the dreaded red text? No problem!

Firstly, check to make sure you are running the command with administrator privileges. (Right-click PowerShell and choose ‘Run as administrator’.)

If you are getting errors similar to the ones shown below, make sure you specify the name of the exported file and its file format (.txt or .csv etc.), in addition to including a folder to store the exported file in.

“C:\Test\PublicFolderStatistics.csv” – is the correct way to input the file path.

As displayed below, the -Path values ‘C:\’ and ‘C:\PublicFolderStatistics.csv’ produce Access Denied errors.

[Screenshot: event log export PowerShell error]

Important to note – if you are exporting a lot of logs the command may take a while to complete. Wait until ‘PS C:\Directory of your shell’ appears again before opening your exported file.

An example of a successful CSV export:

[Screenshot: CSV export]

Export only specific event codes – In this case I have chosen the event code ‘10009’:

Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='System') AND (EventCode='10009')" | Export-Csv -Path "C:\Test\PublicFolderStatistics.csv" -NoTypeInformation

To export from multiple computers in one go, you can read a collection of host names from a .txt document into a variable ($computers). In this case the host names are in the document ‘computers.txt’. Make sure to keep one host name per line.

$computers = Get-Content "C:\computers.txt"

foreach ($computer in $computers)
{
    Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='System')" -ComputerName $computer | Export-Csv "C:\Test\$computer.csv"
}

The script will grab each host name from the txt document and export its ‘System’ logs into an individual .csv file named after the host name.

[Screenshot: computers.txt list]

You can also look for specific events by changing the ‘WHERE’ part of the Get-WmiObject query. For example:

foreach ($computer in $computers)
{
    Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='System') AND (EventCode=644) AND (EventType=4)" -ComputerName $computer | Export-Csv "C:\Test\$computer.csv" -NoTypeInformation
}

In PowerShell ISE your scripts should look similar to –

#Export event logs from multiple computers
$computers=get-content "C:\computers.txt"

foreach($computer in $computers)
{ 
 get-wmiobject -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='System')" -computername $computer | export-csv "C:\Test\$computer.csv" 
}
#Export specific event logs from multiple computers
foreach($computer in $computers)
{ 
 get-wmiobject -query "Select * from Win32_NTLogEvent WHERE (Logfile= 'System') and (EventCode= 644) and (EventType=4)" -computername $computer | export-csv "C:\Test\$computer.csv" -NoTypeInformation
}
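The multi-computer loop above stops being useful as soon as one host is offline or denies access, and the raw WMI timestamps are hard to read in a spreadsheet. The following is an added example (not part of the original post) for Windows PowerShell, where Get-WmiObject is available; it reuses the post's C:\computers.txt and C:\Test paths, and the failed-hosts.txt file name is a hypothetical choice.

```powershell
# Added example: hardened variant of the multi-computer export loop.
# Paths are the ones used in the post; adjust for your environment.
$computers = Get-Content 'C:\computers.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$outDir    = 'C:\Test'
$query     = "SELECT * FROM Win32_NTLogEvent WHERE (Logfile='System') AND (EventCode=644) AND (EventType=4)"

# Export-Csv needs an existing, writable folder; create it up front.
if (-not (Test-Path -Path $outDir -PathType Container)) {
    New-Item -Path $outDir -ItemType Directory | Out-Null
}

$failed = @()
foreach ($computer in $computers) {
    # The host name becomes part of a file name, so accept only plain host-name characters.
    if ($computer -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping invalid host name: '$computer'"
        $failed += $computer
        continue
    }
    try {
        # -ErrorAction Stop turns RPC and access-denied failures into catchable errors.
        $events = Get-WmiObject -Query $query -ComputerName $computer -ErrorAction Stop
    }
    catch {
        Write-Warning "$computer : $($_.Exception.Message)"
        $failed += $computer
        continue
    }
    if (-not $events) {
        Write-Output "$computer : no matching events"
        continue
    }
    $events |
        Select-Object ComputerName, Logfile, RecordNumber, EventCode, EventType, SourceName,
            @{ Name = 'TimeGenerated'; Expression = {
                # Convert the WMI (DMTF) timestamp string into a readable DateTime.
                [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated) } },
            Message |
        Export-Csv -Path (Join-Path $outDir "$computer.csv") -NoTypeInformation
    Write-Output ("{0} : {1} event(s) exported" -f $computer, @($events).Count)
}

# Keep a record of hosts that need a second look (hypothetical file name).
if ($failed) { $failed | Set-Content -Path (Join-Path $outDir 'failed-hosts.txt') }
```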


 

Thanks for reading – feel free to follow and stay updated 🙂