How to dump events from Windows event logs?

From Event Viewer (eventvwr, GUI) you can export events to a log file. EventCombMT can do this as well.

You can also use EventWatchNT or EventSentry (GUI) from http://www.netikus.com

How to store events in a SQL table: https://blog.netnerds.net/2013/03/importing-windows-forwarded-events-into-sql-server-using-powershell/

How to export forwarded events using Get-WinEvent:

# Dump the last hour of forwarded events to a dated text file
cls
Write-Host "Dump Quest ARS Forwarded Events (only the last hour)"
$date = Get-Date -Format ddMMyyyy
$log = ".\logs\Dump-QARS-ForwardedEvents-" + $date + ".txt"

# XPath filter: Level 0-5 (every severity) created within the last 3600000 ms (1 hour)
$xml = '<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
</Query>
</QueryList>'

$events = Get-WinEvent -FilterXml $xml | Select-Object ID, LevelDisplayName, LogName, MachineName, Message, ProviderName, RecordID, TaskDisplayName, TimeCreated

# Append the formatted output to the log file
Write-Output $events >> $log

Write-Host ""
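
A reusable version of the same export, added here as an example and not part of the original post: it builds the XPath time window from parameters, handles the "no events found" error that Get-WinEvent raises when the window is empty, and writes CSV instead of formatted text. The function and parameter names are my own; the query mirrors the ForwardedEvents filter above.

```powershell
# Added example (not the original post's script): export recent events from a log to CSV.
# Function/parameter names are my own; the XPath query mirrors the post's ForwardedEvents filter.
function Export-RecentEvents {
    [CmdletBinding()]
    param(
        [string]$LogName      = 'ForwardedEvents',
        [int]$HoursBack       = 1,
        [int[]]$Levels        = @(1, 2, 3),   # Critical, Error, Warning; use 0..5 for everything
        [string]$OutputDir    = '.\logs',
        [string]$ComputerName = ''            # empty = local machine
    )

    # timediff(@SystemTime) in an XPath event query is expressed in milliseconds
    $windowMs  = $HoursBack * 3600 * 1000
    $levelExpr = ($Levels | ForEach-Object { "Level=$_" }) -join ' or '

    $xml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[($levelExpr) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]</Select>
  </Query>
</QueryList>
"@

    if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }
    $outFile = Join-Path $OutputDir ("Dump-{0}-{1}.csv" -f $LogName, (Get-Date -Format 'yyyyMMdd-HHmm'))

    # Get-WinEvent reports "No events were found ..." as an error; with -ErrorAction Stop
    # it becomes catchable, so an empty window is reported instead of aborting the script
    $params = @{ FilterXml = $xml; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    try {
        $events = @(Get-WinEvent @params)
    } catch {
        if ($_.Exception.Message -like 'No events were found*') { $events = @() } else { throw }
    }

    # Export-Csv keeps one row per event (multi-line Message stays quoted), so the file
    # can be filtered in Excel or re-imported with Import-Csv
    $events |
        Select-Object Id, LevelDisplayName, LogName, MachineName, ProviderName,
                      RecordId, TaskDisplayName, TimeCreated, Message |
        Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

    Write-Host ("{0} event(s) from {1} written to {2}" -f $events.Count, $LogName, $outFile)
    return $outFile
}

# Example call: same one-hour window as the post's script, Critical/Error/Warning only
Export-RecentEvents -LogName 'ForwardedEvents' -HoursBack 1
```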

To dump events from the command line you can use:

1) psloglist from www.microsoft.com/sysinternals

ex: psloglist -a 01/12/15 application -n 5    ; in this example I export the last 5 events from 12th Jan 2015 located in the Application event log.

ex: psloglist -a 01/12/15 -w -x security        ; in this example I export new Security events as they arrive, with extended data.

ex: psloglist -a 01/12/15 application -n 5 -s -t "\t" > c:\temp\output.txt  ; in this example I export the last 5 Application events, one per line, tab-separated, and redirect them to an output file. After that I can open output.txt in Excel.

Same example but using a specific event ID: psloglist -i 851 security -s -t "\t" > c:\temp\output.txt

Other example:

@echo off

rem Build a date stamp from "date /t" (output format depends on the system locale)
for /f "tokens=1,2,3,4* delims=/ " %%i in ('date /t') do set TDDAY=%%i&set TDMM=%%j&set TDDD=%%k&set TDYY=%%l
for /f "tokens=1* delims=:" %%i in ('time /t') do set HH=%%i&set MM=%%j
echo.
echo Starting EDM server log dump (please wait, it takes time)...
rem %1 = start date passed on the command line; -x dumps extended data, -s/-t produce one tab-separated line per event
psloglist -accepteula \\server01,server02 -a %1 "EDM Server" -x -s -t "\t" >.\logs\Dump-Log_%TDDD%%TDMM%%TDYY%.txt

2) Using wevtutil: http://technet.microsoft.com/en-us/magazine/dd310329.aspx

http://blogs.technet.com/b/server_core/archive/2006/09/25/458931.aspx

http://chentiangemalc.wordpress.com/2011/01/25/script-to-collect-all-event-logs-off-a-remote-windows-7-server-2008-machine/

3) Using PowerShell:

http://blogs.technet.com/b/heyscriptingguy/archive/2012/05/29/use-powershell-to-perform-offline-analysis-of-security-logs.aspx

http://social.technet.microsoft.com/Forums/en-US/50a35371-cb85-443e-8712-2fd3faf90b12/powershell-command-to-search-event-logs-date-time-and-exclude-specific-event-ids?forum=winserverpowershell

http://social.technet.microsoft.com/Forums/windowsserver/en-US/504b9e2c-5619-4777-8acf-45f4679d7827/geteventlog-and-remote-computers?forum=winserverpowershell

4) Using Log Parser:

https://mlichtenberg.wordpress.com/2011/02/03/log-parser-rocks-more-than-50-examples/

http://www.orcsweb.com/blog/desiree/how-to-use-log-parser-to-query-event-log-data/

Published by jdalbera

IT Pro: 28 years experience for large companies - Technical manager and solution architect: Directory services and Identity Management expert, Azure AD, Office 365, Azure infrastructures, Microsoft AD Security (ADDS, ADFS, ADCS), PowerShell, Quest solutions architect. Operating systems (Win/Lin). Unix and Microsoft interoperability. Data center operations. Company integrations. Network architectures. Virtualization and storage infrastructures. HP/Dell server deployments. Multiple certifications: Azure, MCSE, MCPs, MCITS, ITIL, VCP, CCNA, CyberArk