From Event Viewer (eventvwr, GUI) you can export events to a log file. EventCombMT can do the same.
You can also use EventwatchNT or EventSentry (GUI) from http://www.netikus.com
How to store events on SQL table: https://blog.netnerds.net/2013/03/importing-windows-forwarded-events-into-sql-server-using-powershell/
How to export forwarded events using get-winevent:
cls
Write-Host "Dump Quest ARS Forwarded Events (only the last hour)"
$date = Get-Date -Format ddMMyyyy
# The .\logs folder must already exist.
$log = ".\logs\Dump-QARS-ForwardedEvents-" + $date + ".txt"
# 3600000 ms = 1 hour. "<" must be written as &lt; because the query is XML.
$xml = '<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
</Query>
</QueryList>'
$events = Get-WinEvent -FilterXml $xml | Select-Object ID, LevelDisplayName, LogName, MachineName, Message, ProviderName, RecordID, TaskDisplayName, TimeCreated
Write-Output $events >> $log
Write-Host ""
To dump events from the command line you can use:
1) psloglist from www.microsoft.com/sysinternals
ex: psloglist -a 01/12/15 application -n 5 ; in this example I export the last 5 events from 12th Jan 2015 located in the Application event log.
ex: psloglist -a 01/12/15 -w -x security ; in this example I export new security events as they arrive, with extended data.
ex: psloglist -a 01/12/15 application -n 5 -s -t "\t" > c:\temp\output.txt ; in this example I export the last 5 application events, one event per line, separated by tabs and redirected to an output file. After that I can open output.txt in Excel.
Same example but using a specific event ID: psloglist -i 851 security -s -t "\t" > c:\temp\output.txt
Another example:
@echo off
rem %1 is the start date passed to psloglist -a. The .\logs folder must already exist.
for /f "tokens=1,2,3,4* delims=/ " %%i in ('date /t') do set TDDAY=%%i&set TDMM=%%j&set TDDD=%%k&set TDYY=%%l
for /f "tokens=1* delims=:" %%i in ('time /t') do set HH=%%i&set MM=%%j
echo.
echo Starting EDM server log dump (please wait it takes time)...
psloglist -accepteula \\server01,server02 -a %1 "EDM Server" -x -s -t "\t" >.\logs\Dump-Log_%TDDD%%TDMM%%TDYY%.txt
2) using wevtutil: http://technet.microsoft.com/en-us/magazine/dd310329.aspx
http://blogs.technet.com/b/server_core/archive/2006/09/25/458931.aspx
3) Using powershell:
4) using logparser:
https://mlichtenberg.wordpress.com/2011/02/03/log-parser-rocks-more-than-50-examples/
http://www.orcsweb.com/blog/desiree/how-to-use-log-parser-to-query-event-log-data/
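
For option 3 (PowerShell), an added example that is not from the original page or the linked posts: a function that writes one event per line, tab-separated, like the psloglist -s -t "\t" examples above, and treats Get-WinEvent's "no matching events" error as an empty result. The function name Export-EventsTsv and the output file names are assumptions.

```powershell
# Added example (not from the original page). Export-EventsTsv is a hypothetical name.
function Export-EventsTsv {
    param(
        [Parameter(Mandatory)] [string] $LogName,   # e.g. 'ForwardedEvents', 'Security'
        [Parameter(Mandatory)] [string] $Path,      # output file
        [int[]]    $Id,                             # optional event ID filter
        [datetime] $StartTime = (Get-Date).AddHours(-1),  # default: last hour
        [string]   $ComputerName                    # optional remote computer
    )

    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    if ($Id) { $filter.Id = $Id }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    try {
        $events = @(Get-WinEvent @params)
    }
    catch {
        # Get-WinEvent reports an error when nothing matches; treat that as "0 events".
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { throw }
    }

    # Create the output folder if it does not exist yet.
    $dir = Split-Path -Parent $Path
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Collapse line breaks and tabs inside Message so each event stays on one line.
    $events | Sort-Object TimeCreated |
        Select-Object @{ n = 'TimeCreated'; e = { $_.TimeCreated.ToString('s') } },
            Id, LevelDisplayName, LogName, MachineName, ProviderName, RecordId,
            @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
        Export-Csv -Path $Path -Delimiter "`t" -NoTypeInformation -Encoding UTF8

    $events.Count   # number of events written
}

# Usage (constructed file names; reading the Security log needs an elevated session).
$date = Get-Date -Format ddMMyyyy
Export-EventsTsv -LogName ForwardedEvents -Path ".\logs\ForwardedEvents-$date.txt"
Export-EventsTsv -LogName Security -Id 851 -Path ".\logs\Security-851-$date.txt"
```

The resulting files open in Excel the same way as the psloglist output.txt.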