Windows: Export EventLog from command line

Hi,

Windows has a builtin command line utility to deal with Eventlogs: wevtutil

Some examples.

List all registered Eventlogs

D:\> wevtutil el

Export the System EventLog to a file

D:\> wevtutil epl System %temp%\%Computername%_System_log.evtx

Or the Remote Desktop EventLog to a file

D:\> wevtutil epl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational %temp%\%Computername%_rdp_log.evtx

Search the last 100 Entries in Application EventLog for an Event with ID 1704 as Text

D:\> wevtutil qe Application /q:"Event/System/EventID=1704" /c:100 /f:text

Michael

2 thoughts on “Windows: Export EventLog from command line”

how can i export specific event id in Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational via using epl command?

Hi Bab,

really straightforward

D:\> wevtutil  qe Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational /q:"Event/System/EventID=148"

or to file

D:\> wevtutil  epl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational /q:"Event/System/EventID=148"  %temp%\test.evtx

Michael

Michls Tech Blog