This application exports records from Window event log. It works with either a live event log or archived event logs (*.evt). It can read live data from servers over the network.
It supports the "logtail mode" that enables the program to continue reading from where it left off last time it was runned. The logtail data is saved on per server/log basis, this means that each event log source (uniquely identified by the server and name) has its own private logtail data. The logtail data is saved in the registry.Output format:
The output can be formatted, reordered and filtered in a flexible manner, see the 'Format' notes below. The output file is written in unicode, so theres no problem with different character set.
This is more or less an dump of 'evlogexp --help':
evlogexp.exe - filter and export event log. Usage: evlogexp.exe [-t] [-i file] [-o file] [-e ids] [-s \\server] Option: -t: Run in logtail mode. -i file: Read archived event log (*.evt). -o file: Write to output file. -e str: Colon separated list of event IDs. -s \\server: Read event log from server. -f str: Output format, see format section. -FS char: Use char as field separator (defaults to tab). -RS char: Use char as record separator (defaults to newline). -F type: Filter on SID type, see notes section. -T type: Filter on event type, see types section. -l name: Dump from event log with name, i.e. -l System. -u,--utc: Use UTC timezone for date and time. -H,--header: Print format header on first line. -h,--help: Show this help. -V,--version: Show version info. -d,--debug: Enable debug. Notes: 1. Option -t cant be used together with -i. 2. Argument for option -F is a major:minor value, where major is between 1 and 10. Commonly used values are: 1: A user SID. 5: A SID for a well-known group. 9: A SID for a computer. Possible minor values depends on the major value, e.g. 5:13 will list all anonymous logons. Format: The argument for -f is one or more of: u: Print date/time as UNIX timestamps. S: Print severity (like Warning, Success, ...) t: Print event type. D: Print date on form yyyy-mm-dd. T: Print time on form hh:mm:ss. r: Print event log record number. I: Print event ID. U: Print username. L: Print user logon domain. f: Print fully qualified username (like L\U). s: Print event source. C: Print computer name. x: Print the SID string. d: Print description strings. A: Use all format descriptors (uStDTrIULfsCxd). a: Same as A, but without the uSd format descriptors. The default format string is: tDTsIUC Separator: The argument for -FS and -RS is either an character, an symbolic name or an hexadecimal string (character). The symbolic name defined are: al: alert (bell) (\a) bs: backspace (\b) ht: horizontal tab (\t) nl: new line (\n) vt: vertical tab (\v) ff: form feed (\f) cr: carriage return (\r) Example: -FS vt or -FS 0x09 Types: The argument for -t is either one of: error: Error event. failure: Failure Audit event. success: Success Audit event. info: Information event. warning: Warning event.