PowerShell / PrivateCloud.DiagnosticInfo

MIT License

Export Event evtx Logs as CSV #113

Open jlgandy2 opened 5 years ago

jlgandy2 commented 5 years ago

Would be nice to have the .evtx logs as CSV to put them in Excel to be able to use filtering like we can with the MSDT outputs.

dl2n commented 5 years ago

EVTX is the native format and for the purposes of the triage package itself, given how much of the package size comes from event channels, we would not want to inflate it further with additional renderings of the same information.

In any case, there isn’t a canonical conversion to CSV I can easily think of; each event is its own data schema.

It should be possible to post-process specific channels/events as you like. I’d be happy to iterate on sample code to do that if you have thoughts on what would be useful.


jlgandy2 commented 5 years ago

Yeah, I see your point. Output size would be more, but I would still love to see these event logs in CSV like the old tools SDP and MSDT. The evtx files take way too long to open one by one and require DLLs the client systems do not have to decode the Message data. Opening multiple evtx files to correlate them is near impossible with Message Analyzer, it is so slow. I have tried post processing with PowerShell Get-WinEvent, but this is even worse for how long it takes to convert them. Logparser is by far the fastest to convert evtx to csv, but it does not support the new roles like S2D and SDN. I even reached out to the original developer of Logparser to see if he could update it, but he said "probably it's a new EventSource registration mechanism not supported by LogParser". Is there another solution? Could we add a switch so that if you wanted the evtx files converted to CSV you could add it, and it would not be the default functionality?

dl2n commented 5 years ago

The current version of Get-Sddc pulls in the LocalMetadata for the event channels, so they should render the messages on any system (this is the wevtutil al/archive-log you’ll see in the module).

I’ve seen this light up in eventvwr.msc, Message Analyzer and from get-winevent. You should see the LM directory in the per-node directories; specifying path\to\the.evtx is enough to power up the event infrastructure to notice the presence of LM next to the EVTX and it Just Works.

I agree get-winevent is painfully slow. It’s the only thing I know we have access to within Get-Sddc; this is where Get-FilterXpath came from in the last release. Anything I can pre-filter that way is huge for performance. Anything that has to pop out of get-winevent seems to cost about 50-100ms per event to render.

I’m not aware of what logparser would need to do. My guess is that it has a canned schema for each event it renders, or a generic one that simply renders the event message and the event’s system properties?

We’re simply pulling a large number of inbox event channels.

We’d be happy to take a contribution that would render EVTX to CSV if it relies on inbox tools.

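As an added example (not code from the module or from either participant), here is one way to do the inbox-tools rendering described above: Get-WinEvent over a single Get-Sddc EVTX, pre-filtered with -FilterXPath so the slow per-event rendering only runs on events you keep, with Message text resolved through the LocalMetadata directory that wevtutil archive-log leaves beside the file. The column set, the default XPath filter and the flattening of EventData into one string are my assumptions.

```powershell
# Added example: render one EVTX collected by Get-Sddc to CSV using only inbox cmdlets.
# Assumes the LocalMetadata (LM) directory sits next to the .evtx, which is what lets
# Get-WinEvent render Message text on a box that lacks the original provider DLLs.
param(
    [Parameter(Mandatory)] [string] $EvtxPath,
    [string] $OutCsv = [IO.Path]::ChangeExtension($EvtxPath, '.csv'),
    # XPath pre-filter (assumed default): Critical/Error/Warning only; pass '*' for everything.
    [string] $XPath = '*[System[(Level>=1 and Level<=3)]]'
)

$EvtxPath = (Resolve-Path -LiteralPath $EvtxPath).Path
$lm = Join-Path (Split-Path -Parent $EvtxPath) 'LocalMetadata'
if (-not (Test-Path -LiteralPath $lm)) {
    Write-Warning "No LocalMetadata directory next to $EvtxPath; Message text may be blank."
}

# Fixed "system" columns common to every event plus the rendered message; the
# per-event EventData (each event has its own schema) is flattened into one
# Name=Value string so the CSV stays one row per event and filters cleanly in Excel.
Get-WinEvent -Path $EvtxPath -FilterXPath $XPath -Oldest -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev  = $_
        $xml = [xml] $ev.ToXml()
        # A single unnamed <Data> comes back as a plain string; named ones as XmlElements.
        $data = @(foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d -is [string]) { $d }
            elseif ($d.Name)     { "$($d.Name)=$($d.'#text')" }
            else                 { $d.'#text' }
        }) | Where-Object { $_ }
        [pscustomobject]@{
            TimeCreatedUtc = $ev.TimeCreated.ToUniversalTime().ToString('o')
            Computer       = $ev.MachineName
            Channel        = $ev.LogName
            Provider       = $ev.ProviderName
            EventId        = $ev.Id
            Level          = $ev.LevelDisplayName
            RecordId       = $ev.RecordId
            Message        = ($ev.Message -replace '\s+', ' ')
            EventData      = ($data -join '; ')
        }
    } | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8

Write-Host "Wrote $OutCsv"
```

Run it per channel file (for example in a loop over a node's *.evtx) and widen the XPath only when you need the Information-level noise, since each extra event costs a full render.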

jlgandy2 commented 5 years ago

Found the original script used by the MSDT and SDP tools to export evtx to CSV. The script name is GetEvents.VBS and its author was Andre Teixeira - andret@microsoft.com. It uses wevtutil, which is a native tool for exporting event logs to CSV or other formats. Does this help?

dl2n commented 5 years ago

I'm not familiar with how to do that, sorry.


From: jlgandy2 notifications@github.com Sent: Thursday, December 13, 2018 9:15 AM To: PowerShell/PrivateCloud.DiagnosticInfo Cc: Dan Lovinger; Comment Subject: Re: [PowerShell/PrivateCloud.DiagnosticInfo] Export Event evtx Logs as CSV (#113)

Is there a way to use the MTA files for the EVTX to CSV conversion?