Need Help Exporting Windows 2012R2 Application, System, and Security Event Logs to Excel in Table Format
Need help Exporting Windows 2012R2 Application, System, and Security Event Logs to Excel in Table format for Sort and Filtering on all Data Fields.
I've already tried to Save as CSV, but this is still in a Format that doesn't allow filter sorting on the Data Fields i.e. SourcePort and DestPort as a Table.
I don't have access to the Server directly to run any PowerShell Scripts either since I've performed a "Save As" .EVTX of the Server Security Event Log and am analyzing it offsite. I've opened the .EVTX on a Windows 7 Client and Filtered on Event ID is 5152, and done another Save As for the Filtered 5152 Events, but I need to narrow the results further using additional criteria of SourcePort OR DestPort 5033. Excel .XLSX would be my preferred method to filter sort the Data since I've not been able to construct a XPATH Manual Query that works.
I've already tried to Save as CSV, but this is still in a Format that doesn't allow filter sorting on the Data Fields i.e. SourcePort and DestPort as a Table.
I don't have access to the Server directly to run any PowerShell Scripts either since I've performed a "Save As" .EVTX of the Server Security Event Log and am analyzing it offsite. I've opened the .EVTX on a Windows 7 Client and Filtered on Event ID is 5152, and done another Save As for the Filtered 5152 Events, but I need to narrow the results further using additional criteria of SourcePort OR DestPort 5033. Excel .XLSX would be my preferred method to filter sort the Data since I've not been able to construct a XPATH Manual Query that works.
Rob Dyer
I haven't tried this but perhaps importing the .evtx file into a database (MS Access might work) then exporting to Excel.
ASKER
Never considered that Rob, but it's worth a try...
Thanks for the suggestion
Thanks for the suggestion
How about saving as a CSv file and then using a batch file and use something like findstr to specify the string you are looking for and then copying or printing just those records either to the screen or to a new file?
ASKER
Ok, I've attempted Access and CSV Options.
After going through the effort of installing Access and exporting/importing Event Logs as XML, Access wasn't capable of producing anything useful without a lot of extracurricular effort I was hoping to avoid.
CSV export was next up and while I'm able to produce CSV content with some limited utility the Port and IP information is embedded in a single cell with a lot of other data that would require more extracurricular effort to parse for Filter/Sort than I'm prepared to invest.
I've installed the SPLUNK Free Trial to see if that will provide the granularity I'm after without creating a custom solution. However, there is a limitation with importing an EVT or EVTX from another System that doesn't have SPLUNK which still leaves me with a gap for supporting external systems that I'm asked to analyze offline. Still haven't found what I'm looking for, but thanks for the suggestions.
Thanks for the suggestions, but I'm thinking SPLUNK is probably the way to go on this one.
After going through the effort of installing Access and exporting/importing Event Logs as XML, Access wasn't capable of producing anything useful without a lot of extracurricular effort I was hoping to avoid.
CSV export was next up and while I'm able to produce CSV content with some limited utility the Port and IP information is embedded in a single cell with a lot of other data that would require more extracurricular effort to parse for Filter/Sort than I'm prepared to invest.
I've installed the SPLUNK Free Trial to see if that will provide the granularity I'm after without creating a custom solution. However, there is a limitation with importing an EVT or EVTX from another System that doesn't have SPLUNK which still leaves me with a gap for supporting external systems that I'm asked to analyze offline. Still haven't found what I'm looking for, but thanks for the suggestions.
Thanks for the suggestions, but I'm thinking SPLUNK is probably the way to go on this one.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.