How to backup/export an event log to an evtx file with PowerShell

First, locate the event log you want to export.
The Get-WmiObject cmdlet lists all event logs, and you can narrow the list down with the Where-Object cmdlet.

Get-WmiObject -Class Win32_NTEventlogFile | Where-Object LogfileName -Match 'system'

Then you can assign the log file object to a variable and call its BackupEventlog method.
For example, to export or back up the System event log:

$log = Get-WmiObject -Class Win32_NTEventlogFile | Where-Object LogfileName -EQ 'system'
$log.BackupEventlog('e:\temp\system.evtx')

One-liner bonus

As I just explained on Stack Overflow, you can also perform the whole operation as a one-liner and get the same result.

(Get-WmiObject -Class Win32_NTEventlogFile | Where-Object LogfileName -EQ 'System').BackupEventlog('E:\Temp\System.evtx')
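
The calls above do not check the value that BackupEventlog returns, so a failed export can go unnoticed. The following added example (not from the original post) wraps the same WMI call in a hypothetical function, Backup-EventLogToEvtx, that checks the return code, uses a timestamped file name because the method will not overwrite an existing file, and records a SHA-256 hash of the export. The function name and the E:\Temp folder are assumptions.

```powershell
# Added example, not from the original post. Backup-EventLogToEvtx is a hypothetical name.
# Needs Windows PowerShell 4.0-5.1 (Get-WmiObject was removed in PowerShell 6+).
function Backup-EventLogToEvtx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,            # classic log, e.g. 'System'
        [Parameter(Mandatory)] [string] $DestinationFolder   # must exist, e.g. 'E:\Temp'
    )

    if (-not (Test-Path -LiteralPath $DestinationFolder -PathType Container)) {
        throw "Destination folder '$DestinationFolder' does not exist."
    }

    # BackupEventlog refuses to overwrite an existing file, so build a unique name.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = '{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, $LogName, $stamp
    $path  = Join-Path -Path $DestinationFolder -ChildPath $file

    # -EnableAllPrivileges turns on the privileges already held by the caller's
    # token; logs such as Security need them, so run from an elevated session.
    $log = Get-WmiObject -Class Win32_NTEventlogFile -EnableAllPrivileges |
        Where-Object LogfileName -EQ $LogName
    if (-not $log) { throw "Event log '$LogName' was not found." }

    # The method returns an object whose ReturnValue is 0 on success.
    $result = $log.BackupEventlog($path)
    switch ($result.ReturnValue) {
        0       { break }
        8       { throw "Privilege missing: run elevated to back up '$LogName'." }
        21      { throw "Invalid parameter: check the path '$path'." }
        183     { throw "Archive file already exists: '$path'." }
        default { throw "BackupEventlog failed with code $($result.ReturnValue)." }
    }

    # Hash the export so later copies can be checked against the original.
    $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256
    [pscustomobject]@{
        Log       = $LogName
        Path      = $path
        SizeBytes = (Get-Item -LiteralPath $path).Length
        SHA256    = $hash.Hash
    }
}

# Usage with a constructed destination folder:
Backup-EventLogToEvtx -LogName 'System' -DestinationFolder 'E:\Temp'
```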

2 thoughts on “How to backup/export an event log to an evtx file with PowerShell”

    1. Hi Manfred!
      This WMI object is only intended to handle the whole log file and not its content.
      Thus if you want to filter events inside you have to use other methods like the Get-Winevent cmdlet, but then you can unfortunately not export it in an EVTX format.
