Event Log Parser

The Event Log Parser can be used to parse *.evtx files. EVTX is a proprietary binary file format from Microsoft. Because the format is binary, the files are not human readable, and a CSV export is sometimes preferred instead.

This documentation covers both the Event Log Parser and a CSV file export. Reading log entries directly from the Windows Event Log is also supported; this is covered in the Windows Events documentation.

EVTX File Export

To export your event log entries as an EVTX file, first open Event Viewer and select the log category that you want to export. Next, right-click the target category and select "Save All Events As...".

When prompted, enter a name for your new EVTX file and select "Event Files" as the saved type.

Finally, click "Save" to export the event log entries. The exported EVTX file can be opened in LogViewPlus immediately without any further configuration.

CSV File Export

To export your event log entries as a CSV file, first open Event Viewer and select the log category that you want to export. Log entries will be exported as they appear in the log viewer grid. Changes made to column sorting will be preserved.

With Event Viewer open, right-click the target log category and select "Save All Events As...".

When prompted, enter a name for your new CSV file and select "CSV (Comma Separated)" as the saved type.

Finally, click "Save" to export the event log entries.

Before we open our new CSV log file in LogViewPlus, we need to configure the application so it can parse the CSV file. To do this, go to Settings -> Parser Mappings and click 'Add'. In the parser configuration dialog, enter a filename pattern that matches the file name given to your CSV file. Next, set the parser type to DSV Parser and the parser arguments to:

%p,%d,%S{Source},%S{Event ID},%S{Task Category},%m%n

Click Save followed by OK to save the parser settings.

We are now ready to open the CSV export file we created earlier. Opening this file in LogViewPlus will show all of the exported events in the log entry grid. Any future CSV event log exports will need separate configuration if the filename patterns do not match.
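The same column mapping can be checked outside the application before relying on the parser pattern. The following is an added example, not LogViewPlus code: it reads a CSV export in the field order given by the parser arguments above, rejects a file whose columns differ, and keeps multi-line messages intact. The function names, the assumed header row with an unnamed message column, and the sample events are constructed for illustration.

```python
import csv
import io

# Field order taken from the parser arguments on this page:
# %p,%d,%S{Source},%S{Event ID},%S{Task Category},%m%n
FIELDS = ["Level", "Date and Time", "Source", "Event ID", "Task Category", "Message"]

# Constructed sample export (assumed layout: header row, quoted multi-line message).
SAMPLE = (
    "Level,Date and Time,Source,Event ID,Task Category\r\n"
    'Information,1/15/2024 9:02:11 AM,Service Control Manager,7045,None,'
    '"A service was installed in the system.\r\n\r\nService Name:  ExampleSvc\r\n'
    'Service File Name:  C:\\Example\\svc.exe"\r\n'
    'Error,1/15/2024 9:05:40 AM,Service Control Manager,7034,None,'
    '"The ExampleSvc service terminated unexpectedly.  It has done this 1 time(s)."\r\n'
)

def parse_export(text):
    """Return one dict per event; raise if the columns do not match the pattern."""
    rows = csv.reader(io.StringIO(text, newline=""))
    header = next(rows)
    # The message column may be unnamed in the header, so compare only the named part.
    expected = FIELDS[:len(header)]
    if header != expected or len(header) < len(FIELDS) - 1:
        raise ValueError(f"column layout {header} does not match the parser pattern")
    events = []
    for row in rows:
        if not row:
            continue
        # Anything past the fifth column belongs to the message (%m runs to the end).
        fixed, message = row[:5], ",".join(row[5:])
        events.append(dict(zip(FIELDS, fixed + [message])))
    return events

def service_installs(events):
    """Events a reviewer would check first: new services (Event ID 7045)."""
    return [e for e in events
            if e["Source"] == "Service Control Manager" and e["Event ID"] == "7045"]

if __name__ == "__main__":
    for e in parse_export(SAMPLE):
        print(e["Date and Time"], e["Level"], e["Event ID"], e["Message"].splitlines()[0])
```
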

