How to Export Windows Event Logs with WinRS Client


Article ID: 161293



Control Compliance Suite Windows


You need to export Windows Event Logs with hostnames, usernames, groups, etc. in human-readable form.


If you export the logs from the Event Viewer, the hostnames, usernames, groups and other objects appear as GUIDs, which are not useful when looking through the logs.

When the logs are exported using the WinRS client, Windows performs the translation and exports the data with the human-readable values.


You must be logged in with a Domain Account that has Local Administrator privileges to run the commands for exporting the appropriate Windows Event Logs.

  1. To run the commands, open a command prompt with Administrator privileges.
  2. Run the command winrm quickconfig
  3. Answer y to continue

Run the commands below.
Note: these commands only export the 500 most recent events.  If you need more, increase the number following "/c:".

  • Application
    C:\Windows\System32\winrs.exe -r: -u:[email protected] -p:PASSWORD "wevtutil qe application /c:500 /rd:true /f:text" >> application_log.txt
  • Security
    C:\Windows\System32\winrs.exe -r: -u:[email protected] -p:PASSWORD "wevtutil qe security /c:500 /rd:true /f:text" >> security_log.txt
  • System
    C:\Windows\System32\winrs.exe -r: -u:[email protected] -p:PASSWORD "wevtutil qe system /c:500 /rd:true /f:text" >> system_log.txt

Remove the listener created by the winrm quickconfig command run in step 2 above.

In the command prompt with Administrator privileges, run the command winrm delete /winrm/config/Listener?Address=*+Transport=HTTP
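
The whole procedure as one script, as an added example that is not part of the original article: it records whether a WinRM HTTP listener already existed so that cleanup removes only a listener this run created, and it counts the exported records against the /c: limit. It is written for an elevated PowerShell prompt; $Target, $Count, $OutDir and Test-HttpListener are hypothetical names, and it assumes the logged-on domain account is an administrator on the target so that -u: and -p: can be omitted.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
# $Target (the -r: value), $Count, $OutDir and Test-HttpListener are hypothetical names.
param(
    [Parameter(Mandatory)][string]$Target,
    [int]$Count = 500,
    [string]$OutDir = '.'
)

function Test-HttpListener {
    # True when a WinRM HTTP listener is configured on this machine.
    $out = & winrm enumerate winrm/config/Listener 2>$null
    [bool]($out | Select-String -Pattern 'Transport\s*=\s*HTTP\b' -Quiet)
}

# Remember whether a listener already existed, so cleanup removes only one created here.
$hadListener = Test-HttpListener
if (-not $hadListener) { & winrm quickconfig -quiet }

try {
    foreach ($log in 'application', 'security', 'system') {
        $file = Join-Path $OutDir "${log}_log.txt"
        # Assumption: without -u:/-p: winrs authenticates as the logged-on account,
        # so no password appears on the command line.
        $text = & winrs.exe "-r:$Target" "wevtutil qe $log /c:$Count /rd:true /f:text"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$log export failed (exit code $LASTEXITCODE)"
            continue
        }
        $text | Set-Content -Path $file -Encoding UTF8
        # wevtutil's text format starts each record with an "Event[n]:" line.
        $n = @($text | Select-String -Pattern '^Event\[\d+\]:').Count
        Write-Host "$log : $n events -> $file"
        if ($n -ge $Count) {
            Write-Warning "$log reached the /c:$Count limit; older events may not be exported"
        }
    }
}
finally {
    if ($hadListener) {
        Write-Host 'HTTP listener existed before this run; left in place.'
    } else {
        & winrm delete 'winrm/config/Listener?Address=*+Transport=HTTP'
        if (Test-HttpListener) { Write-Warning 'HTTP listener is still present.' }
    }
}
```

winrm quickconfig also starts the WinRM service and adds a firewall exception, which deleting the listener does not revert.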