How to Export Windows Event Logs with WinRS Client

Article ID: 161293

Products

Control Compliance Suite Windows

Issue/Introduction

You need to export Windows Event Logs, but you also need the hostnames, usernames, groups and other objects in them to appear in human-readable form.

Cause

If you export the logs from the Event Viewer, the hostnames, usernames, groups and other objects appear as GUIDs, which are not useful when looking through the logs.

When the logs are exported using the WinRS client, Windows performs the translations and exports the data with the human-readable values.

Resolution

You must be logged in with a Domain Account that has Local Administrator privileges to run the commands for exporting the appropriate Windows Event Logs.

  1. To run the commands, open a command prompt with Administrator privileges.
  2. Run the command winrm quickconfig
  3. Answer y to continue

Run the commands below.
Note: these commands only export the 500 most recent events. If you need more, increase the number following "/c:".

  • Application Logs
    C:\Windows\System32\winrs.exe -r:http://127.0.0.1:5985 -u:USERNAME@DOMAIN -p:PASSWORD "wevtutil qe application /c:500 /rd:true /f:text" >> application_log.txt

  • Security
    C:\Windows\System32\winrs.exe -r:http://127.0.0.1:5985 -u:USERNAME@DOMAIN -p:PASSWORD "wevtutil qe security /c:500 /rd:true /f:text" >> security_log.txt

  • System
    C:\Windows\System32\winrs.exe -r:http://127.0.0.1:5985 -u:USERNAME@DOMAIN -p:PASSWORD "wevtutil qe system /c:500 /rd:true /f:text" >> system_log.txt

Remove the listener created by the winrm quickconfig command run in Step 2 above.

In the command prompt with Administrator privileges, run the command winrm delete /winrm/config/Listener?Address=*+Transport=HTTP
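As an added example (not part of the original article), the following PowerShell script performs the same procedure non-interactively: it prompts for the credential instead of hard-coding PASSWORD, exports the three logs through winrs, and removes the HTTP listener only if one did not already exist before quickconfig ran. It assumes an elevated PowerShell session on the host whose logs are being exported; the parameter names and the output file layout are this example's own choices.

```powershell
# Added example, not from the original article: runs the article's export
# procedure end-to-end and removes only the listener it created.
# Assumes an elevated PowerShell session and a domain account with local
# Administrator rights; the credential is prompted for, not hard-coded.
param(
    [int]$Count = 500,                                  # matches the article's /c:500
    [string[]]$Logs = @('Application', 'Security', 'System'),
    [string]$OutDir = '.'
)

$cred  = Get-Credential -Message 'Domain account with local Administrator rights'
# winrs only accepts the password on its command line (as -p:PASSWORD in the
# article), so it is visible in local process listings while each export runs.
$plain = $cred.GetNetworkCredential().Password

# Record whether an HTTP listener already existed so the cleanup step does not
# remove one the host was relying on before this script ran.
$hadHttpListener = [bool]((winrm enumerate winrm/config/listener 2>$null) -match 'Transport = HTTP')

# Steps 2 and 3 of the article, non-interactive (-q answers "y" for you).
winrm quickconfig -q | Out-Null

try {
    foreach ($log in $Logs) {
        $outFile   = Join-Path $OutDir ("{0}_log.txt" -f $log.ToLower())
        $winrsArgs = @(
            '-r:http://127.0.0.1:5985',
            "-u:$($cred.UserName)",
            "-p:$plain",
            "wevtutil qe $log /c:$Count /rd:true /f:text"
        )
        # Per the article, running wevtutil through winrs yields human-readable names.
        & "$env:SystemRoot\System32\winrs.exe" @winrsArgs | Out-File -FilePath $outFile -Encoding utf8
    }
}
finally {
    Remove-Variable plain
    # Step 4 of the article: remove the temporary HTTP listener.
    if (-not $hadHttpListener) {
        winrm delete 'winrm/config/Listener?Address=*+Transport=HTTP' | Out-Null
        if ((winrm enumerate winrm/config/listener 2>$null) -match 'Transport = HTTP') {
            Write-Warning 'An HTTP WinRM listener is still present; check winrm enumerate winrm/config/listener.'
        }
    }
}
```

Like the article's final step, this removes only the listener; the WinRM service startup type and the firewall exception that winrm quickconfig also enables are left unchanged and should be reviewed separately if the host did not use WinRM before.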