Tags: powershell, logging, event-viewer

Export Critical, Warning and Errors events from Windows Logs


I'm using most of the script from here: https://kb.webspy.com/s/article/windows-event-logs-and-powershell

However, I was wondering if there is a way to only export Critical, Warning and Error events. I know those event levels are 1-3.

Get-WinEvent -FilterHashTable @{LogName = "System"; Level=1,2,3; StartTime=((Get-Date).AddDays(-7))} -ComputerName "server1" #| Out-GridView

I was just wondering where to add the level to this script.

# Logs to extract from server
$logArray = @("System","Security","Application")

# Grabs the server name to append to the log file extraction
$servername = $env:computername

# Provide the path with ending "\" to store the log file extraction.
$destinationpath = "C:\WindowsEventLogs\"

# Checks the last character of the destination path.  If it does not end in '\' it adds one.
# '.+?\\$' : .+? means any characters, \\ matches the backslash, $ is the end-of-line character
if ($destinationpath -notmatch '.+?\\$')
{
    $destinationpath += '\'
}

# If the destination path does not exist it will create it
if (!(Test-Path -Path $destinationpath))
{
    New-Item -ItemType directory -Path $destinationpath
}

# Get the current date in YearMonthDay format
$logdate = Get-Date -format yyyyMMddHHmm

# Start Process Timer
$StopWatch = [system.diagnostics.stopwatch]::startNew()

# Start Code
Clear-Host

Foreach($log in $logArray)
{
    # If using Clear and backup
    $destination = $destinationpath + $servername + "-" + $log + "-" + $logdate + ".evtx"

    Write-Host "Extracting the $log file now."

    # Extract each log file listed in $logArray from the local server.
    wevtutil epl $log $destination

}

# End Code

# Stop Timer
$StopWatch.Stop()
$TotalTime = $StopWatch.Elapsed.TotalSeconds
$TotalTime = [math]::Round($totalTime, 2)
write-host "The Script took $TotalTime seconds to execute."

Solution

  • It seems like the code is using wevtutil to retrieve information about event logs.

    wevtutil epl $log $destination
    

    From the documentation, wevtutil also accepts different options, one of which is /q:<Query>.

    Defines the XPath query to filter the events that are read or exported. If this option is not specified, all events will be returned or exported. This option is not available when /sq is true.

    So you could create an XPath query to apply a filter based on event levels:

    wevtutil epl $log $destination /q:"*[System[(Level=1 or Level=2 or Level=3)]]"
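The following script is an added example that is not part of the original question or answer. It combines the asker's export loop with the answerer's /q: filter, restricting the export to Level 1-3 events created in the last seven days via the same timediff() clause that Event Viewer emits for a custom XML filter, and then reads each exported .evtx back with Get-WinEvent to confirm the filter was applied. The output folder, the seven-day window and the log names are assumptions for illustration.

```powershell
# Added example (not from the original question or answer): export only
# Critical (1), Error (2) and Warning (3) events from the last $days days
# for each log in $logArray, then verify the exported files.
$logArray        = @("System", "Application")       # assumed; add "Security" if running elevated
$destinationpath = "C:\WindowsEventLogs\"            # assumed output folder
$servername      = $env:COMPUTERNAME
$logdate         = Get-Date -Format yyyyMMddHHmm
$days            = 7                                 # assumed time window

if (-not (Test-Path -Path $destinationpath)) {
    New-Item -ItemType Directory -Path $destinationpath | Out-Null
}

# XPath filter evaluated by the event log service:
#   Level 1-3 only, and TimeCreated within the last $days days.
#   timediff(@SystemTime) is milliseconds between the event and now.
$msWindow = $days * 24 * 60 * 60 * 1000
$xpath = "*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= $msWindow]]]"

foreach ($log in $logArray) {
    $destination = Join-Path $destinationpath ("{0}-{1}-{2}.evtx" -f $servername, $log, $logdate)
    Write-Host "Exporting Level 1-3 events from $log to $destination"

    # /q: applies the XPath filter; /ow:true overwrites a file from an earlier run.
    wevtutil epl $log $destination "/q:$xpath" /ow:true

    # Verification: read the exported file back and count events per level.
    # Get-WinEvent raises a non-terminating error when a file holds no events,
    # so suppress it and report zero instead.
    $events = Get-WinEvent -Path $destination -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host "  $log : no matching events in the last $days days"
        continue
    }
    $events | Group-Object -Property Level | Sort-Object -Property Name | ForEach-Object {
        Write-Host ("  {0} : Level {1} -> {2} event(s)" -f $log, $_.Name, $_.Count)
    }
    # Sanity check: nothing outside Level 1-3 should have been exported.
    $unexpected = $events | Where-Object { $_.Level -lt 1 -or $_.Level -gt 3 }
    if ($unexpected) {
        Write-Warning "$log : $($unexpected.Count) event(s) outside Level 1-3 were exported"
    }
}
```

Two caveats for anyone adapting this: exporting the Security log requires an elevated session, and its events are all Level 0 (Information), distinguishing outcomes through the Audit Success and Audit Failure keywords rather than the level, so a Level=1..3 filter exports nothing useful from it; for that log, filter on Keywords instead. The verification pass also shows why reading the .evtx back matters: a typo in the XPath does not make wevtutil fail, it silently exports zero events, which is easy to miss if the script only prints "Extracting".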