Here's a little background. I'm trying to read in .evt files with LogParser, but I'm getting a message saying that the file is corrupted. After some reading, it turns out it most likely has to do with the fact that I'm using Windows 7.
Here's my question. I want to take a .evt file and convert it to .evtx. Problem is, the file is from another machine, so I can't use a command like:
wevtutil epl application.evt application.evtx /lf:true
So what I need to do is something like:
wevtutil epl c:\evt\testlog.evt c:\evt\testlog.evtx /if:true
If I try to run the above, I get a message saying "Invalid option if. Option is not supported. The parameter is incorrect."
Note that I can't use the Windows Event Viewer to just "save as". I must do this via CLI.
What am I missing?
As grandpa would say, "I fingered it out". I had to run wevtutil IN THE DIRECTORY where the .evt files reside. So the command looks like this:
wevtutil epl testlog.evt testlog2.evtx /lf
Hopefully this helps some other poor soul.
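
The conversion from the answer above, generalized to every .evt file in a folder, as an added example that is not part of the original post. It assumes the copied logs sit in C:\evt (the folder named in the question) and uses only the `wevtutil epl ... /lf:true` form shown on the page; the function name `Convert-EvtToEvtx` is made up for illustration.

```powershell
# Added example, not from the original post.
# Assumption: C:\evt is the folder holding the .evt files copied from the other machine.
param([string]$EvtDir = 'C:\evt')

function Convert-EvtToEvtx {
    param([Parameter(Mandatory = $true)][string]$Directory)

    # Work from inside the folder, as the answer describes.
    Push-Location -LiteralPath $Directory
    try {
        # -Filter '*.evt' can also match .evtx names, so compare the extension exactly.
        $logs = Get-ChildItem | Where-Object {
            -not $_.PSIsContainer -and $_.Extension -eq '.evt'
        }
        foreach ($log in $logs) {
            $target = [IO.Path]::ChangeExtension($log.Name, '.evtx')
            if (Test-Path -LiteralPath $target) {
                # Never overwrite an earlier conversion silently.
                $status = 'skipped (target exists)'
            } else {
                # /lf:true tells wevtutil the source is a log file on disk,
                # not the name of a live log on this machine.
                & wevtutil.exe epl $log.Name $target /lf:true
                if ($LASTEXITCODE -eq 0) { $status = 'converted' }
                else { $status = "failed (exit code $LASTEXITCODE)" }
            }
            # One result row per source file, so failures are easy to spot.
            New-Object PSObject -Property @{
                Source = $log.Name; Target = $target; Status = $status
            }
        }
    } finally {
        Pop-Location
    }
}

Convert-EvtToEvtx -Directory $EvtDir | Format-Table Source, Target, Status -AutoSize
```

The original .evt files are left untouched, so they can be kept as the reference copy alongside the converted .evtx output.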