Cyber Defense

Dump Windows Event Logs To CSV Text Files (VBScript)

There are a number of tools available for dumping Windows event logs to text files, but there always seems to be a problem or missing data or weird formatting or license issues or...something!

This DumpEventLog.vbs script hopefully is better or at least sucks less; its features are:

  • Writes output to well-formed CSV text file (one line per log entry, crazy Microsoft formatting cleaned out).
  • Works against local and remote systems running Windows 2000 or later (if you have admin privileges).
  • Can output all the data from each log entry, even the "insertion strings" and binary attachments (in hex).
  • Dump one, some or many event logs on a system by name, or use /all switch to dump them all.
  • Events from all the logs are first sorted by time to maintain chronology, then appended to the CSV file.
  • CSV data can be directly opened in a spreadsheet or easily imported into a database.
  • Script uses asynchronous WMI queries (SWbemSink object) so it's relatively fast for not being a binary.
  • Written in VBScript, so it's easy to edit if you want to change the output or otherwise modify it.
  • Public domain, do with it as you wish!

The intent of the script is to be able to consolidate event log data from multiple machines at one location for local analysis using PowerShell, grep, Excel or whatever your favorite tools are, then to compress the CSV files with gzip for archival. In the zip file with the script are some sample batch scripts for extracting events of different types. (If you want a PowerShell version of the script, I'll get around to it eventually!)

The script is in the public domain. You can get the script from the SEC505 zip file in the Downloads area of this blog. The script is named "DumpEventLog.vbs" and is located in the VBScriptEventLogs folder inside the scripts zip file. The zip contains many other folders and scripts as well that I hope you will find useful.

Switches

In a command shell, run "cscript.exe dumpeventlog.vbs /?" to see the help for the script.

DumpEventLog.vbs target file.csv "logname(s)" [/clear] [/v] [/dumphex]
DumpEventLog.vbs target file.csv /all [/clear] [/v] [/dumphex]

Target is the name or IP address of the system from which to extract event log data.

File.csv is the name or full path to a text file, to which the extracted data will be appended.

"Logname(s)" is a comma-separated list of event log names to be dumped (not case sensitive).

/All will dump all the event logs, whatever their names are (not limited to System, Security and Application).

/Clear will clear each log afterwards.

/V for verbose output with entry message text.

/DumpHex implies /V and will also dump insertion strings and any binary attachments.

Target machine must be Windows 2000 or later, running the Windows Management Instrumentation (WMI) service, without firewall restrictions for the necessary RPC traffic. Authentication is single sign-on, so you'll likely need to log on locally as a Domain Admin in order to dump any log from any remote machine in your domain. If you schedule the script, it must run under the context of an account (probably a global account) with the necessary privileges to extract/clear the Security event log.
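As an added example (not DumpEventLog.vbs itself and not code from this page), here is the script's core workflow in PowerShell using the same WMI classes: enumerate logs through Win32_NTEventlogFile, query Win32_NTLogEvent per log, sort all events by time, append them to a CSV file, and optionally call ClearEventLog. It goes beyond the original by adding a -Days cutoff, which the script does not have. Assumptions: Windows PowerShell 3.0 or later (for Export-Csv -Append), local Administrators rights on the target, RPC/WMI reachable, and a column set and Format-OneLine cleanup that are my own choices rather than the script's.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Target,   # name or IP of the system to query
    [Parameter(Mandatory=$true)][string]$OutFile,  # CSV file the rows are appended to
    [string[]]$LogNames = @('System', 'Application', 'Security'),
    [switch]$All,     # every log Win32_NTEventlogFile reports, like /all
    [switch]$Clear,   # clear each log after dumping it, like /clear
    [int]$Days = 0    # 0 = whole log; N = last N days only (goes beyond the original script)
)
# One line per entry: collapse CR/LF/tab and drop non-ASCII characters. This is
# an approximation of the script's cleanup, not its own regex.
function Format-OneLine([string]$s) {
    if ([string]::IsNullOrEmpty($s)) { return '' }
    return ($s -replace '[\r\n\t]+', ' ') -replace '[^\x20-\x7E]', ''
}
# Win32_NTEventlogFile lists the logs and is the class that exposes ClearEventLog().
$logFiles = Get-WmiObject -ComputerName $Target -Class Win32_NTEventlogFile
if (-not $All) {
    $logFiles = $logFiles | Where-Object { $LogNames -contains $_.LogfileName }
}
if (-not $logFiles) { throw "No matching event logs found on $Target" }

# Optional cutoff in DMTF form (yyyymmddHHMMSS.mmmmmm+offset), the format WMI uses for TimeGenerated.
$since = ''
if ($Days -gt 0) {
    $dmtf  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$Days))
    $since = " AND TimeGenerated >= '$dmtf'"
}
$rows = foreach ($log in $logFiles) {
    $wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='$($log.LogfileName)'$since"
    Get-WmiObject -ComputerName $Target -Query $wql | ForEach-Object {
        # Binary attachment rendered as hex, like /dumphex.
        $hex = if ($_.Data) { ($_.Data | ForEach-Object { '{0:X2}' -f $_ }) -join '' } else { '' }
        [pscustomobject]@{
            # ConvertToDateTime renders the DMTF stamp as local time on the collecting box,
            # so hosts that store UTC and hosts that store local time line up in one file.
            TimeGenerated    = $_.ConvertToDateTime($_.TimeGenerated).ToString('yyyy-MM-dd HH:mm:ss')
            Computer         = $_.ComputerName
            Logfile          = $_.Logfile
            EventCode        = $_.EventCode
            Type             = $_.Type
            SourceName       = $_.SourceName
            User             = $_.User
            Message          = Format-OneLine $_.Message
            # Insertion strings joined with a single space, the delimiter the script uses.
            InsertionStrings = Format-OneLine ($_.InsertionStrings -join ' ')
            DataHex          = $hex
        }
    }
}
# Sort across all logs by time before appending, so the CSV stays chronological.
$rows | Sort-Object TimeGenerated | Export-Csv -Path $OutFile -Append -NoTypeInformation -Encoding ASCII

if ($Clear) {
    foreach ($log in $logFiles) {
        $r = $log.ClearEventLog()   # WMI method; ReturnValue 0 means the log was cleared
        if ($r.ReturnValue -ne 0) { Write-Warning "ClearEventLog on $($log.LogfileName) returned $($r.ReturnValue)" }
    }
}
```

Run it as, for example, `.\Dump-EventLogWmi.ps1 -Target server1 -OutFile events.csv -All -Days 30`; the filtering and clearing happen on the target, so the account used needs the same rights the page describes for the Security log.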

(On a side note, the script was originally written for a scripting course for the sake of discussing WMI, synchronous vs. asynchronous WMI queries, regular expressions, and how to use a connectionless recordset with ADO, so you might find the badly-written code interesting if you're learning VBScript.)

The Batch Scripts

The other batch scripts in the zip download, such as Last_50_Failed_Logons_In_Excel.bat, are simply to demo how fast and convenient it is to analyze event log data from the command line using free tools like findstr.exe, grep.exe, tail.exe, etc. Run the AutoDumpAndClearEventLogs.bat first on a test machine to get rolling.

Download the SEC505 zip file from the Downloads page of this blog, then look in the VBScriptEventLogs folder inside the zip.

[Updated 17.Nov.09: Script changed to more aggressively clean out unicode characters which cause problems in 64-bit Windows.]

42 Comments

Posted September 15, 2009 at 3:00 PM | Permalink | Reply

Robert Lindholm

Hello:
First of all, let me say THANK YOU for creating this script; I have been looking for a tool like this now for some time and it will be VERY helpful in maintaining the event logs on the systems I manage.
However, I'm running into a problem [below] retrieving the event logs from remote hosts; I realize this is most likely an "as is" scenario without any formal support, but if you can make any suggestions regarding this issue or point me in the direction of a forum I can post this too, I would greatly appreciate it.
>>>>>> ERROR: Problem executing WMI query to select data.
Error Number: -2147023174
Description: The RPC server is unavailable.
Error Source: SWbemServicesEx
Script Name: dumpeventlog.vbs
Thanks again,
Bob

Posted September 16, 2009 at 2:48 PM | Permalink | Reply

Jason Fossen

Hi Robert:
I'd check a few things, many of which you've probably already done: 1) WMI service is running at the target box, 2) target box is a member of the forest and the logon account under which you are running the script is a member of the local Administrators group on the target box, 3) there are no local or remote firewall rules blocking the RPC traffic, 4) WMI or RPC security settings aren't different on the target box than your other servers where the script is working, and 5) that there aren't other WMI- or RPC-related errors in the event logs of the target box. You can also try remotely connecting with Microsoft's WMIC.EXE and WBEMTEST.EXE tools to see what errors are produced. There's also a bunch of WMI* scripts in the scripts.zip file in the Downloads page of this blog which can be used to test/interact with WMI in order to stir up more detailed errors and event log messages. Microsoft also has some WMI troubleshooting guidance on their web site.

Posted March 10, 2014 at 8:02 PM | Permalink | Reply

Charles

Hello,
Is there an easy way to modify the script to only grab the last X number of days worth of logs?
I have tried doing a check before writing to the CSV file and I have tried modifying the Query. So far no luck.
Thank you,
Charles

Posted September 24, 2009 at 2:29 PM | Permalink | Reply

Robert Lindholm

Jason:
Sorry for the delayed response; I'll look into your recommendations above and thanks for getting back to me on this issue, I appreciate it.
Bob

Posted October 9, 2009 at 2:11 PM | Permalink | Reply

cori

exactly what I was needing right when I needed it. Thanks!

Posted October 11, 2009 at 10:48 AM | Permalink | Reply

Joel

HI there,
Between servers it works great, but when trying between XP workstations or server to workstations I get ERROR: problem writing to file. Error Number 5, Invalid Procedure

Posted October 18, 2009 at 12:47 PM | Permalink | Reply

Jason Fossen

Hi Joel:
This is most likely an NTFS permissions problem: please make sure you have Full Control on the folders/files where you are saving the output and confirm that you have local Administrators rights on the boxes.

Posted November 15, 2009 at 4:36 AM | Permalink | Reply

Eric Backer

Thank you Jason for taking the time to write this helpful little script. I tried running it on Windows 7 Ultimate x64 and get this error:
>>>>>> ERROR: Problem connecting to WMI on target
Error Number: 451
Description: Object not a collection
Error Source: Microsoft VBScript runtime error
Script Name: dumpeventlog.vbs
Is this an incompatibility with Seven?

Posted November 17, 2009 at 8:50 PM | Permalink | Reply

Jason Fossen

Hi Eric Backer:
Script runs fine on Windows 7 and Server 2008-R2 in my testing, so your error is most likely related to 1) generic networking problems, 2) RPC or WMI service problems at target, such as firewall issues, or 3) lack of admin privileges on target box (you should be logged on with a global user account that is a member of the local Administrators group at the target). Hope this helps!

Posted November 20, 2009 at 4:19 PM | Permalink | Reply

corey

Hi, I am using the clear script in a batch file. I was wondering if there was any way to get the result of the program back to the batch file so I can check if the program successfully cleared the logs or not.
currently i have
cscript.exe DumpEventLog.vbs localhost eventLogs.csv /all /clear
IF EXIST "eventLogs.csv" del "eventLogs.csv"
IF NOT EXIST "eventLogs.csv" Echo All logs cleared
IF EXIST "eventLogs.csv" Echo All logs have not been cleared - Please manually clear logs
but I want to ensure the logs have been cleared and not just the CSV file

Posted November 20, 2009 at 9:07 PM | Permalink | Reply

Jason Fossen

Hi Corey:
If you only want to clear a log, you might instead use free tools like wevtutil.exe or psloglist.exe (Google on those names for more info). These tools can do other very useful things too, including dumping log data.

Posted December 1, 2009 at 9:37 AM | Permalink | Reply

AP

Hi,
Thanks for this script! However, on our server (w2k3) the date when an event was generated was not exported correctly: it showed future dates when that was not possible. I changed the GetDate function and passed MM/DD/YYYY to DateValue instead of MM/DD/YY.

Posted December 1, 2009 at 2:24 PM | Permalink | Reply

Jason Fossen

Hi AP:
Interesting, I've never seen that problem myself or had anyone else report it. However, your suggested change to the script doesn't alter the script's output in my testing, and I don't see how it could negatively affect anyone currently using the script, so I've incorporated your change just in case. I've uploaded the new version to the blog. Thank you!

Posted December 2, 2009 at 4:49 PM | Permalink | Reply

Derek

Hi, I'm new to scripting but yours is exactly what I was looking for! Thanks! Works well on my local machine, but when I try to run it from my machine (logged in as a domain admin) to another machine on my network, I get this error:
I type: (i put a fake IP for here, also tried the computer name)
cscript dumpeventlog.vbs 0.0.0.0 test.csv application
and I get:
Error: Problem executing WMI query to select date.
Error Number: -2147024891
Description: Access is denied.
Error Source: SWbemServicesEx
Script Name: dumpeventlog.vbs
Any ideas?
Thanks,
Derek

Posted December 3, 2009 at 12:45 PM | Permalink | Reply

Jason Fossen

Hi Derek:
It looks like WMI permissions have been changed at the target machine. You may have to poke around in Administrative Tools > Computer Management > Services and Applications > WMI Control > properties > Security. Also, see if the event logs at the target machine can be made to show something useful. Good luck!

Posted December 7, 2009 at 5:04 PM | Permalink | Reply

Jeff J

Script works beautifully. had some troubles getting the firewall to allow the traffic through, but works perfectly.
Thanks

Posted March 5, 2010 at 3:47 AM | Permalink | Reply

brent

do you have this in TAB type format

Posted March 6, 2010 at 10:33 PM | Permalink | Reply

Jason Fossen

Hi Brent:
No, sorry, it only outputs in comma-delimited format, but you could edit the script or do a search-and-replace on its output afterwards (or open the CSV file in another program, like a spreadsheet, then Save As tab-delimited instead). JF

Posted March 9, 2010 at 5:12 PM | Permalink | Reply

Mike

Windows Vista says: "Run this with CSCRIPT.exe" What?

Posted March 16, 2010 at 6:17 AM | Permalink | Reply

Jason Fossen

Hi Mike:
Yes, this is a command-line script, so it's best to run the script with cscript.exe instead of wscript.exe. You can also change your default interpreter to cscript.exe using its "//h:cscript" argument. Cheers, JF

Posted April 15, 2010 at 6:34 PM | Permalink | Reply

Peter

Jason,
What an utterly fantastic piece of work you've done here!
Really really good. A proper implementation.
Respect.

Posted October 13, 2010 at 7:06 PM | Permalink | Reply

Rich Rumble

Can the insertion strings use tabs to separate their values inside the quotes? Event 4624 in the security log has one particular quirk in that it contains the NTLM version (NTLM v2 or v1) which is separated by a space, so it's hard to tell this string from all the others. Perhaps it is an alternate insertion string already? NTLM being variable one and V1/V2 being variable 2 for the "Package Name (NTLM only):" line. If it's not two separate insertion strings, would it be possible to separate insertion strings like so: "value(tab)value(tab)value(tab)"
Great script, I use it daily!
-rich

Posted October 14, 2010 at 1:40 AM | Permalink | Reply

Jason Fossen

Hi Rich: You can certainly edit your copy of the script to delimit with tabs, but I can't permanently change the script to do that, too many people already rely on the current single-space delimiter. Good luck!

Posted November 17, 2010 at 3:23 PM | Permalink | Reply

Matt

Great job on this handy tool. Is it possible to use it to dump the "ForwardedEvents" log? I tried several things to get it to process that one and had no luck. Not sure if I'm not doing something right or if it's a limitation of WMI or something. Thanks!

Posted December 2, 2010 at 12:44 AM | Permalink | Reply

Erik Dekker

Jason, your script is a model for layout and legibility. My compliments, well done.
While I ran the script, I noticed not all eventlogs are read. If, in sub ProcessEachLog, you change the Select statement to SELECT Logfile from Win32_NTLogEvent and read all events for their logfile, then you got them all.
Unfortunately, only your collection of LogfileNames supports the method ClearEventLog, so not all event logs can be cleaned. I added snCleaned, which is originally filled with the bigger collection of event logs, and every time an event log is cleaned, the event log name plus trailing comma is replaced by a zero-length string.

Posted December 2, 2010 at 10:56 AM | Permalink | Reply

Tim

Just wanted to pass on my thanks for this VB; it's solved a problem I was having with looking at how often users were accessing an IIS service I have set up, and with handles it works perfectly. Just import into a SQL DB and take it from there.

Posted February 2, 2011 at 10:36 PM | Permalink | Reply

Nancy

This is incredible, thank you!!! I've been looking for something for a little bit that would make the log collection a lot easier.

Posted March 30, 2011 at 8:12 PM | Permalink | Reply

Chris Meyer

Nice program. There is a little date problem though. We have both Windows 2003 Server and 2008 R2 and dump events from both into a MySQL database. Well, it turns out that the 2008 boxes return UTC while the 2003 servers return local time in the CSV files :-( What a pain in the posterior.

Posted April 18, 2011 at 11:16 PM | Permalink | Reply

Joel

Excellent work!
However, I also get the dates from the future; for example, right now a log is showing entries for November 2011, dumped remotely from XP SP3. How can I change GetDate?
Tested on my local system with around 20 entries, all were correct. Remotely on 44,000 entries and I get future dates towards the end

Posted August 11, 2011 at 1:51 PM | Permalink | Reply

Nick Meaney

Is there any way of using this script to extract failed logons from a multiple forest domain, 1 place name and 3 child domains?
Would make my request from the projects team a whole lot easier. Can either use individual domain accounts or an enterprise account.
Please advise and thank you in advance.
Nick

Posted February 17, 2012 at 3:49 AM | Permalink | Reply

Tim

First of all thank you so much for creating this script. Awesome time saver. However, I am trying to run the batch file from a scheduled task on Windows Server 2008 R2. The task scheduler says it ran successfully however it does not create the .csv file (the logs do get cleared). If I manually run the batch file by double clicking it, the .csv file is created. My batch file contains:
cscript.exe DumpEventLog.vbs %COMPUTERNAME%

Posted February 23, 2012 at 9:58 PM | Permalink | Reply

Jason Fossen

Hi Tim:
Check out the command-line switches for the script, e.g., "cscript.exe DumpEventLog.vbs /?". There's more than just the computername which needs to be entered.
Cheers,
Jason

Posted March 10, 2012 at 8:35 PM | Permalink | Reply

David

Would it be possible to use this against an archive of *.evt files instead of targeted a system?

Posted March 10, 2012 at 10:34 PM | Permalink | Reply

Jason Fossen

Hi David:
Unfortunately not, the script cannot parse log files directly, the script goes through the WMI service.
Cheers,
Jason

Posted April 13, 2012 at 2:11 PM | Permalink | Reply

Aleksey

Hello Jason,
The script is very good.
Question for you: is there a way to limit the output to a certain number of days rather than dumping the whole context?
My goal:
schedule the script to collect critical, warning and error events from the System log for all servers on a weekly, bi-weekly or monthly basis
I do realize that a workaround would be to clean the event log every time I run the utility but I don't want to do that.
Is there a way to dump just the last 30 days or something like that?

Posted April 13, 2012 at 2:59 PM | Permalink | Reply

Jason Fossen

Hi Aleksey:
Sorry, no, not with this script. My intention was to make the output as easy to filter/grep/parse as possible, so the kind of filtering you want can be done after dumping the data to a CSV file, but not in the script itself (without major rewrites). The zip download contains a bunch of other BAT scripts to demo how the filtering can be done, but you can use whatever favorite language/tool you want of course.
Cheers,
Jason

Posted April 18, 2012 at 7:56 PM | Permalink | Reply

Mark B

Great script, but I am having real problems getting it to access the Security log. Even when I do a /ALL it doesn't seem to pick up any events from the Security log.
Have you managed to get it to work on that yet? If so, what was your magic?

Posted April 19, 2012 at 4:55 PM | Permalink | Reply

Jason Fossen

Hi Mark:
If you're a member of the Administrators group, you should be able to dump the Security log too. I'd confirm your membership in that group.
Cheers,
Jason

Posted May 11, 2012 at 8:45 AM | Permalink | Reply

delu_23

Thank you. This information is very helpful to me.
Can I ask you a few questions?
1. I can't see other languages than English in the message column of the CSV file. (The computer column is good.)
2. How do I change the time in the CSV file to local time?

Posted May 12, 2012 at 2:45 AM | Permalink | Reply

Jason Fossen

Hi Delu:
This script merely outputs the data given to it by Windows, so changing the language or time zone isn't really possible with the script, that has to be done (somehow) in the OS.
Cheers,
J.

Posted March 10, 2014 at 2:42 PM | Permalink | Reply

Charles

Just wondering if there was a parameter for grabbing specific date range. I.e. that last 30 days?

Posted March 10, 2014 at 2:46 PM | Permalink | Reply

Charles

Hello,
I was just wondering if there was a parameter for exporting a specific date range. For Example, the last 30 days instead of the entire log file?
Thank you,
Charles
