There are a number of tools available for dumping Windows event logs to text files, but there always seems to be a problem or missing data or weird formatting or license issues or.

The intent of the script is to be able to consolidate event log data from multiple machines at one location for local analysis using PowerShell, grep, Excel or whatever your favorite tools are, then to compress the CSV files with gzip for archival. In the zip file with the script are some sample batch scripts for extracting events of different types. (If you want a PowerShell version of the script, I'll get around to it eventually!)

You can get the script from the SEC505 zip file in the Downloads area of this blog. The script is named "DumpEventLog.vbs" and is located in the VBScriptEventLogs folder inside the scripts zip file. The zip contains many other folders and scripts as well that I hope you will find useful.

In a command shell, run "cscript.exe dumpeventlog.vbs /?" to see the help for the script.

    DumpEventLog.vbs target file.csv "logname(s)"
    DumpEventLog.vbs target file.csv /all

Target is the name or IP address of the system from which to extract event log data.

File.csv is the name or full path to a text file, to which the extracted data will be appended.

"Logname(s)" is a comma-separated list of event log names to be dumped (not case sensitive).

/All will dump all the event logs, whatever their names are (not limited to System, Security and Application).

/V gives verbose output with entry message text.

DumpHex implies /V and will also dump insertion strings and any binary attachments.

The target machine must be Windows 2000 or later, running the Windows Management Instrumentation (WMI) service, without firewall restrictions for the necessary RPC traffic. Authentication is single sign-on, so you'll likely need to log on locally as a Domain Admin in order to dump any log from any remote machine in your domain.
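The consolidation workflow described in this post (dump from several machines to one location, then gzip for archival) can be wrapped in a short collection loop. This is an added example, not one of the sample scripts from the SEC505 zip; the hosts.txt file, the C:\LogArchive folder, the manifest.txt file and the chosen log list are assumptions.

```powershell
# Added example: run DumpEventLog.vbs against a list of hosts, gzip each CSV,
# and record a SHA-256 of every archive.
# Assumptions (not from the original post): hosts.txt (one name or IP per line),
# the C:\LogArchive folder, manifest.txt, and DumpEventLog.vbs in the current directory.
$script  = Join-Path $PWD 'DumpEventLog.vbs'
$outDir  = 'C:\LogArchive'                      # hypothetical archive folder
$logs    = 'System,Security,Application'        # comma-separated, as the script expects
$targets = Get-Content '.\hosts.txt' | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($target in $targets) {
    $target = $target.Trim()
    $csv    = Join-Path $outDir "$target-$stamp.csv"

    # Syntax from the post: DumpEventLog.vbs target file.csv "logname(s)"
    & cscript.exe //NoLogo $script $target $csv $logs

    # The script appends to file.csv, so a missing or empty file means the
    # host returned nothing (WMI unreachable, RPC blocked, or access denied).
    if (-not (Test-Path $csv) -or (Get-Item $csv).Length -eq 0) {
        Write-Warning "No data collected from $target"
        continue
    }

    # Compress a copy for archival; GZipStream output is readable by gzip/zcat.
    # The uncompressed CSV is left in place for local analysis.
    $in  = [System.IO.File]::OpenRead($csv)
    $out = [System.IO.File]::Create("$csv.gz")
    $gz  = New-Object System.IO.Compression.GZipStream(
               $out, [System.IO.Compression.CompressionMode]::Compress)
    try     { $in.CopyTo($gz) }
    finally { $gz.Dispose(); $out.Dispose(); $in.Dispose() }

    # Hash the archive so later corruption or tampering can be detected.
    $hash = (Get-FileHash "$csv.gz" -Algorithm SHA256).Hash
    Add-Content (Join-Path $outDir 'manifest.txt') "$hash  $target-$stamp.csv.gz"
}
```

Run it from the folder that holds DumpEventLog.vbs, logged on with an account that has rights on the target machines, since the script relies on single sign-on.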