Tuesday, August 17, 2010

Convert Windows 2003/XP event logs (.evt file) to Vista/7/2008 event logs (.evtx file)

Recently I had to convert a slew of Windows 2003/XP .evt files to Vista/7/2008 .evtx files so I could do some offline log analysis. The first problem was that some of the .evt files were corrupt: they had been copied directly off running Windows 2003 servers (from %SystemRoot%\System32\Config) to a local drive. I used fixevt to repair the logs and a PowerShell script wrapper around wevtutil to convert them.
After downloading fixevt, the repair and conversion came down to two simple commands in PowerShell:
fixevt *.evt
Get-ChildItem . -recurse -include "*.evt" | foreach-object {wevtutil epl $_.FullName ($_.FullName + "x") /lf:true}

You can also use wevtutil to trim down an evtx file to a specific date range. For example:

wevtutil.exe epl Security Test.evtx /q:"*[System[TimeCreated[@SystemTime>='2010-11-01T05:00:01.000Z' and @SystemTime<='2010-11-11T05:59:59.999Z']]]"

This outputs the Security log events between 1 Nov 2010 and 11 Nov 2010 (the lower bound uses >= and the upper bound uses <=).

You'll need to substitute actual > and < for the &gt; and &lt; if your browser shows the entities. Also, note that the time is in Zulu (UTC). The times in evtx files are stored in Zulu; Event Viewer and many other event applications translate them into local time.
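The repair, conversion and date trimming above combined into one script, as an added example that is not from the original post. It assumes fixevt.exe and wevtutil.exe are on PATH, and the folder names and the time window are placeholders; the point it adds is converting a local-time window to the Zulu strings wevtutil expects and building the XPath query with the correct pair of operators.

```powershell
# Added example (not from the original post): repair, convert and date-trim
# Windows 2003/XP .evt logs in one pass. Assumes fixevt.exe and wevtutil.exe
# are on PATH; $Source, $Dest, $From and $To are placeholder values.
param(
    [string]$Source = 'C:\evt-archive',
    [string]$Dest   = 'C:\evtx-out',
    [datetime]$From = '2010-11-01 00:00:00',
    [datetime]$To   = '2010-11-11 23:59:59'
)

# wevtutil compares @SystemTime against UTC ('Zulu') timestamps, so the
# local-time window is converted before the XPath query is built.
function ConvertTo-ZuluString([datetime]$t) {
    return $t.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")
}

function New-TimeRangeQuery([datetime]$start, [datetime]$end) {
    $s = ConvertTo-ZuluString $start
    $e = ConvertTo-ZuluString $end
    # Lower bound uses >=, upper bound uses <=; using >= for both would
    # return an open-ended range instead of a window.
    return "*[System[TimeCreated[@SystemTime>='$s' and @SystemTime<='$e']]]"
}

New-Item -ItemType Directory -Force -Path $Dest | Out-Null

# Step 1: repair the headers of .evt files copied off live servers
Push-Location $Source
& fixevt.exe *.evt
Pop-Location

# Step 2: convert each .evt to .evtx, keeping only the requested window
$query = New-TimeRangeQuery $From $To
Get-ChildItem $Source -Recurse -Include '*.evt' | ForEach-Object {
    $out = Join-Path $Dest ($_.BaseName + '.evtx')
    # /lf:true tells wevtutil the first argument is a log file, not a channel
    & wevtutil.exe epl $_.FullName $out /lf:true "/q:$query"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil failed on $($_.FullName) (exit code $LASTEXITCODE)"
    }
}
```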

Now off to the fun of event correlation...