EvtLogParser
Updated to version: 1.0.0.5!
Let's say you have many exported EventLog (evt/evtx) files and need to search for specific event entries in all of them. How do you do it?
Yes, of course you can use Microsoft Log Parser 2.2, but then you have to write the cumbersome query yourself. Bummer.
EvtLogParser uses the LogParser.dll from Microsoft Log Parser 2.2, and provides a simple UI for the query.
All you need to do is drag-and-drop (or right-click and select) to add your files to the list, select the query filter using the query filter panel, and click Query.

Then, you’ll be able to see the query results in the grid view below.

Right-click to view a specific event, save it as a text file or export all the data to an XML file.
Note that Windows Vista, 7 and Server 2008 use the new evtx format for event log exports.
Since Log Parser uses system APIs to read event log exports, and the old .evt event log format is no longer "native" on these OSes, you'll probably get an error message saying "The event log file is corrupted".
So if you want to read evt files on Windows Vista, 7 or Server 2008, you should convert those old-school EventLog files into the shiny new format. You can accomplish this using either of the two methods described below:
1. Through the user interface
Just double-click the evt file, wait for it to open, then right-click, select Save Event As, enter the location and filename, click Save and OK.
2. Using the Windows Events Command Line Utility (WevtUTIL)
It's built into the OS and it'll convert those old EventLog files from the command line:
wevtutil epl application.evt application.evtx /lf:true
Alternatively, you can copy the text below into Notepad, save it with the .reg extension, and merge it into your registry.
After restarting your system, you'll be able to right-click an .evt file and select the "Convert to evtx" option from the context menu.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell\ConvertToEvtx]
@="Convert to evt&x"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell\ConvertToEvtx\command]
@="\"wevtutil.exe\" epl \"%1\" \"%1x\" /lf:true"
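The context-menu entry above converts one file at a time. For a whole directory of old exports, the script below walks the tree and runs the same wevtutil epl ... /lf:true command for every .evt that has no .evtx beside it yet. This is an added example and not part of EvtLogParser; the runner hook is only there so the logic can be exercised without wevtutil installed.

```python
"""Bulk-convert legacy .evt exports to .evtx with wevtutil (added example)."""
import subprocess
from pathlib import Path
from typing import Callable, List, Optional, Sequence


def build_command(evt_path: Path) -> List[str]:
    """Build the wevtutil invocation the post shows, for one file.

    'epl' exports a log; '/lf:true' tells wevtutil the source is a log
    *file* rather than a live channel. Output keeps the original name with
    an 'x' appended, exactly like the "%1x" in the .reg file above
    (application.evt -> application.evtx).
    """
    target = evt_path.with_suffix(".evtx")
    return ["wevtutil", "epl", str(evt_path), str(target), "/lf:true"]


def find_evt_files(root: Path) -> List[Path]:
    """Recursively list every .evt file under root (sorted for stable runs)."""
    return sorted(p for p in root.rglob("*.evt") if p.is_file())


def convert_all(root: Path,
                runner: Optional[Callable[[Sequence[str]], int]] = None) -> dict:
    """Convert each .evt under root that has no .evtx sibling yet.

    `runner` takes the argument list and returns the exit code. It defaults
    to subprocess.run (needs wevtutil.exe on PATH, i.e. Windows); a fake can
    be passed to dry-run the logic on a non-Windows analysis box.
    """
    if runner is None:
        runner = lambda cmd: subprocess.run(cmd, check=False).returncode
    result = {"converted": [], "skipped": [], "failed": []}
    for evt in find_evt_files(root):
        if evt.with_suffix(".evtx").exists():
            result["skipped"].append(evt)  # never clobber an earlier conversion
            continue
        rc = runner(build_command(evt))
        (result["converted"] if rc == 0 else result["failed"]).append(evt)
    return result


if __name__ == "__main__":
    import sys
    summary = convert_all(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for key, paths in summary.items():
        print(f"{key}: {len(paths)}")
```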
Download EvtLogParser.1.0.0.5.zip
Please note it requires you to have at least .NET Framework 2.0 installed.
Hello Martin, I've tried to use your EvtLogParser… but I can't open anything! All the .evtx files that I've tried to open give me this error:
Error executing query: Cannot open : Error openign event log “\\?\c:\[my path]“: Corrupted event file.
Of course, these evtx files are great and I've no problems opening them on vista/seven.
Could you help me?
Thank you.
Fix
And are you running the EvtLogParser on Vista/Win7?
Please read the section at the bottom of the post that says: "Note that Windows Vista, 7 and Server 2008 use the new evtx format for event log exports.
Since Log Parser uses system APIs to read event log exports, and the old .evt event log format is no longer "native" on these OSes, you'll probably get an error message saying "The event log file is corrupted". So if you want to read evt files on Windows Vista, 7 or Server 2008, you should convert those old-school EventLog files into the shiny new format."
Hi Martin
Great replacement for the free EventCombMT from Microsoft. One feature I’d like to see is the ability to export ALL the discovered events. Is there a way to do this currently?
Of course there is!
just right-click the results grid and select the “Save all as XML” item from the context menu,
select where to save the xml file, and click save.
Duh! Thanks Martin!
Hello again Martin!
By any chance, is the EVT Logparser a multithreaded application like EventComb was?
Sorry for the late reply…
As for your question, No. EvtLogParser is not multithreaded. It queries all the evt(x) files in one thread.
Maybe in the future I’ll have the time to redesign it.
This app is awesome! I just had a few questions.
When I open multiple files, I’m not able to tell which log file the event was in. Can you add a column for the filename the event came from?
I know this adds a lot of complexity but how about the ability to change the window size?
An export all to .csv with column names would be nice, too.
I don’t know how difficult it would be but I would like to be able to see the raw query as a learning tool. A pipe to the clipboard, maybe?
I added some of the features you suggested:
1. Resize window – Done!
2. See the raw logparser query – Done! (double click the statusbar, or use the Help->Show Last Query menu item).
3. Export all to csv – Done! (just note that if the event message contains commas, the csv file will be jagged).
4. Add column for file name – Not done. Since I'm bulk-querying all evt(x) files, this is too much of a change right now.
Thanks for the feedback!
Martin.
The updates look good. Much improved. I'm getting a .NET error on opening now.
Microsoft .NET Framework
Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. yadda, yadda, yadda…
String was not recognized as a valid DateTime.
This is on 2008 R2 with .NET 4.0. and on a 2003 SP2. Any ideas?
Hi Martin,
Fantastic tool… with regards to the CSV option – if you encase the values with quotation marks and use double-quotation marks where double-quotation marks are used then this will get around the jagged CSV effect.
Chris
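Chris's quoting rule is the standard CSV (RFC 4180) treatment. The added example below, which is not EvtLogParser's code, builds the jagged export beside the quoted one for a couple of constructed event rows whose messages contain commas, quotes and a line break, then reads the quoted output back with Python's CSV parser to show the column count stays fixed.

```python
"""CSV export with RFC 4180 quoting vs. the jagged comma join (added example)."""
import csv
import io
from typing import List, Sequence

COLUMNS = ["EventLog", "RecordNumber", "TimeGenerated", "EventID", "SourceName", "Message"]

# Constructed sample rows; the Message fields deliberately contain commas,
# double quotes and an embedded newline, as real event messages often do.
SAMPLE_EVENTS = [
    ["Application", 1201, "2011-04-21 16:45:00", 1000, "Application Error",
     'Faulting application app.exe, version 1.0.0.5, faulting module "kernel32.dll"'],
    ["Security", 2930, "2011-04-21 16:46:10", 4625, "Microsoft-Windows-Security-Auditing",
     "An account failed to log on.\nLogon Type: 3, Status: 0xC000006D"],
]


def naive_line(fields: Sequence[object]) -> str:
    """The 'jagged' export: raw join on commas, no quoting at all."""
    return ",".join(str(f) for f in fields)


def quote_field(value: object) -> str:
    """Wrap the value in double quotes when it contains a comma, a double
    quote or a line break, and double any embedded double quotes.
    Values that need no protection are left bare."""
    text = str(value)
    if any(ch in text for ch in ',"\r\n'):
        return '"' + text.replace('"', '""') + '"'
    return text


def quoted_line(fields: Sequence[object]) -> str:
    return ",".join(quote_field(f) for f in fields)


def export_csv(rows: Sequence[Sequence[object]]) -> str:
    """Header row plus one quoted line per event, CRLF-terminated."""
    lines = [quoted_line(COLUMNS)] + [quoted_line(r) for r in rows]
    return "\r\n".join(lines) + "\r\n"


def parse_back(text: str) -> List[List[str]]:
    """Re-read the export with the standard csv parser: every row must come
    back with exactly len(COLUMNS) fields and the messages intact."""
    return list(csv.reader(io.StringIO(text, newline="")))
```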
Oh, btw.. Thanks for the quick response!
When are you getting this error?
what is the culture (regional settings, and the date and time format) set on your machines?
The culture is USA.
Windows 2008 R2
Time zone is (UTC-07:00) Arizona
Current date and time: Thursday, April 21, 2011, 4:45 PM
Windows 2003 SP2
Time zone is (UTC-08:00) Pacific
Current date and time: Thursday, April 21, 2011, 4:57 PM
I have the error debug files if that will help..
Here's an interesting thing. The default FromTime: is 01/01/1753 00:00:00, which is the standard mo/da/year format, but the To Time: is 31/12/9998 00:00:00. It's actually mo/da/year.
Martin,
Thanks for this tool. I was looking for this a long time. Hope that this tool keeps being developed. It saved me a lot of time converting to csv etc. Now I can query the evt files.
Thanks again!
H.
Great tool! Thanks very much.
Quick question (if I may): can I add multiple EventIDs using a delimiter (e.g. a comma)?
Thanks again.
How do I convert .evtx to .evt?
I get the same ‘String was not recognized as a valid DateTime’ – .NET Framework 4 Client Profile on Windows 7 x64, latest SP / patches for everything.
I get the same error as above post on the same system (Windows 7 x64) with .NET 4 etc.
I am also having trouble registering LogParser.dll.
I get 'LogParser.dll is missing'. I register it using Tools -> Register LogParser.dll, but nothing happens when I run it.
Never mind. I installed MS LogParser 2.2 and it runs now. However, my logs appear to be corrupt, even when I try on an XP system. Any suggestions?
Link to download says file removed.