
EvtLogParser


Updated to version: 1.0.0.5!

Let's say you have many exported EventLog (evt/evtx) files and need to search all of them for specific event entries. How do you do it?
Yes, of course you can use Microsoft Log Parser 2.2, but then you have to write the cumbersome query yourself. Bummer.

EvtLogParser to the rescue!

EvtLogParser uses the LogParser.dll from Microsoft Log Parser 2.2, and provides a simple UI for the query.

EvtLogParser

All you need to do is drag-and-drop, or right-click and select Add EventLog Files..., to add your files to the list, select the query filter using the query filter panel, and click Query.

EvtLogParser: Query Filter Panel

Then, you’ll be able to see the query results in the grid view below.

EvtLogParser: GridView and Context Menu

Right-click to view a specific event, save it as a text file or export all the data to an XML file.

EvtLogParser: View Event

Note that Windows Vista, 7 and Server 2008 use the new evtx format for event log exports.
Since Log Parser uses system APIs to read event log exports, and the old .evt format is no longer "native" on these OSes, you'll probably get an error message saying "The event log file is corrupted".

So if you want to read evt files on Windows Vista, 7 or Server 2008, you should convert those old-school EventLog files into the shiny new format. You can do this using either of the two methods described below:

1. Through the user interface
Just double-click the evt file, wait for it to open, then right-click, select Save Event As, enter the location and filename, and click Save and OK.

2. Using the Windows Events Command Line Utility (wevtutil)
It's built into the OS and will convert those old EventLog files from the command line:

wevtutil epl application.evt application.evtx /lf:true

Also, you can copy the text below into Notepad, save it with the .reg extension, and merge it into your registry.
After restarting your system, you’ll be able to right-click an .evt file and select the "Convert to evtx" option from the context menu.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell\ConvertToEvtx]
@="Convert to evt&x"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell\ConvertToEvtx\command]
@="\"wevtutil.exe\" epl \"%1\" \"%1x\" /lf:true"


Download EvtLogParser.1.0.0.5.zip
Please note it requires you to have at least .NET Framework 2.0 installed

  1. Fix
    October 18, 2010 at 10:27

    Hello Martin, I’ve tried to use your EvtLogParser… but I can’t open anything! All the .evtx files that I’ve tried to open give me this error:
    Error executing query: Cannot open : Error openign event log “\\?\c:\[my path]”: Corrupted event file.

    Of course, these evtx files are great and I’ve no problems opening them on Vista/Seven.

    Could you help me?
    Thank you.
    Fix

    • October 18, 2010 at 11:04

      And are you running the EvtLogParser on Vista/Win7?
      Please read the section at the bottom of the post that says: “Note that Windows Vista, 7 and Server 2008 uses the new evtx format for event log exports.
      Since Log Parser uses system APIs to read event log exports, and the old .evt event log format is not “native” any more on these OS’s you’ll probably get an error message saying “The event log file is corrupted”. So if you want to read evt files on Windows Vista, 7 or Server 2008, you should convert them old-school EventLog files into the shiny new format.”

  2. Jim
    December 30, 2010 at 20:42

    Hi Martin
    Great replacement for the free EventCombMT from Microsoft. One feature I’d like to see is the ability to export ALL the discovered events. Is there a way to do this currently?

    • December 31, 2010 at 11:41

      Of course there is!
      Just right-click the results grid and select the “Save all as XML” item from the context menu,
      select where to save the xml file, and click save.

  3. Jim
    January 4, 2011 at 02:20

    Duh! Thanks Martin!

  4. Jim
    February 19, 2011 at 04:37

    Hello again Martin!

    By any chance, is the EVT Logparser a multithreaded application like EventComb was?

    • April 20, 2011 at 22:22

      Sorry for the late reply…
      As for your question, No. EvtLogParser is not multithreaded. It queries all the evt(x) files in one thread.
      Maybe in the future I’ll have the time to redesign it.

  5. ContraAl
    April 20, 2011 at 02:42

    This app is awesome! I just had a few questions.
    When I open multiple files, I’m not able to tell which log file the event was in. Can you add a column for the filename the event came from?

    I know this adds a lot of complexity but how about the ability to change the window size?

    An export all to .csv with column names would be nice, too.

    I don’t know how difficult it would be but I would like to be able to see the raw query as a learning tool. A pipe to the clipboard, maybe?

    • April 20, 2011 at 22:19

      I added some of the features you suggested
      1. Resize window – Done!
      2. See the raw logparser query – Done! (double click the statusbar, or use the Help->Show Last Query menu item).
      3. Export all to csv – Done! (just note that if the event message contains commas, the csv file will be jagged).
      4. Add column for file name – Not done 😦 since I’m bulk-querying all evt(x) files, this is too much of a change right now.
      Thanks for the feedback!
      Martin.

      • ContraAl
        April 21, 2011 at 19:16

        The updates look good. Much improved. I’m getting a .NET error on opening now.

        Microsoft .NET Framework
        Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. yadda, yadda, yadda…

        String was not recognized as a valid DateTime.

        This is on 2008 R2 with .NET 4.0. and on a 2003 SP2. Any ideas?

      • May 28, 2011 at 03:05

        Hi Martin,

        Fantastic tool… with regards to the CSV option – if you enclose the values in quotation marks and double any quotation marks that appear inside a value, this will get around the jagged CSV effect.

        Chris

  6. ContraAl
    April 21, 2011 at 19:22

    Oh, btw, thanks for the quick response!

    • April 21, 2011 at 21:11

      When are you getting this error?
      What is the culture (regional settings, and the date and time format) set on your machines?

  7. ContraAl
    April 22, 2011 at 01:58

    The culture is USA.
    Windows 2008 R2
    Time zone is (UTC-07:00) Arizona
    Current date and time: Thursday, April 21, 2011, 4:45 PM

    Windows 2003 SP2
    Time zone is (UTC-08:00) Pacific
    Current date and time: Thursday, April 21, 2011, 4:57 PM

    I have the error debug files if that will help..

  8. ContraAl
    April 22, 2011 at 02:05

    Here’s an interesting thing. The default FromTime is 01/01/1753 00:00:00, which is the standard mo/da/year format, but the To Time is 31/12/9998 00:00:00. It’s actually mo/da/year.

  9. H.
    September 6, 2011 at 15:23

    Martin,
    Thanks for this tool. I was looking for this a long time. Hope that this tool keeps being developed. It saved me a lot of time converting to csv etc. Now I can query the evt files.

    Thanks again!

    H.

  10. Robin McNamara
    September 20, 2011 at 00:40

    Great tool! Thanks very much.

    Quick question (if I may): can I add multiple EventIDs using a delimiter (e.g. a comma)?

    Thanks again.

  11. September 21, 2011 at 12:46

    How do I convert .evtx to .evt??

  12. Anonymous
    December 21, 2011 at 16:18

    I get the same ‘String was not recognized as a valid DateTime’ – .NET Framework 4 Client Profile on Windows 7 x64, latest SP / patches for everything.

  13. Michael
    December 22, 2011 at 22:44

    I get the same error as above post on the same system (Windows 7 x64) with .NET 4 etc.

  14. Michael
    December 22, 2011 at 22:48

    I am also having trouble registering LogParser.dll.
    I get ‘LogParser.dll is missing’. Registering is done using Tools -> Register LogParser.dll, but nothing happens when I run it.

    • Michael
      December 22, 2011 at 23:02

      Never mind. I installed MS LogParser 2.2 and it runs now. However, my logs appear to be corrupt, even when I try on an XP system. Any suggestions?

  15. Cheryl
    February 17, 2012 at 18:41

    Link to download says file removed.

  16. August 9, 2012 at 09:33

    Is there a way to add to the display the user that caused the event, and other fields? That would help enormously.

  17. kiv
    September 6, 2012 at 06:05

    Absolutely agree. The standard Microsoft event query has a user field, and here the user is only seen in the message area. Adding the user would make many of those of us still struggling with LogParser 2.2 query syntax a little bit happier.

  18. mark jan
    September 16, 2012 at 06:35

    Can anyone help me please? How can I read or translate this one? It came from evp files. Please help me.


  19. Siva
    February 28, 2013 at 22:22

    Hi, I’m trying to automate this process and I’m in a situation where we get a lot of event files (both EVT and EVTX) from various systems, and they sit in a folder. I’m after a script that looks for EVT files and converts them into EVTX format. Any help here would be much appreciated.
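
The following is an added PowerShell example, not part of EvtLogParser and not the author's code, that applies the wevtutil conversion from the post to every .evt file in a folder, as asked for in the comment above. The parameter names ($SourceDir, $DestDir) are this example's own.

```powershell
# Added example, not part of EvtLogParser. Converts every .evt file in a folder
# to .evtx with the same wevtutil command the post uses for a single file.
param(
    [Parameter(Mandatory = $true)]
    [string]$SourceDir,             # folder that collects the exported .evt files
    [string]$DestDir = $SourceDir   # where the .evtx copies go (default: same folder)
)

if (-not (Test-Path -LiteralPath $DestDir)) {
    New-Item -ItemType Directory -Path $DestDir | Out-Null
}

# Filter on the real extension rather than -Filter *.evt: the provider filter also
# matches 8.3 short names, and "something.evtx" has the short name "SOMETH~1.EVT".
$evtFiles = Get-ChildItem -LiteralPath $SourceDir |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.evt' }

$results = foreach ($evt in $evtFiles) {
    $target = Join-Path $DestDir ($evt.BaseName + '.evtx')

    if (Test-Path -LiteralPath $target) {
        # Never overwrite a log that is already there; report it instead.
        [pscustomobject]@{ Source = $evt.Name; Target = $target; Status = 'Skipped (target exists)' }
        continue
    }

    # /lf:true tells wevtutil that the first argument is a log file, not a channel name.
    # Stderr is merged into $output so the failure reason ends up in the report.
    $output = & wevtutil.exe epl $evt.FullName $target /lf:true 2>&1
    $status = if ($LASTEXITCODE -eq 0 -and (Test-Path -LiteralPath $target)) { 'Converted' } else { "Failed: $output" }

    [pscustomobject]@{ Source = $evt.Name; Target = $target; Status = $status }
}

$results | Format-Table -AutoSize
```

Run it on a Vista or later machine (the post notes that wevtutil reads the old .evt format there), e.g. `.\Convert-EvtToEvtx.ps1 -SourceDir C:\logs\incoming -DestDir C:\logs\evtx`.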

  20. upgrayedd
    May 28, 2013 at 21:02

    I try to download the util and the link takes me to some other util to download, but these screenshots look great!

  21. Nik
    September 12, 2013 at 08:38

    Hi Martin!
    Can I use a mask like * username in the line “Message”

    I’m sorry, google translation

  22. Ryder
    October 27, 2014 at 20:33

    Just searched & found this tool.

    This tool works but at startup I always get:

    System.FormatException: String was not recognized as a valid DateTime.
    at System.DateTimeParse.Parse(String s, DateTimeFormatInfo dtfi, DateTimeStyles styles)

    I don’t know the code, but probably you do not check the system locale (whether YYYY-MM-DD or MM/DD/YYYY or whatever is used) and do not use DateTime.TryParse() to catch the exception.
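
An added PowerShell example (not the tool's code) that reproduces the symptom described in the comments above: a day-first default such as 31/12/9998 00:00:00 fails a culture-aware parse under en-US but passes under a day-first culture such as en-GB. The second function shows the fix the comment hints at: parse with one explicit format against the invariant culture, and report failure through a return value instead of an exception. Function names are this example's own.

```powershell
# Added example, not EvtLogParser's code. Shows why one fixed date string can
# throw "String was not recognized as a valid DateTime" on some machines only.
function Test-CultureParse {
    param([string]$Text, [string]$CultureName)
    $culture = [System.Globalization.CultureInfo]::GetCultureInfo($CultureName)
    $parsed = [datetime]::MinValue
    # TryParse never throws; the bool says whether this culture accepted the text.
    $ok = [datetime]::TryParse($Text, $culture,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    [pscustomobject]@{ Culture = $CultureName; Input = $Text; Parsed = $ok; Value = $parsed }
}

function ConvertTo-FilterDateTime {
    # Parse a filter bound with one documented format, independent of regional
    # settings. Returns $null (instead of throwing) when the text has another shape.
    param([string]$Text)
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $parsed = [datetime]::MinValue
    if ([datetime]::TryParseExact($Text, 'dd/MM/yyyy HH:mm:ss', $inv,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
        return $parsed
    }
    return $null
}

$defaultToTime = '31/12/9998 00:00:00'   # the default To Time quoted in the comments

# Same string, two regional settings: only the day-first culture accepts it.
'en-US', 'en-GB' |
    ForEach-Object { Test-CultureParse -Text $defaultToTime -CultureName $_ } |
    Format-Table -AutoSize

# Culture-independent parsing of the same default, and a deliberately
# month-first string that is rejected without an exception.
ConvertTo-FilterDateTime $defaultToTime
ConvertTo-FilterDateTime '12/31/9998 00:00:00'
```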

  23. Grand Farquad
    November 12, 2014 at 20:04

    I installed Microsoft Log Parser as a prerequisite, then installed your tool. While it does show the log contents, every entry has this description:

    The description for Event ID 123 in Source “Microsoft-Windows-TaskScheduler” cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.

  24. Don Beelame
    November 26, 2014 at 09:26

    Martin, have you given thought to moving this app to SourceForge or a similar venue, so that others can maintain and evolve it, seeing that you have not made any updates to this useful tool in several years?

  25. July 13, 2015 at 14:47

    Really nice and works well with the old evt files.
    THX

  26. December 18, 2015 at 23:46

    @Don Beelame I would agree, but just an FYI. This is working with Windows 10, and my server 2012 evtx log files.

