How to pull specific event ID’s from Event Viewer to a .csv file using PowerShell

 

Step#

 Task Step(s) and / or Screenshot
1 From either a computer on the same network as the machine with the logs or directly on the machine with the logs launch Powershell as admin  
2

Run the command:

$StartDate = (Get-Date).adddays(-##)

Replace the ## with how many days you want to go back from today.

  
3

Then run:

Get-WinEvent -ComputerName ‘MachineName’ -FilterHashtable @{logname='Security';id=’eventid,eventid,etc’;data='Username';StartTime=$StartDate} | Export-csv C:\temp\’NameofFile’.csv

Replace the following values:
‘MachineName’ = The computer you want to pull logs from, or delete the entire string ‘-ComputerName ‘MachineName’ if you are running it on the computer in which you want the logs

‘eventid’ = These are the event IDs you are looking for for example 4624,4634

‘Username’ = With the user login without the domain part

‘NameofFile’ = The title your want for the csv file.

  

 

 

Author: Justin Wilson


Article ID: 623
Created: July 1, 2021
Last Updated: July 1, 2021
Author: Natural Networks NOC [support@naturalnetworks.com]

Online URL: https://kb.naturalnetworks.com/article.php?id=623