Convert saved evtx files to text

In the end I went with Log Parser to convert to CSV and then [System.IO.File]::ReadLines($filename) to search through the text. An 800MB .evtx file can be converted in about 2 min 30 sec and then reading through the file takes about 2 mins. Possibly it could be quicker exporting to XML or into a database but it will do for me with the amount of time I had to spend.

$logparser = "c:\program files (x86)\Log Parser 2.2\logparser.exe"
$query = "SELECT * INTO c:\logs\logs.csv FROM c:\logs\logs.evtx"

& $logparser -i:evt -o:csv $query

As far as I remember, LogParser was not able to extract all event information (I mean both System and EventData that you can see in the xml view for each event in the EventViewer). Therefore, I went with powershell. My script works well, but is very slow: it needs about 80 seconds to convert 10 Mb .evtx file...

$a = Get-Item *.evtx
$output_file = [System.IO.StreamWriter] $("all.csv")
foreach($file in $a){
    $events = get-winevent -path $file.FullName

    foreach ($Event in $events) { 
        $xml = [xml]($Event.ToXml())

        foreach ($s in $xml.Event.System.ChildNodes) {
            $output_file.Write($s.Name + ":" + $s.InnerText + ",")
        }
        foreach ($d in $xml.Event.EventData.Data) {
            $text = $d.InnerText
            $text = if ($text) { $text.replace("`n","") } else { $text }
            $output_file.Write($d.Name + ":" + $text + ",")
        }
        $output_file.WriteLine()
    }
}

$output_file.Flush()
$output_file.Close()

I needed to bulk convert a bunch of .evtx to .txt files - I did end up getting Log Parser to convert to .csv (which i can then rename .txt), but the easiest way (and only uses native windows tools) was to use wevtutil.

wevtutil /qe File.evtx /lf: true will open and display the .evtx file in a cmd. All you have to do is make it output that output as a .txt!

wevtutil /qe File.evtx /lf: true > File.txt

I made a batch script that will recursively check a folder for all your nicely dated event files and will convert each .evtx file to a .txt inside that folder:

set spath=\\SERVER\Share\Audits
set eventLogDir="dir /B /s %spath% | findstr  \.evtx$"
FOR /F %%d in ('%eventLogDir%') do wevtutil qe %%d /lf:true > %%d.txt

Edit - I did realize that the query output from wevtutil is not very nice to read. Using Log Parser instead with my script, i was able to get a nicer output and save still with .txt

set spath=\\SERVER\Share\Audits
set eventLogDir="dir /B /s %spath% | findstr  \.evtx$"
FOR /F %%d in ('%eventLogDir%') do "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" "Select * into %%d.txt from %%d" -i:evt -o:csv

If you're looking for a point-and-click way to convert EVTX files, you could try Gigasheet. It's a web-based application that parses EVTX and you can export data in CSV format. You can upload up to 99 files concurrently, and it's free to upload files up to 10GB.

Full details here: https://www.gigasheet.co/post/online-evtx-parser-and-viewer

Our parsing in Gigasheet is based on the Rust EVTX parser by @omerbenamram. Looking at the benchmarks on Github, it looks like the performance should be great for most applications: https://github.com/omerbenamram/evtx

Full disclosure: I'm co-founder at Gigasheet.