Backup Operational Event Logs with PowerShell

Dale Peterson 61 Reputation points
2023-02-15T18:07:04.4933333+00:00

Hello.

I am trying to take a backup of the event logs in "Applications and Service Logs > Microsoft > Windows > NTLM > Operational" using PowerShell. I see that you can do this with Win32_NTEventlogFile, but because all the events are in "...NTLM > Operational" nothing is backed up when running the command.

I've been looking around and haven't found a flag to set in the command to go another level down in the event log to get the events.

Does anyone have a resource I can use to help guide me?

TIA


1 answer

  1. Anonymous
    2023-02-16T04:03:29.11+00:00

    Hi,

    The log files are located in $Env:windir\System32\winevt\Logs. You can simply copy Microsoft-Windows-NTLM%4Operational.evtx to back up the entire log file.

    Best Regards,

    Ian Xue
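
An added example, not part of the answer above: it backs up the same channel by exporting it through the event log service with `wevtutil epl` rather than copying the live file, then reads the export back and records a hash. The function name `Backup-EventChannel` and the destination `C:\EventLogBackup` are assumptions, and it assumes an elevated session.

```powershell
# Added example; Backup-EventChannel and C:\EventLogBackup are hypothetical names.
function Backup-EventChannel {
    [CmdletBinding()]
    param(
        # Channel name as shown by Get-WinEvent -ListLog; the "%4" in the
        # .evtx file name on disk is the encoded "/" of this name.
        [string]$LogName   = 'Microsoft-Windows-NTLM/Operational',
        [string]$BackupDir = 'C:\EventLogBackup'
    )

    # Fail early if the channel does not exist or cannot be read.
    $log    = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $source = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)

    # Timestamped target so repeated runs never overwrite an earlier backup.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupDir ("{0}_{1}.evtx" -f ($LogName -replace '[\\/]', '_'), $stamp)

    # Export the channel to a new .evtx file via the event log service.
    & wevtutil.exe epl $LogName $dest
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil epl failed for '$LogName' (exit code $LASTEXITCODE)"
    }

    # Verify the export parses as an event log. An empty log returns no events.
    $first = Get-WinEvent -Path $dest -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $last  = Get-WinEvent -Path $dest -MaxEvents 1 -ErrorAction SilentlyContinue

    # Record what was captured so the backup can be checked for tampering later.
    [pscustomobject]@{
        LogName       = $LogName
        SourceFile    = $source
        BackupFile    = $dest
        LiveRecords   = $log.RecordCount
        OldestEvent   = if ($first) { $first.TimeCreated } else { $null }
        NewestEvent   = if ($last)  { $last.TimeCreated }  else { $null }
        SizeBytes     = (Get-Item -LiteralPath $dest).Length
        Sha256        = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    }
}

Backup-EventChannel | Format-List
```

The `SourceFile` value in the output is the file under `winevt\Logs` that the answer refers to; the exported copy opens in Event Viewer or with `Get-WinEvent -Path`.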

