Archive an Event Log

Applies To: Windows Server 2008, Windows Vista

You can manually save the events in an event log using the following procedure. In addition, certain log retention policies may save events automatically. When you save events, you can include display information that will enable the saved events to be viewed on another computer and you can include information that will enable the saved events to be viewed in a different language.

To export and archive an event log

  1. Start Event Viewer.

  2. In the console tree, navigate to the log you want to archive.

  3. On the Action menu, click Save Events As.

  4. In File name, enter a name for the archived log file.

  5. In Save as type, select a file format, and then click Save.

  6. (Optional) In the Display Information dialog box, if the event log information is not intended to be viewed on another computer, accept the default of No display information.

  7. (Optional) In the Display Information dialog box, if the event log information is intended to be viewed on another computer, click Display information for these languages.

  8. (Optional) If the event log information is intended to be viewed in a different language, select the Show all available languages check box.

  9. (Optional) Select the language check boxes for which you want to include language information.

  10. Click OK.

To export and archive an event log using a command line

  1. To open a command prompt, click Start, type cmd in the Start Search box, and then press Enter.

  2. To export the log to a file, type the following command:

    wevtutil epl <LogName> <FileName.evtx>
    
  3. To archive the log with display information, type the following command:

    wevtutil al <FileName.evtx> [/l:<LocaleString>]
    

To view the complete syntax for the wevtutil command with the epl option, type the following at a command prompt:

wevtutil epl /?

To view the complete syntax for the wevtutil command with the al option, type the following at a command prompt:

wevtutil al /?

Additional Considerations

  • If you archive a log in .evtx file format, you can reopen it in Event Viewer.

  • Archiving does not delete the contents of the log.

  • The sort order is not retained when logs are saved.

  • If you archive a log that is filtered, only the records that satisfy the filter will be saved.

  • To troubleshoot events that were logged on a remote computer, you must export and archive the log with the display information. The display information for the saved events is stored in the LocaleMetaData folder and should be moved with the log information when the information is viewed on another computer.
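The command-line procedure and the LocaleMetaData note above, combined into one script; this is an added example, not part of the original page. It exports a log into its own folder, archives it with display information, and writes a SHA-256 manifest so the .evtx file and its display information can be checked after they are moved together. Assumptions: PowerShell 4.0 or later in an elevated session; the log name, locale, archive root and manifest file name are placeholders chosen for illustration.

```powershell
# Added example: export, archive and hash an event log for viewing on another computer.
$ErrorActionPreference = 'Stop'

$LogName     = 'Application'      # placeholder log name
$Locale      = 'en-US'            # placeholder <LocaleString> for /l:
$ArchiveRoot = 'C:\LogArchive'    # hypothetical archive root (absolute path)

# One folder per export, so everything inside it belongs to this archive and moves as a unit.
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$SafeName  = $LogName -replace '[\\/:*?"<>|]', '_'   # some log names contain '/'
$ExportDir = Join-Path $ArchiveRoot "$env:COMPUTERNAME-$SafeName-$Stamp"
$EvtxPath  = Join-Path $ExportDir "$SafeName.evtx"
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Step 2 of the procedure: export the log to a file.
wevtutil epl $LogName $EvtxPath
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

# Step 3: archive the exported file with display information for the chosen locale.
wevtutil al $EvtxPath "/l:$Locale"
if ($LASTEXITCODE -ne 0) { throw "wevtutil al failed with exit code $LASTEXITCODE" }

# The display information is expected in a LocaleMetaData folder beside the .evtx file.
# Without it, the events may not be readable on the other computer.
$MetaDir = Join-Path $ExportDir 'LocaleMetaData'
if (-not (Test-Path $MetaDir)) { throw "LocaleMetaData folder not found: $MetaDir" }
$MetaFiles = @(Get-ChildItem -Path $MetaDir -File)
if ($MetaFiles.Count -eq 0) { throw "LocaleMetaData folder is empty: $MetaDir" }

# Record a SHA-256 hash for the log and each display-information file,
# using paths relative to the export folder so the manifest stays valid after a move.
$Manifest = Join-Path $ExportDir 'manifest.sha256.csv'
@(Get-Item $EvtxPath) + $MetaFiles |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ Name = 'File'; Expression = { $_.Path.Substring($ExportDir.Length + 1) } } |
    Export-Csv -Path $Manifest -NoTypeInformation

Write-Output "Archived $LogName to $ExportDir ($($MetaFiles.Count) display-information file(s))"
```

Copy the whole export folder to the other computer; recomputing the hashes there with Get-FileHash and comparing them against the manifest shows whether the log and its display information arrived intact.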
