Copy event logs (wevtutil epl refuses to overwrite an existing file, so give each exported log its own file name):
C:\> wevtutil epl Security C:\<BACKUP PATH>\security.evtx
C:\> wevtutil epl System C:\<BACKUP PATH>\system.evtx
C:\> wevtutil epl Application C:\<BACKUP PATH>\application.evtx
Get a list of log entries from a remote computer (last 12 hours, extended data): Ref. https://technet.microsoft.com/en-us/sysinternals/psloglist.aspx
C:\> psloglist \\<REMOTE COMPUTER> -accepteula -h 12 -x
Clear all logs and start a clean baseline to monitor (this deletes every existing log entry, so export the logs first):
PS C:\> wevtutil el | ForEach-Object {wevtutil cl "$_"}
List log filenames and path locations:
C:\> wmic nteventlog get path,filename,writeable
Take a pre-breach (baseline) log export (Get-EventLog reads only the classic logs; logs it cannot open are skipped):
PS C:\> wevtutil el | ForEach-Object {Get-EventLog -LogName "$_" -ErrorAction SilentlyContinue | Export-Csv -Path C:\<BASELINE LOG>.csv -Append}
Take a post-breach log export:
PS C:\> wevtutil el | ForEach-Object {Get-EventLog -LogName "$_" -ErrorAction SilentlyContinue | Export-Csv -Path C:\<POST BASELINE LOG>.csv -Append}
Compare the baseline and post-breach log exports and write the differences to a file:
PS C:\> Compare-Object -ReferenceObject $(Get-Content "C:\<PATH TO FILE>\<ORIGINAL BASELINE LOGS>.csv") -DifferenceObject $(Get-Content "C:\<PATH TO FILE>\<POST BASELINE LOGS>.csv") >> <DIFFERENCES LOG>.txt
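The baseline/post-breach comparison above works on raw CSV text and only covers the classic logs. As an added example (not from the original page), the script below records the newest RecordId of every log, including Applications and Services logs, and later pulls only the events written since that snapshot, so no logs have to be cleared to get a baseline. The paths and the -Mode parameter are assumptions.

```powershell
# Added example: RecordId-based event log baseline and diff.
# Usage:  .\Log-Baseline.ps1 -Mode Baseline   (before)  /  -Mode Diff   (after)
param(
    [Parameter(Mandatory)][ValidateSet('Baseline', 'Diff')][string]$Mode,
    [string]$SnapshotPath = 'C:\IR\baseline.json',      # assumed path
    [string]$DiffPath     = 'C:\IR\post-breach.csv'     # assumed path
)

function New-LogSnapshot {
    # Map log name -> highest RecordId currently present. Logs that cannot be
    # read (access denied, analytic/debug channels) are silently skipped.
    $snap = @{}
    foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
        if ($log.RecordCount -gt 0) {
            $newest = Get-WinEvent -LogName $log.LogName -MaxEvents 1 -ErrorAction SilentlyContinue
            if ($newest) { $snap[$log.LogName] = $newest.RecordId }
        }
    }
    $snap | ConvertTo-Json | Set-Content -Path $SnapshotPath
    return $snap.Count
}

function Get-EventsSinceSnapshot {
    # Ask the event log service for records newer than the snapshot via XPath,
    # so only the delta is read instead of every event in every log.
    $snap = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    foreach ($entry in $snap.PSObject.Properties) {
        $xpath = "*[System[EventRecordID > $($entry.Value)]]"
        Get-WinEvent -LogName $entry.Name -FilterXPath $xpath -ErrorAction SilentlyContinue |
            Select-Object LogName, RecordId, TimeCreated, Id, ProviderName, Message
    }
}

switch ($Mode) {
    'Baseline' {
        $n = New-LogSnapshot
        Write-Host "Snapshot of $n logs written to $SnapshotPath"
    }
    'Diff' {
        # A log whose newest RecordId is now lower than the baseline has been
        # cleared since the snapshot; that alone is worth an analyst's attention.
        $events = Get-EventsSinceSnapshot
        $events | Export-Csv -Path $DiffPath -NoTypeInformation
        Write-Host "$(@($events).Count) new events written to $DiffPath"
    }
}
```

Run the Baseline mode before the monitoring window and Diff mode afterwards; the CSV it writes contains only the events that did not exist at baseline time.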