How to investigate Windows Event Log in Excel?

Overview

One way to investigate problems on a Windows PC is through its logs.
These logs can be viewed with the Windows Event Viewer. However, the official tool is slow to work with and its filtering is cumbersome, so this article explains how to process the logs with Excel instead. Also, because of how the Event Viewer is designed, it is difficult to export the results of complex queries using the Event Viewer alone. As an alternative, I processed the logs so that they can be viewed in Excel, and I have written down the procedure here.

Explanation and Purpose

To investigate the cause of physical Windows PC failures and of OS and software defects.
To identify mistakes made by PC users in operating their PCs, etc.

Besides malfunctions, a problem may have other causes, such as the PC operating normally but with unintended settings. The procedure therefore makes these normal logs available for investigation as well.

Target Audience

IT specialists who are able to view and investigate Windows logs and who understand Windows command-line tools such as PowerShell.

Work Flow

  1. Export event logs as evtx files per source
  2. Combine evtx files per source into one TSV file
  3. Fix line breaks in a text editor

Step1

The script created here is written to export the following logs.

  1. The last 30 days
  2. All of the sources in the Administrative Events custom view
  3. Levels: critical, error, warning, information

For convenience, the script also creates a folder. The folder name is the computer name of the PC on which the script was run plus the execution date.

The script is long. The query is taken from the XML of the Event Viewer custom view. The source is basically unchanged, with some rewriting to make it easier to run as a script. As a result, some of the queries may return errors. To make errors easier to check, the results are displayed in the terminal when the script runs.

BAT (Batchfile)
@echo off

REM Get Computer Name
set hostname=%COMPUTERNAME%

REM Get Execution Date
for /f " tokens=2 delims==." %%G in ('wmic OS Get localdatetime /value') do set "datetime=%%G"
set "date=%datetime:~0,8%"

REM Variable to create a folder name on the desktop that combines the computer name and date.
set "dirname=%HOMEDRIVE%%HOMEPATH%\Desktop\%hostname%_%date%"

REM Create a folder on the desktop with the variable PATH
echo A folder is created on the desktop. The folder name is ComputerName_yyyymmdd
mkdir "%dirname%"

echo Logs from the last 30 days are exported. Please wait until it completes...
@echo on
wevtutil epl Application "%dirname%\Application.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Security "%dirname%\Security.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl System "%dirname%\System.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Internet Explorer" "%dirname%\Internet Explorer.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-AppV-Client/Admin "%dirname%\Microsoft-AppV-Client_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Microsoft-AppV-Client/Virtual Applications" "%dirname%\Microsoft-AppV-Client_Virtual Applications.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-All-User-Install-Agent/Admin "%dirname%\Microsoft-Windows-All-User-Install-Agent_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-AppHost/Admin "%dirname%\Microsoft-Windows-AppHost_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Microsoft-Windows-Application Server-Applications/Admin" "%dirname%\Microsoft-Windows-Application Server-Applications_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-AppModel-Runtime/Admin "%dirname%\Microsoft-Windows-AppModel-Runtime_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-AppReadiness/Admin "%dirname%\Microsoft-Windows-AppReadiness_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-AssignedAccess/Admin "%dirname%\Microsoft-Windows-AssignedAccess_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-AssignedAccessBroker/Admin "%dirname%\Microsoft-Windows-AssignedAccessBroker_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Storage-ATAPort/Admin "%dirname%\Microsoft-Windows-Storage-ATAPort_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin "%dirname%\Microsoft-Windows-BitLocker-DrivePreparationTool_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Client-Licensing-Platform/Admin "%dirname%\Microsoft-Client-Licensing-Platform_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-DataIntegrityScan/Admin "%dirname%\Microsoft-Windows-DataIntegrityScan_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-DataIntegrityScan/CrashRecovery "%dirname%\Microsoft-Windows-DataIntegrityScan_CrashRecovery.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-DSC/Admin "%dirname%\Microsoft-Windows-DSC_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin "%dirname%\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot "%dirname%\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider_Autopilot.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-DeviceSetupManager/Admin "%dirname%\Microsoft-Windows-DeviceSetupManager_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Dhcp-Client/Admin "%dirname%\Microsoft-Windows-Dhcp-Client_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Dhcpv6-Client/Admin "%dirname%\Microsoft-Windows-Dhcpv6-Client_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Diagnosis-Scripted/Admin "%dirname%\Microsoft-Windows-Diagnosis-Scripted_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Storage-Disk/Admin "%dirname%\Microsoft-Windows-Storage-Disk_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-DxgKrnl-Admin "%dirname%\Microsoft-Windows-DxgKrnl-Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-EDP-Application-Learning/Admin "%dirname%\Microsoft-Windows-EDP-Application-Learning_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-EDP-Audit-Regular/Admin "%dirname%\Microsoft-Windows-EDP-Audit-Regular_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-EDP-Audit-TCB/Admin "%dirname%\Microsoft-Windows-EDP-Audit-TCB_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Client-License-Flexible-Platform/Admin "%dirname%\Microsoft-Client-License-Flexible-Platform_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-GenericRoaming/Admin "%dirname%\Microsoft-Windows-GenericRoaming_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Hyper-V-Guest-Drivers/Admin "%dirname%\Microsoft-Windows-Hyper-V-Guest-Drivers_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Hyper-V-Hypervisor-Admin "%dirname%\Microsoft-Windows-Hyper-V-Hypervisor-Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Hyper-V-VID-Admin "%dirname%\Microsoft-Windows-Hyper-V-VID-Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Kernel-EventTracing/Admin "%dirname%\Microsoft-Windows-Kernel-EventTracing_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-KeyboardFilter/Admin "%dirname%\Microsoft-Windows-KeyboardFilter_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot "%dirname%\Microsoft-Windows-ModernDeployment-Diagnostics-Provider_Autopilot.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService "%dirname%\Microsoft-Windows-ModernDeployment-Diagnostics-Provider_ManagementService.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin "%dirname%\Microsoft-Windows-ModernDeployment-Diagnostics-Provider_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Diagnostics "%dirname%\Microsoft-Windows-ModernDeployment-Diagnostics-Provider_Diagnostics.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-MUI/Admin "%dirname%\Microsoft-Windows-MUI_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-PowerShell/Admin "%dirname%\Microsoft-Windows-PowerShell_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-PrintBRM/Admin "%dirname%\Microsoft-Windows-PrintBRM_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-PrintService/Admin "%dirname%\Microsoft-Windows-PrintService_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin "%dirname%\Microsoft-Windows-Provisioning-Diagnostics-Provider_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot "%dirname%\Microsoft-Windows-Provisioning-Diagnostics-Provider_AutoPilot.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService "%dirname%\Microsoft-Windows-Provisioning-Diagnostics-Provider_ManagementService.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-PushNotification-Platform/Admin "%dirname%\Microsoft-Windows-PushNotification-Platform_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin" "%dirname%\Microsoft-Windows-RemoteApp and Desktop Connections_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-RemoteAssistance/Admin "%dirname%\Microsoft-Windows-RemoteAssistance_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin "%dirname%\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-RetailDemo/Admin "%dirname%\Microsoft-Windows-RetailDemo_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-SecurityMitigationsBroker/Admin "%dirname%\Microsoft-Windows-SecurityMitigationsBroker_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin "%dirname%\Microsoft-Windows-SmartCard-TPM-VCard-Module_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-SMBDirect/Admin "%dirname%\Microsoft-Windows-SMBDirect_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-SMBWitnessClient/Admin "%dirname%\Microsoft-Windows-SMBWitnessClient_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Storage-Tiering/Admin "%dirname%\Microsoft-Windows-Storage-Tiering_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Storage-ClassPnP/Admin "%dirname%\Microsoft-Windows-Storage-ClassPnP_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Storage-Storport/Admin "%dirname%\Microsoft-Windows-Storage-Storport_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin "%dirname%\Microsoft-Windows-TerminalServices-ClientUSBDevices_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-TerminalServices-LocalSessionManager/Admin "%dirname%\Microsoft-Windows-TerminalServices-LocalSessionManager_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-TerminalServices-PnPDevices/Admin "%dirname%\Microsoft-Windows-TerminalServices-PnPDevices_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-TerminalServices-Printers/Admin "%dirname%\Microsoft-Windows-TerminalServices-Printers_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin "%dirname%\Microsoft-Windows-TerminalServices-RemoteConnectionManager_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin "%dirname%\Microsoft-Windows-TerminalServices-ServerUSBDevices_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-Troubleshooting-Recommended/Admin "%dirname%\Microsoft-Windows-Troubleshooting-Recommended_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Microsoft-Windows-User Device Registration/Admin" "%dirname%\Microsoft-Windows-User Device Registration_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-VerifyHardwareSecurity/Admin "%dirname%\Microsoft-Windows-VerifyHardwareSecurity_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl Microsoft-Windows-WindowsBackup/ActionCenter "%dirname%\Microsoft-Windows-WindowsBackup_ActionCenter.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Microsoft-Windows-Workplace Join/Admin" "%dirname%\Microsoft-Windows-Workplace Join_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl OpenSSH/Admin "%dirname%\OpenSSH_Admin.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Windows PowerShell" "%dirname%\Windows PowerShell.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl "Key Management Service" "%dirname%\Key Management Service.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
wevtutil epl HardwareEvents "%dirname%\HardwareEvents.evtx" /q:"*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]"
echo Export is complete. Please check your desktop.
pause

Step2

The script is meant to be saved and run in the folder created in step 1. It uses Set-Location to switch to the script's own folder, so paths do not need to be written out. It combines all event log files in the folder into a single tab-delimited text file.
I saved the following script as a ps1 file and used it.

PowerShell
# Allow script execution for this PowerShell process only.
echo "Check to see if the Ps1 file can run the OS settings."
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
# Work in the folder that contains this script (the folder created in step 1).
Set-Location -Path $PSScriptRoot
echo "Joining Evtx files in folder and creating TSV file..."
echo "Please wait..."

# Read every evtx file in the folder and write one tab-separated line per event.
Get-WinEvent -Path '*.evtx' |
    Select-Object TimeCreated, LevelDisplayName, Level, ID, ProviderName, Message |
    ForEach-Object { "$($_.TimeCreated)`t$($_.LevelDisplayName)`t$($_.Level)`t$($_.ID)`t$($_.ProviderName)`t$($_.Message)" } |
    Out-File -Encoding utf8 -FilePath 'EventLog.tsv'
echo "Done"
Read-Host -Prompt "Press Enter to exit"

Step3

The last step is not scripting but a search-and-replace in a text editor.

If the Description or Message field of an event in the Event Viewer contains multiple lines, the event also spans multiple lines in the TSV. To avoid this, the exported text is processed so that when a line does not start with mm/dd/yyyy, the line break at the end of the previous line is removed. A regular expression is used as the search string.

  1. Find: $\n^(?!\d{2}/\d{2}/\d{4})
  2. Replace with: a half-width space

Step4

Import the text into Excel. Select tab as the delimiter, import, and the work is done.
Depending on the log, the Message field may be split across multiple cells. If so, you may be able to reduce the work in Excel by adjusting the text processing, for example the part of step 2 that adds a tab between fields.
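
The Step 3 line-break rule and the Step 4 note about Message text spilling into extra cells can both be handled in PowerShell instead of a text editor. The following is an added example, not part of the original article: the function name Repair-EventLogTsv, the output file name EventLog_fixed.tsv and the sample text are constructed, and it assumes the six-column layout from step 2 with TimeCreated written as MM/dd/yyyy HH:mm:ss.

```powershell
# Added example (not the article's script). The function name and the sample
# text are constructed; the six-column layout is the one written in step 2.
function Repair-EventLogTsv {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$ColumnCount = 6
    )
    # Normalize CRLF and lone CR to LF so one pattern covers every line ending.
    $lf = ($Text -replace "`r`n", "`n") -replace "`r", "`n"

    # Step 3 rule, tightened: a line break stays only when the next line starts
    # with "MM/dd/yyyy HH:mm:ss<TAB>" (assumed TimeCreated format from step 2).
    # Any other line break sits inside a multi-line Message and becomes a space.
    $recordStart = '\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\t'
    $joined = [regex]::Replace($lf, "\n(?!$recordStart|\z)", ' ')

    foreach ($line in ($joined -split "`n")) {
        if ($line -eq '') { continue }
        # Limit the split so tabs inside Message stay in the last field,
        # then turn them into spaces so Excel keeps Message in one cell.
        [string[]]$fields = $line -split "`t", $ColumnCount
        $fields[-1] = $fields[-1] -replace "`t", ' '
        $fields -join "`t"
    }
}

# Constructed sample: the first record has a Message that spans three lines,
# contains a tab, and has a continuation line that begins with a date.
$sample = @(
    "01/15/2024 09:12:44`tError`t2`t1000`tApplication Error`tFaulting application name: demo.exe"
    "Faulting module name:`tdemo.dll"
    "01/15/2024 was the build date"
    "01/15/2024 09:13:02`tInformation`t4`t7036`tService Control Manager`tThe Demo service entered the running state."
) -join "`r`n"

$records = @(Repair-EventLogTsv -Text $sample)
foreach ($r in $records) { '{0} fields: {1}' -f ($r -split "`t").Count, $r }

# Apply to the step 2 output when it is present in the current folder.
if (Test-Path -LiteralPath 'EventLog.tsv') {
    $raw = Get-Content -LiteralPath 'EventLog.tsv' -Raw -Encoding UTF8
    Repair-EventLogTsv -Text $raw |
        Set-Content -LiteralPath 'EventLog_fixed.tsv' -Encoding UTF8
}
```

A Message line that begins with a bare date is joined correctly here because the pattern also requires the time and the tab; the mm/dd/yyyy-only pattern from step 3 would treat that line as the start of a new record.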