Archiving Exported EVT(X) Files Using GFI EventsManager

Overview

This article answers the question: is it possible to archive exported EVT(X) files using GFI EventsManager?

Process

GFI EventsManager 2013 can be used with a script to perform the archival of exported EVT(X) files.

Please follow these steps to complete the operation:

  1. Download the script.
  2. Save the script in a folder.
  3. Open the Windows PowerShell and browse to the folder where the script is saved.
  4. Type:
    .\script.ps1 -folder path -LogName mysavedlog -Source sourcename
    • -folder specifies which folder to enumerate for .evtx files;
    • -LogName specifies the name of the custom event log to create;
    • -Source specifies the source name the imported events will appear to come from.

Example:

.\script.ps1 -folder c:\MyEvents -LogName myevents -Source PC-W704

The script takes a folder as input, reads all the .evtx files from it, and imports them into EventViewer.
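The following script is an added illustration of that behaviour, written for this article; it is not GFI's downloadable script, and the parameter names match the usage shown above. It creates the custom log and source if needed, reads each saved .evtx file with Get-WinEvent, and re-writes the events into the custom log with Write-EventLog, keeping the original file name, timestamp, event ID, provider and computer in the message so that provenance survives the re-import.

```powershell
# Added example script (not GFI's own). Requires an elevated PowerShell session.
# Usage: .\script.ps1 -folder C:\MyEvents -LogName myevents -Source PC-W704
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$folder,   # folder to enumerate for .evtx files
    [Parameter(Mandatory)][string]$LogName,  # custom event log to create or reuse
    [Parameter(Mandatory)][string]$Source    # source name the events will appear under
)

# Creating a log or registering a source needs administrative rights; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

# Register the source (and create the log if it does not exist yet).
# A source already registered to a different log must be removed there first.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

$files = Get-ChildItem -Path $folder -Filter *.evtx -File
if (-not $files) { Write-Warning "No .evtx files found in $folder"; return }

$imported = 0
foreach ($file in $files) {
    # Get-WinEvent -Path reads a saved .evtx file; an empty file yields a non-terminating error.
    $events = Get-WinEvent -Path $file.FullName -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Map the original level (1 Critical, 2 Error, 3 Warning) to an EntryType Write-EventLog accepts.
        $type = switch ($ev.Level) { 1 { 'Error' } 2 { 'Error' } 3 { 'Warning' } default { 'Information' } }
        # Keep the original provenance in the message body so it is not lost on re-import.
        $msg = "[{0}] {1} (EventID {2}, Provider {3}, Computer {4})`n{5}" -f `
               $file.Name, $ev.TimeCreated, $ev.Id, $ev.ProviderName, $ev.MachineName, $ev.Message
        # Write-EventLog limits EventId to 0..65535 and the message to 32766 characters.
        $id = [int]($ev.Id -band 0xFFFF)
        if ($msg.Length -gt 32000) { $msg = $msg.Substring(0, 32000) }
        Write-EventLog -LogName $LogName -Source $Source -EventId $id -EntryType $type -Message $msg
        $imported++
    }
}
Write-Host "Imported $imported events from $($files.Count) file(s) into log '$LogName'."
```

Because the re-written entries carry the current time as their write timestamp, the original TimeCreated is preserved only inside the message text; keep the source .evtx files as the authoritative record.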

  5. Open the Windows Event Viewer; the imported events should be listed under the new custom log.

The next steps will be to add this new folder to the computer source in GFI EventsManager:

  1. In GFI EventsManager, browse to Configuration > Events Source.
  2. Right-click the computer and select Properties.
  3. In the Windows Events tab, click the Add button to add the new event log that was created.

Note: When downloading files from the Internet, check the properties of the downloaded file to ensure it was not blocked. If there is an Unblock button at the bottom of the Properties dialog, click it to unblock the file.

Posted by Priyanka Bhotika