Get "wevtutil epl test.evtx /q:" to utilize multiple selects to save one event log file

I'm trying to basically do the same thing Event Viewer can do by creating a custom view and then saving it as an .evtx file. Here is what I have so far, as well as the custom XML generated by creating a custom view in Event Viewer. Utilizing PowerShell as well.

$queryXML = @"
<QueryList>
 <Query Id="0" Path="Application">
  <Select Path="Application">*[System[Provider[@Name='Application'] and (Level=1  or Level=2 or Level=3)]]</Select>
  <Select Path="Security">*[System[Provider[@Name='Application'] and (Level=1  or Level=2 or Level=3)]]</Select>
  <Select Path="Setup">*[System[Provider[@Name='Application'] and (Level=1  or Level=2 or Level=3)]]</Select>
  <Select Path="System">*[System[Provider[@Name='Application'] and (Level=1  or Level=2 or Level=3)]]</Select>
  <Select Path="ForwardedEvents">*[System[Provider[@Name='Application'] and (Level=1  or Level=2 or Level=3)]]</Select>
 </Query>
</QueryList>
"@

 wevtutil epl C:\Users\user\Desktop\test.evtx "/q: $queryXML"

-

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=1  or Level=2)]]</Select>
<Select Path="Security">*[System[(Level=1  or Level=2)]]</Select>
<Select Path="Setup">*[System[(Level=1  or Level=2)]]</Select>
<Select Path="System">*[System[(Level=1  or Level=2)]]</Select>
<Select Path="ForwardedEvents">*[System[(Level=1  or Level=2)]]</Select>
</Query>
</QueryList>


Solution 1:[1]

Figured out a method: save the query XML as a .txt file, then instead of designating an event log name like "system", use the path to the .txt file with the query.

Solution 2:[2]

To expand further on the accepted solution, you save your XML structured query as a file (say "SQ.xml") and then alter your wevtutil statement like so:

wevtutil epl SQ.xml temp.evtx /sq:true

This tells wevtutil to use the XML query saved in SQ.xml and export the logs to a file called temp.evtx. You must specify /sq:true to tell it to query a structured query file.

The structured query format is mostly XPath but Windows puts some slight tweaks on it. More info can be found here. For example:

<QueryList>
  <Query Id="0">
    <Select Path="System">*[System[TimeCreated[@SystemTime &gt;= '2022-04-22T05:00:00' and @SystemTime &lt;= '2022-04-22T15:00:00']]]</Select>
    <Select Path="Application">*[System[TimeCreated[@SystemTime &gt;= '2022-04-22T05:00:00' and @SystemTime &lt;= '2022-04-22T15:00:00']]]</Select>
  </Query>
</QueryList>

The above query grabs System and Application log events for today (April 22, between 5 AM and 3 PM UTC). Note that because this is XML, the greater-than and less-than signs must be encoded.
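Putting both answers together, here is an added PowerShell example (not code from the question or either answer) that generates the structured query from parameters, writes it to a file, runs `wevtutil epl ... /sq:true` against it, and reads the resulting .evtx back to confirm what was exported. Building the XML with `System.Xml` instead of string concatenation means the `>=`/`<=` in the XPath are encoded as `&gt;`/`&lt;` automatically. The channel names, file paths, time window and level list are assumptions for illustration; `Security` requires an elevated session.

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# session when 'Security' is among the channels; paths and window are illustrative.

function New-StructuredQuery {
    param(
        [string[]]$Channels,            # channels to select from, e.g. 'System','Application'
        [int[]]$Levels = @(1, 2),       # 1=Critical, 2=Error, 3=Warning, 4=Information
        [datetime]$Start,
        [datetime]$End,
        [string]$QueryFile
    )
    # XPath over each event's <System> element. @SystemTime is compared as an ISO 8601
    # string in UTC, the same form Event Viewer emits for a custom view.
    $fmt   = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $from  = $Start.ToUniversalTime().ToString($fmt)
    $to    = $End.ToUniversalTime().ToString($fmt)
    $lvl   = ($Levels | ForEach-Object { "Level=$_" }) -join ' or '
    $xpath = "*[System[($lvl) and TimeCreated[@SystemTime >= '$from' and @SystemTime <= '$to']]]"

    # Build the <QueryList> with XmlDocument: InnerText encodes <, > and & for us,
    # which is the hand-encoding step Solution 2 warns about.
    $doc   = New-Object System.Xml.XmlDocument
    $list  = $doc.AppendChild($doc.CreateElement('QueryList'))
    $query = $list.AppendChild($doc.CreateElement('Query'))
    $query.SetAttribute('Id', '0')
    foreach ($channel in $Channels) {
        $sel = $query.AppendChild($doc.CreateElement('Select'))
        $sel.SetAttribute('Path', $channel)
        $sel.InnerText = $xpath
    }
    # Write UTF-8 without a BOM so wevtutil sees plain XML.
    $utf8 = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($QueryFile, $doc.OuterXml, $utf8)
    return $xpath
}

function Export-EventsByQuery {
    param([string]$QueryFile, [string]$OutFile)
    # With /sq:true the first argument is the structured-query file, not a channel name.
    # /ow:true overwrites an existing export file instead of failing.
    & wevtutil.exe epl $QueryFile $OutFile /sq:true /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

    # Read the export back. Every record keeps its source channel in LogName, so a
    # multi-channel .evtx can still be broken down per channel afterwards.
    $events = @(Get-WinEvent -Path $OutFile -ErrorAction SilentlyContinue)
    $events | Group-Object LogName | ForEach-Object {
        Write-Host ("{0,-18} {1,6}" -f $_.Name, $_.Count)
    }
    return $events.Count
}

# Reading Security without elevation fails with access denied, so warn up front.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "Not elevated: exporting the Security channel will likely fail with Access is denied."
}

$queryFile = Join-Path $env:TEMP 'SQ.xml'                      # assumed output paths
$outFile   = Join-Path $env:TEMP 'critical-last-24h.evtx'
$xpath = New-StructuredQuery -Channels 'System','Application','Security' -Levels 1,2 `
    -Start (Get-Date).AddDays(-1) -End (Get-Date) -QueryFile $queryFile
Get-Content $queryFile                                         # shows &gt;= / &lt;= already encoded
$count = Export-EventsByQuery -QueryFile $queryFile -OutFile $outFile
"Exported $count events matching $xpath to $outFile"
```

If you only want to read the events rather than produce an .evtx, the same `<QueryList>` string can be passed straight to `Get-WinEvent -FilterXml`; wevtutil is needed because `Get-WinEvent` cannot write an event log file.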

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution sources:
Solution 1: Sterling Dunn
Solution 2: Chris