The WEvtUtil utility is something I wrote about last year and up until recently I’ve just been using the qe command and piping the output. However, I decided to use the epl (export-log) command to pull down the event log from a remote production server and discovered a significant gotcha. I spun a quick console app to pull the logs down and was running into a problem where the command would execute but I was not seeing the file. So I decided to try giving a different path, then it failed saying access was denied. What I discovered was that it was in fact working but the output file was being created ON THE REMOTE SERVER!! And no, I do not have permissions to access any of the drives on the remote computer but WEvtUtil was still able to create it! I then created a local open share and WEvtUtil could not dump to that file. It seems it can only dump locally to whatever server you’re hitting. This utility has been out for a long time so there are bound to be a few shortcomings but this one is just outright dangerous. Be safe and careful with it.
Happy (and safe) coding!