I am trying to export the Security and System event logs to csv. I am able to run these separately:

Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\Security.evtx" -FilterXPath "*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]"

Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\System.evtx" -FilterXPath "*[System[(EventID=6005 or EventID=6006 or EventID=6008)]]"

You want what together?  You cannot export one query to multiple files in the same command.

If you want the EventIds grouped then you need to sort by eventID before outing to CSV.

You can do this:

$paths='C:\Users\ABC\Desktop\Automated Event Logs\Security.evtx','C:\Users\ABC\Desktop\Automated Event Logs\System.evtx'
$filter='*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=6005 or EventID=6006 or EventID=6008)]]'
Get-WinEvent -Path $paths -FilterXpath $filter

Then add:  sort ContainerLog, ID

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message                                                                                                                                                        
-----------                     -- ---------------- -------                                                                                                                                                        
08/26/2015 8:01:57 AM         4801 Information      The workstation was unlocked....                                                                                                                               
08/25/2015 4:39:31 PM         4803 Information      The screen saver was dismissed....                                                                                                                             
08/25/2015 4:39:29 PM         4802 Information      The screen saver was invoked....                                                                                                                               


   ProviderName: EventLog

TimeCreated                     Id LevelDisplayName Message                                                                                                                                                        
-----------                     -- ---------------- -------                                                                                                                                                        
08/21/2015 4:30:02 PM         6005 Information      The Event log service was started.                                                                                                                             
08/21/2015 4:27:34 PM         6006 Information      The Event log service was stopped.                                                                                                                             
08/14/2015 4:31:01 PM         6005 Information      The Event log service was started

Get-Logs{
    Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\Security.evtx" -FilterXPath "*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]"
    Get-WinEvent -Path "C:\Users\ABC\Desktop\Automated Event Logs\System.evtx" -FilterXPath "*[System[(EventID=6005 or EventID=6006 or EventID=6008)]]"
}

Get-Logs		

Looks like I got it to work like this:

Get-WinEvent -Path "Security.evtx","System.evtx" -FilterXPath "*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=6005 or EventID=6006 or EventID=6008)]]" | Select TimeCreated, Id, Message | Export-Csv "Out.csv"

• Marked as answer by UserDave 13 hours 12 minutes ago

Looks like I got it to work like this:

Get-WinEvent -Path "Security.evtx","System.evtx" -FilterXPath "*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=6005 or EventID=6006 or EventID=6008)]]" | Select TimeCreated, Id, Message | Export-Csv "Out.csv"

• Marked as answer by UserDave Wednesday, August 26, 2015 5:56 PM