resolver101

Reputation: 2255

powershell: get-winevent has no message data?

When I run the script below to retrieve log files, the get-winevent "message" field is blank, but has data if I run get-eventlog. Any ideas why?

#has message data 
Get-Eventlog -LogName application -Newest 10

#date range to query
$EventStartDate = get-date("10 May 2012") 
$EventEndDate = get-date("11 May 2012") 
$EventLogNames = @("Application", "system")

#criteria for Get-WinEvent
$EventCritea = @{logname = $EventLogNames; StartTime=$EventStartDate; EndTime=$EventEndDate}

#Retrieves the event log 
$RetreivedEvents = Get-WinEvent -computername localhost -FilterHashtable $EventCritea
$RetreivedEvents | fl id, logname, MachineName, Message, TimeCreated

Upvotes: 6

Views: 10495

Answers (6)

Patrick E

Reputation: 1

[PS 2.0] Note that a culture change is only valid for the current pipeline. See Culture Gotchas

So the command to temporarily change culture + get-winevent need to be grouped either in a script block (enclosed within "{...}") or on one line separated by ";".

I discovered this when trying to use get-winevent on system log on Server 2008. Messages came up empty, and I needed to change the culture from nl-BE to en-US.

Upvotes: 0

Victor Ashiedu

Reputation: 21

I believe this is because the messages are hidden in a property value. To display all messages, pipe the get-winevent to the select statement with the following expressions:

@{Label='Messages';Expression={$_.properties.Value}}

If you wish to display a specific message, for instance Logon Process (In security logs), use the expression:

@{Label='Logon Process';Expression={$_.properties.Value[3]}}

Upvotes: 2

Yasir

Reputation: 4767

Adding the following line at the top of my script worked for me (taken from Richard's code snippet):

[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"

Upvotes: 0

Djarid

Reputation: 504

What PSHost are you running under?

I am experiencing a problem on PS V2.0 running on Windows 7 accessing W2k8. If run within a PowerShell console or within PowerShell ISE it retrieves all data. However, if running within a runspace or from PowerGUI (pro) it returns only a partial subset which does not include the Message property.

[EDIT] Richard's post allows me to work around the problem, but it is very strange because the culture in the working PS console is 'en-GB' and the culture in the non-working PowerGUI Script Editor is 'en-GB', which only works if I change the culture to 'en-US'.

Freaky

Upvotes: 0

Richard

Reputation: 108975

What locale are you running under?

There is a .NET bug where the underlying .NET method (that Get-WinEvent uses) fails to populate localised fields (like Message) in some locales (like en-GB).

Fix is to switch to en-US for the command:

$orgCulture = Get-Culture
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
# Perform Get-WinEvent
[System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture

Upvotes: 8
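
An added example, not code from any of the answers on this page: it wraps the culture switch from Richard's answer in try/finally so the original culture is restored even if Get-WinEvent throws, and falls back to the raw property values from Victor Ashiedu's answer when Message is still empty. The function name Get-WinEventWithMessage, its parameters and the MessageRendered column are hypothetical; the syntax is kept PS 2.0 compatible.

```powershell
# Added example; function name, parameters and MessageRendered are hypothetical.
function Get-WinEventWithMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [hashtable] $FilterHashtable,
        [string] $ComputerName = 'localhost',
        [string] $CultureName = 'en-US'
    )

    $thread = [System.Threading.Thread]::CurrentThread
    $orgCulture = $thread.CurrentCulture
    try {
        # Switch culture only for the duration of the query.
        $thread.CurrentCulture = New-Object System.Globalization.CultureInfo $CultureName

        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $FilterHashtable |
            Select-Object Id, LogName, MachineName, TimeCreated,
                @{ Label = 'Message'; Expression = {
                    if ([string]::IsNullOrEmpty($_.Message)) {
                        # Message was not rendered: fall back to the raw event data values.
                        ($_.Properties | ForEach-Object { $_.Value }) -join ' | '
                    } else {
                        $_.Message
                    }
                } },
                @{ Label = 'MessageRendered'; Expression = {
                    -not [string]::IsNullOrEmpty($_.Message)
                } }
    }
    finally {
        # Always restore the caller's culture, even if Get-WinEvent throws.
        $thread.CurrentCulture = $orgCulture
    }
}

# Usage with the criteria from the question.
$criteria = @{
    LogName   = @('Application', 'System')
    StartTime = Get-Date '10 May 2012'
    EndTime   = Get-Date '11 May 2012'
}
Get-WinEventWithMessage -FilterHashtable $criteria | Format-List
```

Rows with MessageRendered set to False show which events still came back without a formatted message, so a log collection job can flag them instead of silently storing blanks.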

Chadddada

Reputation: 103

I know I have seen get-winevent not work on Windows Server 2003 in the past when I have tried it. Basically the PS environment said get-winevent didn't work for 2003. That may have been PS v1 then, so I am not sure if that was resolved with newer versions of PS: I am on 2K8 R2 now.

On my

Upvotes: 0
