MalySzaryCzlowiek

Reputation: 41

PowerShell - Getting advanced event log information (XML?)

I need to read specific information from the event log. For example - Security log, ID 4648. With a simple "Get-EventLog" I can't get information like TargetUserName or TargetDomainName in an easy way - only from the .message value, but it's way harder to read one or two pieces of information from the full text. Can I read this from the XML event log, without exporting the log to a file?

XML eventlog

Upvotes: 0

Views: 10079

Answers (3)

Theo

Reputation: 61068

Using the Get-WinEvent cmdlet, you can grab the XML Event data and create your output from there.

The code below does exactly that and returns an array of PsCustomObjects with all event properties found.

$result = Get-WinEvent -FilterHashtable @{LogName="Security";Id=4648} -MaxEvents 100 | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # create an ordered hashtable object to collect all data
    # add some information from the xml 'System' node first
    $evt = [ordered]@{
        EventDate = [DateTime]$eventXml.System.TimeCreated.SystemTime
        Computer  = $eventXml.System.Computer
    }
    # add every <Data> element of the 'EventData' node, keyed by its Name attribute
    $eventXml.EventData.ChildNodes | ForEach-Object { $evt[$_.Name] = $_.'#text' }
    # output as PsCustomObject. This ensures the $result array can be written to CSV easily
    [PsCustomObject]$evt
}

# output to screen
$result

# output to CSV file
$result | Export-Csv D:\test.csv -NoTypeInformation

Upvotes: 3
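An added example, not part of the answer above: the same XML approach narrowed to the fields the question asks for (TargetUserName, TargetDomainName), looked up by their `Name` attribute and tolerant of fields an event does not carry. `Select-EventField` is a hypothetical helper name, and the sample event is constructed so the block runs without access to the Security log.

```powershell
# Constructed sample: a trimmed Security 4648 event in the shape that
# (Get-WinEvent ...).ToXml() returns. All values are made up.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4648</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetServerName">FS01.example.local</Data>
    <Data Name="ProcessName">C:\Windows\System32\mstsc.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

function Select-EventField {
    # Hypothetical helper (not a built-in cmdlet): returns only the requested
    # EventData fields, matched on the Name attribute of each <Data> element.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [Parameter(Mandatory)][string[]]$Field
    )
    process {
        $evt = ([xml]$EventXml).Event
        $row = [ordered]@{
            EventDate = [DateTime]$evt.System.TimeCreated.SystemTime
            Computer  = $evt.System.Computer
        }
        foreach ($name in $Field) {
            # A field that this event does not contain becomes $null instead of an error
            $node = $evt.EventData.Data | Where-Object { $_.Name -eq $name } | Select-Object -First 1
            $row[$name] = if ($node) { $node.'#text' } else { $null }
        }
        [PsCustomObject]$row
    }
}

$sampleXml | Select-EventField -Field TargetUserName, TargetDomainName, TargetServerName, NoSuchField
# Against the live log (requires rights to read the Security log):
# Get-WinEvent -FilterHashtable @{LogName='Security';Id=4648} -MaxEvents 100 |
#     ForEach-Object { $_.ToXml() } | Select-EventField -Field TargetUserName, TargetDomainName
```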

Dominique

Reputation: 17493

PowerShell has a command "Get-EventLog", which is described at this URL: "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1"

Upvotes: 0
