This topic contains 4 replies, has 2 voices, and was last updated by Ondrej Zilinec 3 years, 9 months ago.

  • #19563

    Ondrej Zilinec


    I'm trying to look for events with event ID 4659. I can do it using:

    Get-EventLog -LogName Security -InstanceId 4659

    When I look at the properties I can find the property Message, which contains the message of the event. But I would like to have the XML format of the event, which can be found by looking in Event Viewer. How can I get that XML format of the event (including the parsed message)?

  • #19564

    Ondrej Zilinec

    Ooooooo...I just found it 🙂
    I have to use

    Get-WinEvent -FilterHashtable @{Logname='Security';Id=4659}

    and it does have a method called ToXml which gives me exactly what I want.

    Now the question is "What is the difference between Get-WinEvent and Get-EventLog?"

  • #19565

    Dave Wyatt

    I don't believe Get-EventLog can do that for you, but the objects returned by the newer Get-WinEvent cmdlet have a ToXml() method:

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4659 }
    • #19567

      Ondrej Zilinec

      I already found it, thank you anyway. 🙂

  • #19566

    Dave Wyatt

    Ah, speedy! 🙂 Get-WinEvent is a newer command which has support for all of the custom Windows event logs on a Vista / 2008 and later computer; Get-EventLog only supports the "big 3" of Application, System and Security. Get-EventLog has a couple of other annoying quirks as well, such as not being able to specify alternate credentials when connecting to a remote computer, and using InstanceIDs instead of EventIDs on the command line. (There are 4 possible Instance IDs for each Event ID, a common "gotcha".)

    On the other hand, learning to use Get-WinEvent can be a little tricky, if you're not familiar with the XML / XPath query syntax that is used in the newer Event Viewer console.
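
An added example, not part of the original thread: the XPath form of the Get-WinEvent filter discussed above, with the output of ToXml() flattened into one object per event. The function name Convert-EventXml and the sample event are constructed for illustration; the sample carries only three of the event's data fields.

```powershell
# Added example: turn the XML returned by ToXml() into a flat object.
function Convert-EventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $evt = ([xml]$EventXml).Event
    $sys = $evt['System']
    $row = [ordered]@{
        EventID     = [int]$sys['EventID'].InnerText
        TimeCreated = $sys['TimeCreated'].GetAttribute('SystemTime')
        Computer    = $sys['Computer'].InnerText
    }
    # Each <Data Name="...">value</Data> under EventData becomes a property.
    foreach ($d in $evt['EventData'].GetElementsByTagName('Data')) {
        $row[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$row
}

# Constructed sample event (trimmed), so the function can be tried offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4659</EventID>
    <TimeCreated SystemTime="2014-10-01T09:15:30.000000000Z" />
    <Computer>HOST01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="ObjectName">C:\Data\report.docx</Data>
    <Data Name="AccessMask">0x10000</Data>
  </EventData>
</Event>
'@

Convert-EventXml -EventXml $sampleXml

# Live use (an elevated session is needed to read the Security log):
# Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4659]]' -MaxEvents 20 |
#     ForEach-Object { Convert-EventXml -EventXml $_.ToXml() }
```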
