Get info from an eventlog Message ( general/details) pane

This topic contains 5 replies, has 4 voices, and was last updated by Nicolas Laureyns 2 years, 4 months ago.

  • #36663

    Nicolas Laureyns


    I would like to get some info out of an eventlog item; the General message pane has some info like this:

    PS C:\Windows\system32> $string = (Get-EventLog -LogName Security -InstanceId 5136 -Newest 1).Message

    PS C:\Windows\system32> $string
    A directory service object was modified.

    Security ID: S-1-5-21-xxxxxxxx-xxxxxxx-xxxxxxxx-xxxxxxx
    Account Name: Username
    Account Domain: Domain
    Logon ID: 0x904ea6c

    Directory Service:
    Name: domain
    Type: %%14676

    DN: CN=Domain Admins,CN=Users,DC=domain,DC=be
    GUID: {56284D9B-9FA0-4FE2-8725-7C08B52EF71E}
    Class: group

    LDAP Display Name: member
    Syntax (OID):
    Value: cn=test,OU=Hardware,OU=users,OU=top,OU=domain dd,DC=dd,DC=be

    Type: %%14674
    Correlation ID: {D5F020FB-94BD-458A-9C11-79D7EB22DA64}
    Application Correlation ID: –

    I would like to get the data in some variables, like Account name (username), Group (domain admins), Attribute value.
    The problem is this whole message is a String.
    How would you get these out of the string and put them in a variable?

    Thanks in advance.
    Kind regards.

  • #36664

    Wilfredo Perez

    Try using Get-WinEvent instead of get-eventlog and we might have to change the string to objects.

  • #36665

    Warren Frame

    Hi there!

    There's a good chance you can reference those individual properties directly, rather than trying to read the message string.

    Get-WinEventData simplifies this so that you can simply pipe Get-WinEvent to Get-WinEventData.


  • #36734


    Nicolas, as folks mentioned above, it would be more effective, and subsequently faster, to use Get-WinEvent in conjunction with a hash table. Since you are looking for specific values, you will have to parse the XML view option that the Windows event log offers.

    In short, for example:
    $MySecurityLog = Get-WinEvent -FilterHashtable @{logname = 'security'; id = 4798}

    Then retrieve what you want to retrieve: $MySecurityLog | gm
    In your scenario, $ will provide you output like UserName, domain, etc.

    The "tricky" part (let's say) is to cast $MySecurityLog as XML since, as I mentioned, you need to parse the event log XML info.

    $ConvertToXml = [xml]$MySecurityLog.toxml()

    Finally, search your XML variable again and retrieve the related members step by step (Event, EventData, etc.).
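A worked version of the approach this post describes, added here as an example and not code from the thread: it filters the Security log for event 5136 (the event from the original question) with Get-WinEvent, casts the record to XML and reads the fields by their Data Name instead of by position, so the script does not break if the field order differs. The names used (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType) are the ones Windows writes for 5136; confirm them on your own system with $record.ToXml() before relying on them.

```powershell
# Added example (not from the thread): read event 5136 through Get-WinEvent and
# the record's XML, looking fields up by Data Name rather than by index.

function ConvertFrom-EventData {
    # Turn <EventData><Data Name="...">value</Data>...</EventData> into an
    # ordered hashtable so fields can be read by name.
    param([Parameter(Mandatory)] $Record)
    $xml    = [xml]$Record.ToXml()
    $fields = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        # Some Data nodes carry no text (e.g. AttributeSyntaxOID in the post);
        # keep those as empty strings instead of $null.
        $fields[$d.Name] = if ($null -eq $d.'#text') { '' } else { $d.'#text' }
    }
    return $fields
}

# Newest 5136 (directory service object modified) from the Security log.
# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
$record = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $record) {
    Write-Warning 'No 5136 event found (is "Audit Directory Service Changes" enabled?)'
    return
}

$f = ConvertFrom-EventData -Record $record

# %%14674 is the resource-string id for "value added" (seen as Type: %%14674 in
# the Message pane of the original post); %%14675 is "value deleted".
$operation = switch ($f['OperationType']) {
    '%%14674' { 'added' }
    '%%14675' { 'deleted' }
    default   { $f['OperationType'] }
}

# The three things the original question asked for, plus the operation and time.
[pscustomobject]@{
    AccountName = $f['SubjectUserName']
    Group       = $f['ObjectDN']
    Attribute   = $f['AttributeLDAPDisplayName']
    Value       = $f['AttributeValue']
    Operation   = $operation
    When        = $record.TimeCreated
}
```

Reading by name also makes the result easy to filter: a check such as `$f['ObjectDN'] -like 'CN=Domain Admins,*' -and $f['AttributeLDAPDisplayName'] -eq 'member'` isolates membership changes to a sensitive group, which is the kind of 5136 event most worth alerting on.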


  • #36757

    Nicolas Laureyns

    Tyvm guys for the responses, the answers helped me out.
    I'll finish the scripts tomorrow and post them here.

    Grtz Nicolas

  • #36807

    Nicolas Laureyns

    Hello guys,

    This is a part of the script:

    #Get the event 4722 => user enabled
    $event = Get-WinEvent -FilterHashtable @{ID='4722'; logname='security'} -MaxEvents 1
    #Create an XML from the event
    $eventXML = [xml]$Event.ToXml()
    #Extract data out of the XML
    $Targetusername = $eventXML.Event.EventData.Data[0].'#text'
    $user = $eventXML.Event.EventData.Data[4].'#text'
    #Send the mail
    $subj = "The user $Targetusername is created or enabled by user: $user"
    $comp = Get-Childitem env:computername
    $body = "You can see the eventlog on $comp on $event.timeCreated for eventID:4722"
    send-mailmessage -to .... -from .... -subject $subj -Body $body -SmtpServer .....

    The last problem is when I'm sending a mail message with the -Body string the output is like this:
    You can see the eventlog on System.Collections.DictionaryEntry on System.Diagnostics.Eventing.Reader.EventLogRecord.timeCreated for eventID:4722

    I tried converting those outputs to Strings, but to no avail.

    Kind regards,
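To show where the body string in the script above goes wrong and how to fix it, here is an added example (not the poster's finished script). Mail addresses and the SMTP server are placeholders, and the 4722 field names (TargetUserName, SubjectUserName) are the ones Windows writes for that event.

```powershell
# Added example (not the poster's script): the mail-body fix for the 4722
# notification. Addresses and SMTP server below are placeholders.

# Event 4722 = user account enabled. -ErrorAction SilentlyContinue keeps
# Get-WinEvent from throwing when no matching event exists.
$event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722 } `
                      -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $event) { Write-Warning 'No 4722 event found'; return }

$eventXML = [xml]$event.ToXml()
$data     = $eventXML.Event.EventData.Data
# Data[0] and Data[4] in the original are these two fields; reading them by
# name survives a change in field order.
$TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
$user           = ($data | Where-Object Name -eq 'SubjectUserName').'#text'

# Why the original body printed type names:
#  1. Get-ChildItem env:computername returns a DictionaryEntry object, so the
#     string shows the object's type name; $env:COMPUTERNAME is the value.
#  2. Inside "...", $event.timeCreated expands only $event (its ToString(),
#     which is the EventLogRecord type name) and then appends the literal text
#     ".timeCreated". Property access in a string needs $($event.TimeCreated).
$compEntry = Get-ChildItem env:computername
$broken    = "on $compEntry on $event.timeCreated"   # reproduces the output quoted in the post

$comp = $env:COMPUTERNAME
$when = $event.TimeCreated.ToString('u')           # sortable, unambiguous timestamp
$subj = "The user $TargetUserName was created or enabled by user: $user"
$body = "You can see the event log on $comp at $when for event ID 4722"

Send-MailMessage -To 'soc@example.com' -From 'alerts@example.com' `
                 -Subject $subj -Body $body -SmtpServer 'smtp.example.com'
```

The subexpression `$(...)` is the general rule: anything beyond a plain variable name (a property, an index, a method call) must be wrapped in it to be evaluated inside a double-quoted string.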
