I’m trying to look for events with event ID 4659. I can do it using:
Get-EventLog -LogName Security -InstanceId 4659
When I look at the properties, I can find the Message property, which contains the message of the event. But I would like to have the XML format of the event, which can be found by looking in Event Viewer. How can I get that XML format of the event (including the parsed message)?
Ah, speedy! Get-WinEvent is a newer command which has support for all of the custom Windows event logs on a Vista / 2008 and later computer; Get-EventLog only supports the “big 3” of Application, System and Security. Get-EventLog has a couple of other annoying quirks as well, such as not being able to specify alternate credentials when connecting to a remote computer, and using InstanceIDs instead of EventIDs on the command line. (There are 4 possible Instance IDs for each Event ID, a common “gotcha”.)
On the other hand, learning to use Get-WinEvent can be a little tricky, if you’re not familiar with the XML / XPath query syntax that is used in the newer Event Viewer console.
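An added example, not part of the original thread: one way to get the Event Viewer XML for event 4659 with Get-WinEvent, using an XPath filter and the record's `ToXml()` method, then flattening the XML into an object. The function name `ConvertFrom-EventXml` and the sample event are constructed for illustration; the field values in the sample are placeholders.

```powershell
# Hypothetical helper: turn one event's XML into a flat object (System fields + named EventData).
function ConvertFrom-EventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        $sys = $doc.Event['System']
        $fields = [ordered]@{
            EventID     = [int]$sys['EventID'].InnerText
            TimeCreated = $sys['TimeCreated'].GetAttribute('SystemTime')
            Computer    = $sys['Computer'].InnerText
        }
        $eventData = $doc.Event['EventData']
        if ($eventData) {
            foreach ($d in $eventData.ChildNodes) {
                if ($d -isnot [System.Xml.XmlElement]) { continue }
                $name = $d.GetAttribute('Name')
                if ($name) { $fields[$name] = $d.InnerText }   # skip unnamed <Data> nodes
            }
        }
        [pscustomobject]$fields
    }
}

# Constructed sample in the Event Viewer XML layout, so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4659</EventID>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000000000Z" />
    <Computer>HOST01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="ObjectName">C:\Temp\example.txt</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-EventXml

# Live query (elevated session needed for the Security log). Get-WinEvent raises an
# error when nothing matches, so catch it instead of treating it as a failure.
try {
    Get-WinEvent -LogName Security -FilterXPath '*[System[(EventID=4659)]]' -MaxEvents 5 -ErrorAction Stop |
        ForEach-Object {
            $_.ToXml()                          # raw XML, as shown in Event Viewer's XML view
            $_.ToXml() | ConvertFrom-EventXml   # same event as an object
            $_.Message                          # rendered message text
        }
} catch {
    Write-Warning "No 4659 events returned: $($_.Exception.Message)"
}
```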