Get-EventLog

Dudes!

I’m trying to look for event with event ID 4659. I can do it using:

Get-EventLog -LogName Security -InstanceId 4659

When I look for properties I can find property Message which contains message of event. But I would like to have XML format of event which can be found looking in event viewer. How can I get that XML format of event (including parsed message)?

Ooooooo…I just found it :slight_smile:
I have to use

Get-WinEvent -FilterHashtable @{Logname='Security';Id=4659}

and it does have Methos called ToXml which gives me exactly I want.

Now the question is “What is difference between Get-WinEvent and Get-EventLog?”

I don’t believe Get-EventLog can do that for you, but the objects returned by the newer Get-WinEvent cmdlet have a ToXml() method:

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4659 }
$events[0].ToXml()

Ah, speedy! :slight_smile: Get-WinEvent is a newer command which has support for all of the custom Windows event logs on a Vista / 2008 and later computer; Get-EventLog only supports the “big 3” of Application, System and Security. Get-EventLog has a couple of other annoying quirks as well, such as not being able to specify alternate credentials when connecting to a remote computer, and using InstanceIDs instead of EventIDs on the command line. (There are 4 possible Instance IDs for each Event ID, a common “gotcha”.)

On the other hand, learning to use Get-WinEvent can be a little tricky, if you’re not familiar with the XML / XPath query syntax that is used in the newer Event Viewer console.

I already found it, thank you anyway. :slight_smile: