Get-WinEvent to XML, now what?

Good evening,

I’m relatively new to PowerShell, far more comfortable with SQL.

I need to get some data out of the event logs. I’ve managed to establish so far that I need to use Get-WinEvent and use the xml element to get the actual info I want.

So far I’ve got:

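# 4624 (successful logon) events are written to the Security log
$filterxml = "
<QueryList>
	<Query Id='0' Path='Security'>
		<Select Path='Security'>
		    *[System[(EventID='4624')]]
			and
            (
			*[EventData[Data[@Name='LogonType'] and (Data='10')]]
            or
            *[EventData[Data[@Name='LogonType'] and (Data='2')]]
            )
		</Select>
	</Query>
</QueryList>
"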

$Events = Get-WinEvent -maxEvents 1 -Filterxml $filterXml

# Get out the event message data            
ForEach ($Event in $Events) {            
    # Convert the event to XML            
    $eventXML = [xml]$Event.ToXml() 

 #Now what?? I need to find out how to return the actual data in a form I can put into a datatable.
}

It seems like it should be so easy to chuck out the values either into variables or straight into a datatable etc.

I’ve been looking for a solution for a while without any luck.

Thanks in advance for your time.

Matt

Ah, managed to find something that helped: xml - Working with Event Logs in Powershell - Server Fault

Ashley McGlone has some good articles explaining how to parse XML Event Data:

https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/

https://blogs.technet.microsoft.com/ashleymcglone/2015/08/31/forensics-automating-active-directory-account-lockout-search-with-powershell-an-example-of-deep-xml-filtering-of-event-logs-across-multiple-servers-in-parallel/
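
One way to do what the question asks, turning each event's named EventData fields into columns of a DataTable, as an added example that is not code from any post in this thread or from the linked articles. The helper names ConvertTo-EventRow and ConvertTo-EventDataTable and the sample event are constructed for illustration.

```powershell
# Constructed sample: a trimmed 4624 event in the shape $Event.ToXml() returns.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.000000000Z" />
    <Computer>HOST01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

function ConvertTo-EventRow {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$EventXml)
    $sys = $EventXml.DocumentElement['System']
    $row = [ordered]@{
        TimeCreated = $sys['TimeCreated'].GetAttribute('SystemTime')
        EventID     = $sys['EventID'].InnerText
        Computer    = $sys['Computer'].InnerText
    }
    # Each <Data Name="x">value</Data> becomes a property named x.
    foreach ($d in $EventXml.GetElementsByTagName('Data')) {
        $name = $d.GetAttribute('Name')
        if ($name) { $row[$name] = $d.InnerText }   # skip unnamed Data elements
    }
    [pscustomobject]$row
}

function ConvertTo-EventDataTable {   # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Rows)
    $table = New-Object System.Data.DataTable 'Logons'
    foreach ($r in $Rows) {
        foreach ($p in $r.PSObject.Properties) {
            # Columns are created on first sight, so events with extra fields still fit.
            if (-not $table.Columns.Contains($p.Name)) { [void]$table.Columns.Add($p.Name, [string]) }
        }
        $dr = $table.NewRow()
        foreach ($p in $r.PSObject.Properties) { $dr[$p.Name] = [string]$p.Value }
        $table.Rows.Add($dr)
    }
    ,$table   # leading comma stops PowerShell unrolling the table into rows
}

$table = ConvertTo-EventDataTable -Rows @(ConvertTo-EventRow -EventXml $sampleXml)
$table | Format-Table TimeCreated, TargetUserName, LogonType, IpAddress
```

Inside the loop from the question, the call would be `ConvertTo-EventRow -EventXml $Event.ToXml()`. Several 4624 fields (for example TargetUserName and WorkstationName) come from the client that is logging on, so load the table into SQL with SqlBulkCopy or parameterised inserts rather than by concatenating values into a statement.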