obtain specific event data

  • Question

  • Can someone advise how to obtain specific event data from the events? I saw another thread about getting event data, but that is from a specific event. I would like to see the event data for all the events.

    Thanks

    Friday, May 9, 2014 7:44 PM

Answers

  • The strings are in the order they appear in the message body. It is a zero-based array. Every event ID has a different structure; you must know that structure in advance.

    ¯\_(ツ)_/¯

    • Marked as answer by hkg04 Monday, May 12, 2014 9:54 PM
    Monday, May 12, 2014 9:39 PM

All replies

  • Did you try

    get-help get-winevent -examples

    With get-winevent you can filter events e.g. Event ID

    Friday, May 9, 2014 8:31 PM
  • Can someone advise how to obtain specific event data from the events? I saw another thread about getting event data, but that is from a specific event. I would like to see the event data for all the events.

    Thanks

    All events can have different data structures. You have to be specific about what data you want. As suggested, start with help, then query the web for more information. When you know what you want to get, post back with a specific question.

    ¯\_(ツ)_/¯

    Friday, May 9, 2014 9:02 PM
  • I did search the web and was unable to find any info. What I would like to do is filter all the events with a specific event ID (logon failure), then query the source network address\logon account name for each of these filtered events. Thanks

    Monday, May 12, 2014 4:52 PM
  • I did search the web and was unable to find any info. What I would like to do is filter all the events with a specific event ID (logon failure), then query the source network address\logon account name for each of these filtered events. Thanks

    Just use the Instance for the event ID.

    Look in the repository for examples.


    ¯\_(ツ)_/¯

    Monday, May 12, 2014 5:18 PM
  • Thanks, I can't seem to locate those properties from the instance.

    Monday, May 12, 2014 6:56 PM
  • This will help you.

    http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx


    S.Arun Prasath

    Monday, May 12, 2014 7:08 PM
  • Thanks, I can't seem to locate those properties from the instance.

    What have you tried?

     Get-EventLog -LogName Security -InstanceId 4624,4634 | Select-Object -ExpandProperty ReplacementStrings


    ¯\_(ツ)_/¯

    Monday, May 12, 2014 7:24 PM
  • If you do not have Vista and later on all systems, then you cannot use Get-WinEvent. You will also have to have the latest .NET Framework and patches installed to get XML data.

    Get-Eventlog works against all platforms and on all versions of PowerShell.


    ¯\_(ツ)_/¯

    Monday, May 12, 2014 7:26 PM
  • Thanks, this is what I tried. But I only want to show the source network address and was unable to locate the specific property.
    Monday, May 12, 2014 9:35 PM
  • The strings are in the order they appear in the message body. It is a zero-based array. Every event ID has a different structure; you must know that structure in advance.

    ¯\_(ツ)_/¯

    • Marked as answer by hkg04 Monday, May 12, 2014 9:54 PM
    Monday, May 12, 2014 9:39 PM
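    The following is an added example, not code posted by anyone in this thread, showing both routes the answers point at: indexing into the zero-based ReplacementStrings array with Get-EventLog, and reading the same fields by name from the event XML with Get-WinEvent (the approach in the linked blog post). It assumes Security event ID 4625 is the failed-logon event you want, that the array positions 5 (account name) and 19 (source address) are correct for 4625 on your Windows version (dump one event first and verify, as the accepted answer says), and that you run it elevated on a host that has such events.

```powershell
# Added example (not from the thread): pull the account name and source
# network address out of every failed-logon event (Security event ID 4625).
# Run from an elevated prompt; reading the Security log needs admin rights.

# 1. Index-based approach, matching the Get-EventLog answer in the thread.
#    ReplacementStrings is a zero-based array in message-body order, so the
#    position of each field depends on the event ID. Dump one event with its
#    indices first and confirm the positions before trusting them.
$strings = (Get-EventLog -LogName Security -InstanceId 4625 -Newest 1).ReplacementStrings
for ($i = 0; $i -lt $strings.Count; $i++) { "[$i] $($strings[$i])" }

# Indices 5 (TargetUserName) and 19 (IpAddress) are an assumption for 4625;
# adjust them to what the dump above shows on your system.
$failedByIndex = Get-EventLog -LogName Security -InstanceId 4625 -Newest 500 |
    ForEach-Object {
        [pscustomobject]@{
            TimeGenerated = $_.TimeGenerated
            Account       = $_.ReplacementStrings[5]
            SourceAddress = $_.ReplacementStrings[19]
        }
    }
$failedByIndex | Format-Table -AutoSize

# 2. Name-based approach with Get-WinEvent (Vista and later). The event XML
#    carries a Name attribute on every <Data> element, so no positions are
#    needed and the code survives a field being added to the event schema.
function Get-FailedLogon {
    param([int]$MaxEvents = 500)
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Account       = $data['TargetUserName']
                Domain        = $data['TargetDomainName']
                LogonType     = $data['LogonType']
                SourceAddress = $data['IpAddress']
                Workstation   = $data['WorkstationName']
            }
        }
}

# Detection view: which source addresses fail most often, and against which
# accounts. One address cycling through many accounts is worth investigating.
Get-FailedLogon |
    Group-Object SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

    The name-based route is the one to prefer whenever Get-WinEvent is available: the index-based route silently returns the wrong field if the event's data layout differs from what you verified, whereas a missing named field simply comes back empty.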
  • Thanks

    Monday, May 12, 2014 9:54 PM