Home / server / Questions / 303967
Accepted
pk.
Asked: 2011-08-23 15:55:51 +0800 CST

Working with Event Logs in Powershell

  • 772

I have trying to analyze records from the Windows Security log and having a bit of difficulty getting specific values out of some of the logon/logoff events. Let's take a look at a specific example - here's the XML of one of the log entries.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
        <EventID>4634</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12545</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime='2011-08-16T17:15:38.702857400Z'/>
        <EventRecordID>107947</EventRecordID>
        <Correlation/>
        <Execution ProcessID='680' ThreadID='972'/>
        <Channel>Security</Channel>
        <Computer>SRV1.DOMAIN.LOCAL</Computer><Security/>
    </System>
    <EventData>
        <Data Name='TargetUserSid'>S-1-5-21-963414502-3093649508-813756320-3274</Data>
        <Data Name='TargetUserName'>billgates</Data>
        <Data Name='TargetDomainName'>MYDOMAIN</Data>
        <Data Name='TargetLogonId'>0x1c01acc</Data>
        <Data Name='LogonType'>10</Data>
    </EventData>
</Event>

How would I, for instance, go about extracting the 0x1c01acc stored in the Data node with the Name attribute equal to 'TargetLogonId'?

powershell xml

3 Answers

  1. Best Answer

    Make sure your string is valid XML (ie add </Event> to the end of what you've posted above, and then cast that string as XML:

    $xml = [xml]$yourStringHere

    Then you can pull out the TargetLogonId like this:

    $xml.Event.SelectSingleNode("//*[@Name='TargetLogonId']") | select -ExpandProperty '#text'

    Thanks to Shay Levy and this post: http://social.technet.microsoft.com/Forums/en/ITCG/thread/5aa133b0-ea69-4348-9bac-d028ba895024

    • 5

  2. If you are given just the raw XML, you can load up the XML document. Since you posted an XML fragment, I'll assume that it was exported from the log and has a <Events> root tag. The tricky part is the namespace.

    $xml = [xml](get-content "PathToXml.xml")
$xmlns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
$xmlns.AddNamespace("el", "http://schemas.microsoft.com/win/2004/08/events/event")
$value = $xml.SelectSingleNode("/Events/el:Event/el:EventData/el:Data[@Name = 'TargetLogonId']/text()", $xmlns).Value

    The XML I used:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2011-08-16T17:15:38.702857400Z'/>
    <EventRecordID>107947</EventRecordID>
    <Correlation/>
    <Execution ProcessID='680' ThreadID='972'/>
    <Channel>Security</Channel>
    <Computer>SRV1.DOMAIN.LOCAL</Computer><Security/>
</System>
<EventData>
    <Data Name='TargetUserSid'>S-1-5-21-963414502-3093649508-813756320-3274</Data>
    <Data Name='TargetUserName'>billgates</Data>
    <Data Name='TargetDomainName'>MYDOMAIN</Data>
    <Data Name='TargetLogonId'>0x1c01acc</Data>
    <Data Name='LogonType'>10</Data>
</EventData>
</Event>
</Events>
    • 2

  3. To get the XML for an event log entry:

    Get-WInEvent ‹parameters to select the events› | Foreach-Object { $_.ToXml() }

    Then use the techniques shown in the other answers to extract the specific <Data> value.

    • 1