Get EventLog Event Details Content PowerShell
Hello,
Windows event logs are great for recording what happens on a host. Searching them is easy with the EventVwr.msc console, but searching them programmatically can be tricky, especially when you only want a few key pieces of information out of an event.
Let's take event ID 5719 as an example:
As you will probably agree, the important piece of information there is "D2K16TP4". Why I have this event is irrelevant here, but this kind of event shows up when a trusted domain is unreachable.
To read the event log with PowerShell, you have two cmdlets: Get-EventLog and Get-WinEvent.
The first one is the legacy cmdlet, the second one is the modern one. Get-WinEvent is very powerful for searching through logs, and even better at extracting just the information you need from an event. Let's use it to grab event 5719 and pull out only the trusted domain name.
Get-WinEvent -FilterHashtable @{LogName = 'System';ID='5719'} | select -First 1 -Property *
If you look at the "Message" property, you could try to write a complex regular expression to match the domain name. There is an easier way: expand the "Properties" property:
Get-WinEvent -FilterHashtable @{LogName = 'System';ID='5719'} | select -First 1 -ExpandProperty Properties
And voilà, we have the information we need. Now we just need to build a custom object with it:
Get-WinEvent -FilterHashtable @{LogName = 'System';ID='5719'} | ForEach-Object -Process { [PSCustomObject]@{ TimeCreated = $_.TimeCreated; TrustedDomainName = $_.Properties[0].Value } }
Then you can export it (Export-Csv, ConvertTo-Json) or treat it like any other PowerShell object.
Conclusion
This process works for any type of event. You can even use the console to see the properties through the XML view of the event:
The interesting bits are in the "EventData" section. This is the same information we saw when we expanded the "Properties" property in PowerShell. Keep in mind that the Properties collection is positional: index 0 is the trusted domain name for 5719, but the order and meaning of the entries differ from one event ID and provider to another, so check the XML view before hard-coding an index.
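As an added example (this is not code from the original post), here is a small function that generalises the Properties trick: it renders each event to XML, the same view the console shows, and builds a custom object keyed by the EventData field names, falling back to positional names (Data0, Data1, ...) for classic events such as NETLOGON's 5719 whose Data entries carry no Name attribute. The function name, the 7-day window and the CSV path are my own choices; ProviderName 'NETLOGON' is the source that writes event 5719 to the System log.

```powershell
# Added example, not from the original post. Assumes a Windows host with Get-WinEvent
# and at least one event 5719 in the System log.

function Get-EventDataObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        # ToXml() renders the same <EventData> block that Event Viewer shows in its XML view.
        [xml]$xml = $Event.ToXml()

        $obj = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Provider    = $Event.ProviderName
            MachineName = $Event.MachineName
        }

        # local-name() sidesteps the event schema namespace, so no namespace manager is needed.
        # Named fields (<Data Name="...">) keep their name; unnamed ones (classic events)
        # get Data0, Data1, ... which matches the order of $Event.Properties.
        $i = 0
        foreach ($d in $xml.SelectNodes("//*[local-name()='Data']")) {
            $name = $d.GetAttribute('Name')
            if ([string]::IsNullOrEmpty($name)) { $name = "Data$i" }
            $obj[$name] = $d.InnerText
            $i++
        }

        [PSCustomObject]$obj
    }
}

# Constructed query: 5719 events from the last 7 days. Narrowing on ProviderName and
# StartTime happens server-side in Get-WinEvent, which is much cheaper than piping the
# whole System log through Where-Object. Get-WinEvent throws when nothing matches, hence
# -ErrorAction SilentlyContinue.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5719
    StartTime    = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Get-EventDataObject |
    Select-Object TimeCreated, MachineName, @{ n = 'TrustedDomainName'; e = { $_.Data0 } } |
    Export-Csv -Path .\unreachable-trusted-domains.csv -NoTypeInformation
```

For 5719, Data0 is the same value as $_.Properties[0].Value from the one-liner above; the advantage of going through the XML is that for modern providers you get the real field names (for example SubjectUserName, IpAddress on the Security log) instead of having to remember indices, and the same function works unchanged against any log or event ID.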