
I am reading an event log using a PowerShell command like the one below:

```powershell
get-winevent -Path "C:\Test.evtx" -oldest | convertto-xml -as Stream > "C:\Test.xml"
```

As you can see, I am storing the result in an XML file for later reading.

For a few events in the event log, I need a special query as follows:

```powershell
$evtWithoutMsg = get-winevent -Path "C:\Test.evtx" | Where-Object {($_.RecordId -eq 53593)}
$xmlThing = [xml]$evtWithoutMsg.toxml()
$msg = $xmlThing.Event.EventData.Data
$msg
```

My question is: can I have this `$xmlThing.Event.EventData.Data` as a new node or something in the XML file output (test.xml) of the initial command?

ViV
  • It should be possible, but it's way easier to either put it in a separate XML file or save the whole event and extract the data when you need it. Can I ask why you can't extract it when you're going to use it? – Frode F. Jan 23 '13 at 08:28
  • @Graimer: Thanks for the reply. I'm not sure how I can extract it from the environment I'm running it from. Well, I'm trying another approach: to get rid of the variable-like things, i.e. `$evtWithoutMsg` etc. I've come this far: `[xml](get-winevent -Path "C:\Test.evtx" -oldest | Where-Object { ($_.RecordId -eq 53593)}).toxml()`. Can you please help me further? – ViV Jan 23 '13 at 08:55
  • Okay. There's no problem with using variables like you have done. I'm just trying to understand how the output should look. How does your software read it? Did you plan to import it again with PowerShell and work with it? Do you have software that understands the schema PowerShell uses? `$msg` and the other events are different object types, so putting them together seems strange. – Frode F. Jan 23 '13 at 14:42

0 Answers
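One way to get every event's `EventData` into a single XML file is shown below, as an added example that is not part of the original thread. It takes a different route from `convertto-xml`: it streams each record's raw `ToXml()` output into one document. The wrapper element names `Events`, `Record` and `Message` are hypothetical; the paths and the record ID are the ones from the question.

```powershell
# Added example. Element names Events, Record and Message are hypothetical.
$inPath  = 'C:\Test.evtx'   # paths taken from the question
$outPath = 'C:\Test.xml'

$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true

$writer = [System.Xml.XmlWriter]::Create($outPath, $settings)
try {
    $writer.WriteStartDocument()
    $writer.WriteStartElement('Events')

    # Stream record by record so a large log is never held in memory.
    Get-WinEvent -Path $inPath -Oldest | ForEach-Object {
        $writer.WriteStartElement('Record')
        $writer.WriteAttributeString('RecordId', [string]$_.RecordId)

        # Rendered message text; may be empty for some events
        # (the case the question is about).
        $writer.WriteElementString('Message', [string]$_.Message)

        # Raw event XML as stored in the log: the System block plus
        # EventData/Data, present whether or not a message was rendered.
        $writer.WriteRaw($_.ToXml())

        $writer.WriteEndElement()   # </Record>
    }

    $writer.WriteEndElement()       # </Events>
    $writer.WriteEndDocument()
}
finally {
    $writer.Close()
}

# Read the file back and list the Data values of one record.
# The <Event> subtree is namespaced, so match on local-name().
$doc = New-Object System.Xml.XmlDocument
$doc.Load($outPath)
$record = $doc.SelectSingleNode("/Events/Record[@RecordId='53593']")
if ($record) {
    $record.SelectNodes(".//*[local-name()='EventData']/*[local-name()='Data']") |
        ForEach-Object { '{0} = {1}' -f $_.GetAttribute('Name'), $_.InnerText }
}
```

Because the raw event XML is kept unmodified inside each `Record`, the file stays usable for later analysis even on a machine where the provider's message templates are not installed.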