
I have an event log entry and would like to query "Security UserID" to retrieve its value. Is this possible? Preferably using PowerShell.

Log Name:      Application
Source:        EventCreate
Date:          26/08/2014 10:17:21
Event ID:      4
Task Category: None
Level:         Information
Keywords:      Classic
User:          DOMAIN\UserName
Computer:      COMPUTERNAME
Description:
This is a test
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventCreate" />
    <EventID Qualifiers="0">4</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-08-26T09:17:21.000000000Z" />
    <EventRecordID>570080</EventRecordID>
    <Channel>Application</Channel>
    <Computer>COMPUTERNAME</Computer>
    <Security UserID="S-1-5-21-xxxxxxxxxxxxxxxxxxxxxx" />
  </System>
  <EventData>
    <Data>Process Started</Data>
  </EventData>
</Event>
user3082478

2 Answers

There probably is a much better way to do this. But this works for me as I have the EventRecordID from another source. If anyone has a better way please post it.

$query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventRecordID=570080)]]</Select>
  </Query>
</QueryList>
"@

# ToXml() returns the same XML shown in the event viewer; casting to [xml] lets us dot-walk it
$evt1 = [xml](Get-WinEvent -FilterXml $query).ToXml()
# The Security element carries the UserID attribute (the caller's SID)
$evt1.Event.System.Security
user3082478
# UserId is a System.Security.Principal.SecurityIdentifier; .Value is the SID string
(Get-WinEvent -LogName 'Application' | Select -First 1).UserId.Value
ojk
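Putting the two answers together, here is an added example (not code from either answer) that fetches one or more Application-log records by EventRecordID using an XPath filter, reads the SID from the UserId property, cross-checks it against the Security UserID attribute in the raw event XML, and resolves the SID to an account name where the local machine can translate it. The function name, the parameter names and the record id 570080 (taken from the question) are assumptions; Get-WinEvent throws "No events were found" when the id does not exist in the log, so catch that if you loop over ids.

```powershell
function Get-EventSecurityUserId {
    <#
    Added example: return the Security UserID (SID) of each matching event, plus the
    resolved account name when the SID can be translated on this machine.
    #>
    [CmdletBinding()]
    param(
        [string]$LogName = 'Application',
        [long[]]$RecordId,          # one or more EventRecordID values; omit to take the newest events
        [int]$MaxEvents = 50
    )

    if ($RecordId) {
        # Build the XPath once: *[System[EventRecordID=1 or EventRecordID=2]]
        # (FilterHashtable has no RecordId key, so XPath is the way to filter on it)
        $clauses = $RecordId | ForEach-Object { "EventRecordID=$_" }
        $xpath   = "*[System[$($clauses -join ' or ')]]"
        $events  = Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction Stop
    } else {
        $events  = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop
    }

    foreach ($evt in $events) {
        # UserId is a SecurityIdentifier, or $null when the provider did not stamp
        # a <Security UserID="..."/> on the record (common for classic providers).
        $sid      = $evt.UserId
        $sidValue = $null
        $account  = $null
        if ($sid) {
            $sidValue = $sid.Value
            try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = '<unresolved>' }   # deleted account or SID from an untrusted domain
        }

        # Cross-check against the raw XML, the way the first answer reads it.
        [xml]$xml = $evt.ToXml()
        $xmlSid   = $xml.Event.System.Security.UserID

        [pscustomobject]@{
            RecordId    = $evt.RecordId
            TimeCreated = $evt.TimeCreated
            Id          = $evt.Id
            Provider    = $evt.ProviderName
            UserSid     = $sidValue
            XmlSid      = $xmlSid
            Account     = $account
        }
    }
}

# Usage: the record from the question, then the 20 most recent Application events.
Get-EventSecurityUserId -LogName Application -RecordId 570080
Get-EventSecurityUserId -LogName Application -MaxEvents 20 | Format-Table -AutoSize
```

UserSid and XmlSid should always agree; the XML path is only useful when you already hold the event XML from another source (as in the first answer) or when a provider writes the SID in EventData rather than in the System block, in which case UserId is empty and you must read the XML.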