2

I am trying to convert an event log file (.evtx) to XML using PowerShell (and later read this XML in a C# program). I am running the script

get-winevent -Path "C:\test.evtx" -oldest | convertto-xml -as Stream > "C:\test.xml"

but the resultant xml file has many events whose 'Message' field is EMPTY. If I open the same .evtx in Windows Event viewer, I can see messages of all events.

Though this problem is reported and people have talked about it (here & here), I am unable to find a solution / workaround for this.

Can anyone please tell me if there is something new available on this issue, or any information that might be helpful?

PS: I am using PowerShell version 2.0.

2
  • You said in Windows Event viewer, I can see messages of all events... is there any special character (including comparison signs) in the messages that are missing in the XML? Commented Dec 4, 2012 at 12:55
  • @YannickBlondeau: Thanks for your comment. I can actually check if there are any special characters in the messages, but I should say, the same event log is properly converted to XML (i.e. with no missing messages) on a different machine with 2008 R2 OS. Whereas, on my Windows 7 machine, this issue is happening.
    – ViV
    Commented Dec 5, 2012 at 2:58

3 Answers 3

3

Maybe you forgot to mention the depth to which PowerShell should recurse into and create an XML representation of the Object; the default value for depth is 1. Something like below should work:

get-winevent -Path "C:\test.evtx" -oldest | convertto-xml -as Stream -depth 10 > "C:\test.xml"
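An added example, not taken from the question or any of the answers, that combines the -Depth fix with a fallback for events whose Message cannot be rendered (typically because the provider's message resources are not installed on the exporting machine): the raw event XML from ToXml() is kept instead, so the event data still reaches the C# side, and the count of unrendered messages is reported rather than left as silent blanks. The two paths are assumed placeholders, and the script avoids PowerShell 3.0-only syntax so it runs on the asker's 2.0.

```powershell
# Added example; not the original poster's script. Paths are assumed placeholders.
param(
    [string]$EvtxPath = 'C:\test.evtx',   # assumed input .evtx
    [string]$OutPath  = 'C:\test.xml',    # assumed output file
    [int]$Depth       = 10                # default ConvertTo-Xml depth is 1
)

$events = Get-WinEvent -Path $EvtxPath -Oldest

$rows = foreach ($e in $events) {
    $rendered = -not [string]::IsNullOrEmpty($e.Message)
    $msg = $e.Message
    if (-not $rendered) {
        # Message could not be formatted on this machine; keep the event's own
        # XML, which still carries the <EventData>/<UserData> values.
        $msg = $e.ToXml()
    }
    # New-Object instead of [PSCustomObject] so this works on PowerShell 2.0.
    New-Object PSObject -Property @{
        RecordId        = $e.RecordId
        TimeCreated     = $e.TimeCreated
        ProviderName    = $e.ProviderName
        Id              = $e.Id
        Level           = $e.LevelDisplayName
        Message         = $msg
        MessageRendered = $rendered
    }
}

# -Depth keeps nested properties; -NoTypeInformation drops the Type attributes
# that the C# reader does not need.
$rows | ConvertTo-Xml -As Stream -Depth $Depth -NoTypeInformation |
    Out-File -FilePath $OutPath -Encoding UTF8

# Make the gap visible: how many events fell back to raw XML.
$total   = @($rows).Count
$missing = @($rows | Where-Object { -not $_.MessageRendered }).Count
"Exported $total events to $OutPath; $missing had no renderable Message (raw XML kept)."
```

Comparing the MessageRendered flag between the Windows 7 and 2008 R2 exports shows directly which providers' message resources the Windows 7 machine lacks.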

1

I noticed you said you wanted to read an eventlog in PS > xml to the process in C#. I'm just reading the .evtx files in C# directly:

using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

class Program
{
    // Enumerate the records of an .evtx file, optionally filtered by an XPath query.
    static IEnumerable<EventLogRecord> LogRecordCollection(string filename, string xpathquery = "*")
    {
        var eventLogQuery = new EventLogQuery(filename, PathType.FilePath, xpathquery);

        using (var eventLogReader = new EventLogReader(eventLogQuery))
        {
            EventLogRecord eventLogRecord;

            while ((eventLogRecord = (EventLogRecord)eventLogReader.ReadEvent()) != null)
                yield return eventLogRecord;
        }
    }

    static void Main(string[] args)
    {
        var path = "file.evtx";
        var start = new DateTime(2013, 06, 26, 0, 0, 0);
        var end = new DateTime(2013, 06, 27, 0, 0, 0);
        var t = from l in LogRecordCollection(path)
                where l.TimeCreated > start
                   && l.TimeCreated < end
                select l;
        foreach (var item in t)
        {
            // Some records carry no properties or a null first value; skip them instead of throwing.
            if (item.Properties.Count == 0 || item.Properties[0].Value == null)
                continue;

            var msg = item.Properties[0].Value.ToString();
            if (msg.Contains("[interesting key]"))
            {
                Console.Write(item.TimeCreated);
                Console.Write(";");
                Console.Write(item.TaskDisplayName);
                Console.Write(";");
                Console.Write(item.ProviderName);
                Console.Write(";");
                Console.Write(msg);
                Console.Write(";");
                Console.WriteLine();
            }
        }
        Console.Read();
    }
}
0

Try this, tell me how it works.

$Objects = Get-WinEvent -MaxEvents 10 | ConvertTo-Xml -NoTypeInformation
$Objects.Objects.Object | Select -ExpandProperty Property

EDIT: Sorry I forgot about the whole 'wanting it in a file'...

$Objects = Get-WinEvent -MaxEvents 10 | ConvertTo-Xml -NoTypeInformation -As Stream > C:\Test.xml
