I'm trying to figure it out how to read Event ID 1085 in Event Viewer - Details - EventData - DCName
I can read from the System part of the XML but I cannot figure out how to read from EventData
So far I have
$filter = @{
LogName = 'System'
ID=1085
}
[xml[]]$xml = Get-WinEvent -filterHashTable $filter -MaxEvents 10 -ComputerName SERVER | %{$_.ToXml()}
$events = $xml | Select-Xml '//x:Event' -Namespace @{ x = 'http://schemas.microsoft.com/win/2004/08/events/event' } | Select-Object -ExpandProperty Node
$events.System.Computer <# -- This works #>
$events.EventData.DCName <# -- This is not working #>
Any advice would be much appreciated.
Thank you
To get the DCName, you have to dig a little deeper in the XML:
$result = Get-WinEvent -FilterHashtable @{LogName = 'System'; ID=1085} -MaxEvents 10 -ComputerName SERVER | ForEach-Object {
# convert the event to XML and grab the Event node
$eventXml = ([xml]$_.ToXml()).Event
# output a PsCustomObject to collect $result
[PsCustomObject]@{
Computer = $eventXml.System.Computer
DCName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'DCNAME' }).'#text'
}
}
# output on screen
$result
$eventXml.EventData.Data returns an array of nodes and you are interested in the one that has DCName in its Name attribute, so we need to filter with a Where-Object clause