How to convert Event Viewer data to XML for filtration and get rid of DocumentElement node error?
There was an answer posted here to one of my questions: https://stackoverflow.com/a/74994896/20682592
the code is this:
$a = Get-WinEvent @{ LogName='Security' } -maxevents 1
$xml = [xml]$a.toxml()
$xml.event.eventdata.data
what I want to do is to show all the events in the Security log with ID 5152 and then filter out the output of it based on filter origin value.
so I changed it to this:
$a = Get-WinEvent @{ LogName='Security'; Id=5152; }
$xml = [xml]$a.toxml()
$xml.event.eventdata.data | Where-Object {$_.FilterOrigin -ne "Stealth"}
but it doesn't work like I want, doesn't filter out events whose filterOrigin is Stealth and also gives me this error:
InvalidArgument: untitled:Untitled-3:3:1
Line |
3 | $xml = [xml]$a.toxml()
| ~~~~~~~~~~~~~~~~~~~~~~
| Cannot convert value "System.Object[]" to type "System.Xml.XmlDocument". Error: "This document already has a 'DocumentElement' node."
the original answer posted in there also shows the same error if I remove -maxevents 1 which I need to do because I don't want to only see 1 event.
how can I make it work?
Update, using Theo comment, I managed to do this:
foreach ($event in (Get-WinEvent -FilterHashtable @{LogName='Security';ID=5152})) {
$xml = [xml]$event.toxml();
$xml.event.eventdata.data | Where-Object {$_.FilterOrigin -ne "Stealth" -or $_.FilterOrigin -ne "Unknown" } | ft -wrap
}
but it's not filtering out FilterOrigins Stealth and Unknown. what am i missing here?
Since you want the name/#text pairs to be an object instead, here's a way to convert it. I'm using the where-object form without the curly braces. The -notmatch regex expression pipe symbol means "or". This way you can treat all the data as one group.
foreach ($event in Get-WinEvent -FilterHashtable @{LogName='Security'}) {
$xml = [xml]$event.toxml();
$xml.event.eventdata.data |
foreach { $hash = @{} } { $hash[$_.name] = $_.'#text' } { [pscustomobject]$hash } |
Where FilterOrigin -notmatch 'stealth|unknown|query user|default'
}
- Dom namespace issue
- XML comments and "--"
- Adding a line break in xs:documentation for a xsd schema
- When does Excel surround sheet names with single quotes in workbook.xml (or other xml) files?
- How to import Wikipedia XML dump into MongoDB?
- Application cannot be installed because of multiple FileProviders
- How to convert a .nfo file to .fff file
- How to create custom Insert menu items in dreamweaver?
- XPath for colspan attribute values as browser understands them?
- How to configure custom MediaType in Spring MVC?
- Converting accented characters in varchar() to XML causing "illegal XML character"
- XML transformation - duplicate node and concat string to existing tag values
- Find everything between two XML tags with RegEx
- XSLT replace function in Firefox
- Trying to use the DOMParser with node js
- Logging custom elements Zend Log Formatter XML
- Parse XML in Haskell
- How to simplify xml so it isn't so long in the <BuildVerification> tag area
- Cannot get SOAP envelope body using Retrofit 2 and Simple XML Converter
- ElementTree findall() returning empty list
- How to use getElement while parsing xml in Flutter
- With Python, fetch in Excel file the value of a cell in a row where a cell in the same row contains the character string from an xml file
- TestNG XML configuration file DTD "test" tag error
- xpath expression not working in Logic Apps
- validating a xml doc in groovy
- How to rename a file in C#
- How to add facebook's new comment system to blogger?
- Order of XML nodes from document preserved in insert?
- Change dot color selection field
- Difference between description and content:encoded tags in RSS2