powershell: get-winevent doesn't have message data?

Question

powershell: get-winevent doesn't have message data?

When I run the script below to extract the log files, the "message" get-winevent field remains empty, but contains data if I run get-eventlog. Any ideas why?

#has message data Get-Eventlog -LogName application -Newest 10 #date 10 days ago $EventStartDate = get-date("10 May 2012") $EventEndDate = get-date("11 May 2012") $EventLogNames = @("Application", "system") #critea for winevent $EventCritea = @{logname = $EventLogNames; StartTime=$EventStartDate; EndTime=$EventEndDate} #Retrieves the event log $RetreivedEvents = Get-WinEvent -computername localhost -FilterHashtable $EventCritea $RetreivedEvents | fl id, logname, MachineName, Message, TimeCreated

+5

powershell event-log event-viewer

resolver101 May 10, '12 at 13:25

source share

6 answers

Richard · Answer 1 · 2012-07-09T14:44:57+0000

What locale do you work in?

There is a .NET error where the base .NET method (used by Get-WinEvent ) does not populate localized fields (e.g. Message ) in some locales (e.g. en-GB ).

Fix - switch to en-US for the command:

 $orgCulture = Get-Culture [System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US" # Perform Get-WinEvent [System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture

Victor ashiedu · Answer 2 · 2014-11-27T09:29:38+0000

I believe this is due to the fact that messages are hidden in the property value. To display all messages, translate get-winevent into a select statement with the following expressions:

 @{Label='Messages';Expression={$_.properties.Value}}

If you want to display a specific message, for example, Logon Process (in security logs), use the expression:

 @{Label='Logon Process';Expression={$_.properties.Value[3]}}

Chadddada · Answer 3 · 2012-05-11T01:18:13+0000

I know that I saw how get-winevent did not work on Windows Server 2003 in the past when I tried it. Basically, the PS environment said get-winevent did not work in 2003. Then it could be PS v1, so I'm not sure if it was allowed with newer versions of PS: now I'm on 2K8 R2.

On my

Djarid · Answer 4 · 2012-07-09T12:19:18+0000

Which PSHost are you using?

I have a problem with PS V2.0 running on Windows 7, access to W2k8. If you run the Powershell console or inside PowerShell ISE, it retrieves all the data. However, if executed in the workspace or from PowerGUI (pro), it returns only a partial subset that does not include the Message property.

[EDIT] Richard post allows me to get around the problem, but it’s very strange, because the culture in the working console PS is “en-GB”, and the culture in the inactive PowerGui Script editor is “en-GB”, which only works if I change the culture to "en-US".

Freaky

Yasir · Answer 5 · 2014-01-02T16:45:55+0000

For me, the following line worked at the top of my script (taken from a Richards code snippet);

 [System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"

Patrick e · Answer 6 · 2018-04-13T16:34:04+0000

[PS 2.0] Note that changing the culture is only valid for the current pipeline. See Gotchas Culture

Thus, the command to temporarily change culture + get-winevent should be grouped either into a script block (enclosed in "{...}"), or on one line separated by ";".

I discovered this when I tried to use get-winevent in the syslog on Server 2008. Messages appeared blank and I needed to change the culture from nl-BE to en-US.

powershell: get-winevent doesn't have message data?

More articles: