en-US/EventLogConverter-help.xml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml" xmlns="http://msh">
  <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
    <command:details>
      <command:name>ConvertTo-EvtObject</command:name>
      <command:verb>ConvertTo</command:verb>
      <command:noun>EvtObject</command:noun>
      <maml:description>
        <maml:para>This cmdlet converts Event objects into flat Evt objects</maml:para>
      </maml:description>
    </command:details>
    <maml:description>
      <maml:para>This cmdlet takes input of standard event records as produced by Get-WinEvent or the XML output from Windows event viewer and converts them into a flatter object structure that is easier to query and to extract data from.</maml:para>
    </maml:description>
    <command:syntax>
      <command:syntaxItem>
        <maml:name>ConvertTo-EvtObject</maml:name>
        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="none">
          <maml:name>InputObject</maml:name>
          <maml:Description>
            <maml:para>A standard Windows Event Log record, such as the output from Get-WinEvent or the XML output from Windows event viewer.</maml:para>
          </maml:Description>
          <command:parameterValue required="true" variableLength="false">Object[]</command:parameterValue>
          <dev:type>
            <maml:name>Object[]</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
      </command:syntaxItem>
    </command:syntax>
    <command:parameters>
      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="none">
        <maml:name>InputObject</maml:name>
        <maml:Description>
          <maml:para>A standard Windows Event Log record, such as the output from Get-WinEvent or the XML output from Windows event viewer.</maml:para>
        </maml:Description>
        <command:parameterValue required="true" variableLength="false">Object[]</command:parameterValue>
        <dev:type>
          <maml:name>Object[]</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
    </command:parameters>
    <command:inputTypes>
      <command:inputType>
        <dev:type>
          <maml:name>System.Object[]</maml:name>
        </dev:type>
        <maml:description>
          <maml:para></maml:para>
        </maml:description>
      </command:inputType>
    </command:inputTypes>
    <command:returnValues>
      <command:returnValue>
        <dev:type>
          <maml:name>System.Object</maml:name>
        </dev:type>
        <maml:description>
          <maml:para></maml:para>
        </maml:description>
      </command:returnValue>
    </command:returnValues>
    <maml:alertSet>
      <maml:alert>
        <maml:para></maml:para>
      </maml:alert>
    </maml:alertSet>
    <command:examples>
      <command:example>
        <maml:title>-------------------------- Example 1 --------------------------</maml:title>
        <dev:code>PS C:\&gt; [xml]$events = Get-Content C:\Users\User\Desktop\eventexport.xml
PS C:\&gt; ConvertTo-EvtObject $events
 
ProviderName : Microsoft-Windows-Security-Auditing
ProviderGuid : {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID : 4624
Version : 2
Level : 0
Task : 12544
Opcode : 0
Keywords : 0x8020000000000000
TimeCreatedSystemTime : 2019-06-06T09:54:39.488885200Z
EventRecordID : 245041
CorrelationActivityID : {D8BF886D-19F4-0000-8288-BFD8F419D501}
ExecutionProcessID : 584
ExecutionThreadID : 2760
Channel : Security
Computer : WIN-90CID1J2CS5.carisbrookelabs.local
SubjectUserSid : S-1-0-0
SubjectUserName : -
SubjectDomainName : -
SubjectLogonId : 0x0
TargetUserSid : S-1-5-18
TargetUserName : WIN-90CID1J2CS5$
TargetDomainName : CARISBROOKELABS.LOCAL
TargetLogonId : 0x1c8cb49
LogonType : 3
LogonProcessName : Kerberos
AuthenticationPackageName : Kerberos
WorkstationName : -
LogonGuid : {1B89B270-CD8E-CD3F-22E5-1DB88383FB10}
TransmittedServices : -
LmPackageName : -
KeyLength : 0
ProcessId : 0x0
ProcessName : -
IpAddress : fe80::7180:bb16:703d:28ca
IpPort : 52564
ImpersonationLevel : %%1840
RestrictedAdminMode : -
TargetOutboundUserName : -
TargetOutboundDomainName : -
VirtualAccount : %%1843
TargetLinkedLogonId : 0x0
ElevatedToken : %%1842</dev:code>
        <dev:remarks>
          <maml:para>In this example we exported a single event to an XML file from Windows event viewer and passed it to ConvertTo-EvtObject via a variable.</maml:para>
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>-------------------------- Example 2 --------------------------</maml:title>
        <dev:code>PS C:\&gt; Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" -MaxEvents 1 | ConvertTo-EvtObject
 
 
ProviderName : Microsoft-Windows-Security-Auditing
ProviderGuid : {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID : 4624
Version : 2
Level : 0
Task : 12544
Opcode : 0
Keywords : 0x8020000000000000
TimeCreatedSystemTime : 2019-06-06T09:54:39.488885200Z
EventRecordID : 245041
CorrelationActivityID : {D8BF886D-19F4-0000-8288-BFD8F419D501}
ExecutionProcessID : 584
ExecutionThreadID : 2760
Channel : Security
Computer : WIN-90CID1J2CS5.carisbrookelabs.local
SubjectUserSid : S-1-0-0
SubjectUserName : -
SubjectDomainName : -
SubjectLogonId : 0x0
TargetUserSid : S-1-5-18
TargetUserName : WIN-90CID1J2CS5$
TargetDomainName : CARISBROOKELABS.LOCAL
TargetLogonId : 0x1c8cb49
LogonType : 3
LogonProcessName : Kerberos
AuthenticationPackageName : Kerberos
WorkstationName : -
LogonGuid : {1B89B270-CD8E-CD3F-22E5-1DB88383FB10}
TransmittedServices : -
LmPackageName : -
KeyLength : 0
ProcessId : 0x0
ProcessName : -
IpAddress : fe80::7180:bb16:703d:28ca
IpPort : 52564
ImpersonationLevel : %%1840
RestrictedAdminMode : -
TargetOutboundUserName : -
TargetOutboundDomainName : -
VirtualAccount : %%1843
TargetLinkedLogonId : 0x0
ElevatedToken : %%1842</dev:code>
        <dev:remarks>
          <maml:para>In this example we extract a single 4624 event from the security log and pass it to ConvertTo-EvtObject over the pipeline.</maml:para>
        </dev:remarks>
      </command:example>
    </command:examples>
    <command:relatedLinks />
  </command:command>
</helpItems>