Sometimes Subevents have fields within fields
PrzemyslawKlys opened this issue · 0 comments
PrzemyslawKlys commented
Sometimes SubEvents can have fields within fields.
Log Name: Application
Source: ADSync
Date: 22.02.2019 16:33:55
Event ID: 6946
Task Category: Management Agent Run Profile
Level: Information
Keywords: Classic
User: N/A
Computer: ADConnect.ad.evotec.xyz
Description:
Internal Connector run settings:
Connector name: ad.evotec.xyz
Domain (partition): DC=ad,DC=evotec,DC=xyz
Login User domain: ad.evotec.xyz
Login User name: MSOL_6f0d1d4965ec
Whistler mode: Yes
2008R2 mode: Yes
IsRecycleBinEnabled: No
ACL Security: Yes
Deleted Objects Container: CN=Deleted Objects,DC=ad,DC=evotec,DC=xyz
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ADSync" />
<EventID Qualifiers="16384">6946</EventID>
<Level>4</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-02-22T15:33:55.913603600Z" />
<EventRecordID>244689</EventRecordID>
<Channel>Application</Channel>
<Computer>ADConnect.ad.evotec.xyz</Computer>
<Security />
</System>
<EventData>
<Data>Internal Connector run settings:
Connector name: ad.evotec.xyz
Domain (partition): DC=ad,DC=evotec,DC=xyz
Login User domain: ad.evotec.xyz
Login User name: MSOL_6f0d1d4965ec
Whistler mode: Yes
2008R2 mode: Yes
IsRecycleBinEnabled: No
ACL Security: Yes
Deleted Objects Container: CN=Deleted Objects,DC=ad,DC=evotec,DC=xyz
</Data>
</EventData>
</Event>
While the Data property was extracted by Get-Events and split on new lines, there is still a question of whether we should try to split that data on ':' into a separate hash and put it as properties into the Event. The same could be done with Message, just in case.
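One way to do the split proposed above, as an added example (not code from Get-Events or its module). `ConvertFrom-EventDataText` is a hypothetical helper name, `$record` is a constructed stand-in for an event object, and the sample is the `<Data>` text from the event in this issue, trimmed to a few lines.

```powershell
# Added example: hypothetical helper, not part of Get-Events.
function ConvertFrom-EventDataText {
    param([Parameter(Mandatory)][string] $Text)
    $fields = [ordered]@{}
    $header = $null
    foreach ($line in ($Text -split '\r?\n')) {
        $line = $line.Trim()
        # Split on the FIRST colon only, so a value that contains ':' stays intact.
        $idx = $line.IndexOf(':')
        if ($idx -lt 1) { continue }          # blank line or no "name:" part
        $key   = $line.Substring(0, $idx).Trim()
        $value = $line.Substring($idx + 1).Trim()
        if ($value -eq '') {
            # "Internal Connector run settings:" is a heading, not a field
            $header = $key
            continue
        }
        # Keep the first occurrence if a key repeats
        if (-not $fields.Contains($key)) { $fields[$key] = $value }
    }
    [pscustomobject]@{ Header = $header; Fields = $fields }
}

# Sample taken from the event in this issue (shortened)
[xml] $xml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data>Internal Connector run settings:
Connector name: ad.evotec.xyz
Domain (partition): DC=ad,DC=evotec,DC=xyz
Login User name: MSOL_6f0d1d4965ec
2008R2 mode: Yes
</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-EventDataText -Text $xml.Event.EventData.Data

# Constructed stand-in for an event object returned by Get-Events
$record = [pscustomobject]@{ Id = 6946; ProviderName = 'ADSync' }
foreach ($key in $parsed.Fields.Keys) {
    # Do not overwrite a property the event already has
    if ($null -eq $record.PSObject.Properties[$key]) {
        $record | Add-Member -NotePropertyName $key -NotePropertyValue $parsed.Fields[$key]
    }
}
$record | Format-List
```

Property names that contain spaces or parentheses, such as `Domain (partition)`, have to be quoted when read back: `$record.'Domain (partition)'`.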