
I have an XML file generated from a server log, which contains nodes. These nodes can look like either <Version>0</Version> or <Data Name="LogonType">3</Data>. I have the XML loaded into the $xmlData variable. When I try to access the former, $xmlData.Event.System.Version, it displays 0 (= correct). But if I try to do that with the latter, $xmlData.Event.EventData.LogonType, it does not display anything. How does one access the latter?

I did put the variable with the loaded XML into a foreach and cycled over it to find out the names of the objects it creates for the foreach, so the name of the latter should be correct. This way you can get the data from it. How do you get data from the latter directly?

I have included an example of my XML file, but I was unable to format it into a viewer-friendly form (not one long line; Enter broke the code).

<Event><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/><EventID>4624</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2018-04-18T04:51:55.703563800Z"/><EventRecordID>585</EventRecordID><Correlation/><Execution ProcessID="640" ThreadID="5608"/><Channel>Security</Channel><Computer>Computer name</Computer><Security/></System><EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="SubjectUserName">-</Data><Data Name="SubjectDomainName">-</Data><Data Name="SubjectLogonId">0x0</Data><Data Name="TargetUserSid">user-id</Data><Data Name="TargetUserName">UserAcc</Data><Data Name="TargetDomainName">DomainName</Data><Data Name="TargetLogonId">tlogId</Data><Data Name="LogonType">3</Data><Data Name="LogonProcessName">Nt </Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WorkstationName</Data><Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="TransmittedServices">-</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="KeyLength">keyL</Data><Data Name="ProcessId">0x0</Data><Data Name="ProcessName">-</Data><Data Name="IpAddress">IpAddress</Data><Data Name="IpPort">IpPort</Data></EventData></Event>

1 Answer

"LogonType" is an attribute value; you cannot access it like a node or an attribute.

If I understood the question correctly, you can use a pipe and filter to read the value of the Data node whose Name attribute value is "logontype" (tested with PowerShell 5):

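# A here-string must start on a new line after @" and end with "@ at the start of a line
$xml = [xml]@"
...your xml...
"@
# Keep only the Data node whose Name attribute is LogonType, then emit its text
$xml.Event.EventData.Data | ? Name -eq LogonType | % innertext
# output 3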

3 Comments

Thank you, this is exactly what I needed. Would you mind explaining what % innertext is? The rest is clear to me.
% is an alias for ForEach-Object. For example, all of these syntaxes produce the same output: Get-Process | ForEach-Object {$_.ProcessName} or Get-Process | % { $_.ProcessName } or Get-Process | % ProcessName
And in this case it was ForEach-Object from $xml.Event.EventData.Data | ? Name -eq LogonType. Yup, that's it, thanks a lot.
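
An added example, not part of the original answer or comments: it reads the same field with an XPath lookup and then flattens every named Data element into one object so that `$evt.LogonType` works directly. The sample XML is a constructed, trimmed copy of the event in the question, and the function name `ConvertFrom-EventData` is an assumption made for illustration.

```powershell
# Constructed sample: a trimmed copy of the 4624 event from the question.
[xml]$xml = @'
<Event><System><EventID>4624</EventID><Version>0</Version></System>
<EventData>
<Data Name="TargetUserName">UserAcc</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
</EventData></Event>
'@

# Direct lookup with XPath. local-name() keeps the query working when the
# XML carries a default namespace, which would otherwise need a namespace manager.
$node = $xml.SelectSingleNode("//*[local-name()='Data'][@Name='LogonType']")
$node.InnerText

# Hypothetical helper (the name is an assumption): turn every named <Data>
# element into a property so fields can be read as $evt.LogonType.
function ConvertFrom-EventData {
    param([Parameter(Mandatory)][xml]$EventXml)
    $fields = [ordered]@{}
    # SelectNodes returns real XmlElement objects, and [@Name] skips unnamed <Data> nodes.
    $xpath = "//*[local-name()='EventData']/*[local-name()='Data'][@Name]"
    foreach ($d in $EventXml.SelectNodes($xpath)) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$fields
}

$evt = ConvertFrom-EventData -EventXml $xml
$evt.LogonType

# With flat properties, filtering logon events becomes an ordinary pipeline:
# here, network logons (type 3) that authenticated with NTLM.
$evt | Where-Object { $_.LogonType -eq '3' -and $_.AuthenticationPackageName -eq 'NTLM' } |
    Select-Object TargetUserName, LogonType, AuthenticationPackageName
```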
