I am exporting windows Application event logs to XML from one of my servers for offline analysis. I am able to do this…but when I do, I lose the "General" description information. Here is an example event. In the windows event log viewer, it displays the following as a general description:
Application 'C:\Program Files (x86)\Mountain Duck\Mountain Duck.exe'
(pid 2940) cannot be restarted – Application SID does not match
Conductor SID..
However when I export to XML, this is all I get:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-RestartManager' Guid='{0888E5EF-9B98-4695-979D-E92CE4247224}'/>
<EventID>10010</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2016-04-07T20:00:10.245609600Z'/>
<EventRecordID>6889</EventRecordID>
<Correlation/>
<Execution ProcessID='3868' ThreadID='4016'/>
<Channel>Application</Channel>
<Computer>WIN-8S18ONBFAEP</Computer>
<Security UserID='S-1-5-21-3589301003-3870519012-1491501718-500'/>
</System>
<UserData>
<RmUnsupportedRestartEvent xmlns='http://www.microsoft.com/2005/08/Windows/Reliability/RestartManager/'>
<RmSessionId>0</RmSessionId>
<Pid>2940</Pid>
<FullPath>C:\Program Files (x86)\Mountain Duck\Mountain Duck.exe</FullPath>
<DisplayName>Mountain Duck</DisplayName>
<AppVersion>0</AppVersion>
<AppType>0</AppType>
<TSSessionId>2</TSSessionId>
<Status>67108865</Status>
<Reason>1</Reason>
</RmUnsupportedRestartEvent>
</UserData>
</Event>
Is there any way to include the descriptive text when saving event logs? I've tried every search I can think of, and can't seem to find anything.
Best Answer
Powershell