powershell: get-winevent has no message data?
When I run the script below to retrieve log files, the get-winevent "message" field is blank, but has data if I run get-eventlog. Any ideas why?
#has message data
Get-Eventlog -LogName application -Newest 10
#date 10 days ago
$EventStartDate = get-date("10 May 2012")
$EventEndDate = get-date("11 May 2012")
$EventLogNames = @("Application", "system")
#critea for winevent
$EventCritea = @{logname = $EventLogNames; StartTime=$EventStartDate; EndTime=$EventEndDate}
#Retrieves the event log
$RetreivedEvents = Get-WinEvent -computername localhost -FilterHashtable $EventCritea
$RetreivedEvents | fl id, logname, MachineName, Message, TimeCreated
Answer
What locale are you running under?
There is a .NET bug where the underlying .NET method (that Get-WinEvent uses) fails to populate localised fields (like Message) in some locales (like en-GB).
Fix is to switch to en-US for the command:
$orgCulture = Get-Culture
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
# Perform Get-WinEvent
[System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture