Filtering with XML in the Windows Event Viewer
You can perform custom XML search query to look for specific Event ID
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4624) and (EventRecordID=2677922)]]
</Select>
</Query>Here is an example
Filtering Windows Events with XML in PowerShell
$xmlQuery = @'
>> <QueryList>
>> <Query Id="0" Path="Security">
>> <Select Path="Security">
>> *[System[(EventID=4624) and (EventRecordID=2677922)]]
>> </Select>
>> </Query>
>> </QueryList>
>> '@
Get-WinEvent -FilterXml $xmlQuery | Format-List *And to put it in syslog format so better analysis
$eventLogs = Get-WinEvent -FilterXml $xmlQuery | Select-Object *
foreach ($event in $eventLogs) {
>> $syslogFormat = @"
>> {
>> "timestamp": "$($event.TimeCreated.ToString("yyyy-MM-ddTHH-mm-ss.fffZ") -replace "`r`n", "\r\n\r\n")",
>> "event_id": "$($event.Id -replace "`r`n", "\r\n\r\n")",
>> "provider": "$($event.ProviderName -replace "`r\n", "\r\n\r\n")",
>> "record_id": "$($event.RecordId -replace "\s+", "\r\n\r\n")",
>> "message": "$($event.Message -replace "`r`n", "\r\n\r\n")"
>> }
>> "@
>> Write-Output $syslogFormat
>> }
>>Here is an output example: