Ask : Filtering event log using event data

This topic contains 2 replies, has 3 voices, and was last updated by Profile photo of Matt Bloomfield Matt Bloomfield 3 months ago.

  • Author
    Posts
  • #69651
    Profile photo of ynz
    ynz
    Participant

    Hi all,
    i wanna ask about filtering event log in windows 7 using powershell.

    i have allready searching about it, but usually people filtering just using general information such as logname, keywords, event id and etc.

    the thing is i wanna filtering using access list, and combine it with event id
    for example about access list like picture below :
    example access list

    i really appreciate all suggestion and help,
    thank in advance

  • #69739
    Profile photo of Roy Atkins
    Roy Atkins
    Participant

    You'll need to use Get-WinEvent. I can't see the log or full provider name, so I'll use another example.

    You can use a variety of filters in the hash, including id=, logname=, etc. to get the events you're after. I'm using a date.

    Get-WinEvent -FilterHashTable @{ProviderName='Service Control Manager'; StartTime=""} |
       % {([xml]$_.ToXml()).Event.EventData.Data}
    
  • #69715
    Profile photo of Matt Bloomfield
    Matt Bloomfield
    Participant

    Ashely McGlone (GoateePFE) has posted some really excellent content on Event Log filtering:

    TechNet Blogs

    Microsoft Virtual Academy
    Skip to the Forensic Investigations and Lockouts section, then Event Logs

You must be logged in to reply to this topic.