Powershell Get-WinEvent -LogName ForwardedEvents

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 8 months ago.

  • #34546
    Petr Poleshko
    Participant

    Hello,

    On Comp1 I have ForwardedEvents grabbed from the remote machine Comp2.

    Get-WinEvent -computername Comp2 -FilterHashtable @{logname='Security';id=4776}
    Get-WinEvent -FilterHashtable @{logname='ForwardedEvents';id=4776}
    

    So, these two lines of code return the same event record (one from remote machine Comp2 and one from ForwardedEvents logname on local machine Comp1).

    But if I need to get all the "Audit Failure" events from remote host, I use:

    Get-WinEvent -ComputerName Comp2 -FilterHashtable @{LogName='Security';Keywords=4503599627370496}
    

    If I use the same approach for the local ForwardedEvents log name, I get an error:

    PS C:\> Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370496}
    Get-WinEvent : No events were found that match the specified selection criteria.
    At line:1 char:1
    + Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
    

    My question is: is there a way to filter the ForwardedEvents log name with FilterHashtable and the Keywords parameter to get the "Audit Failure" events?

    P.S. Yes, I'm still able to use "Invoke-Command -ComputerName" and "Get-WinEvent -ComputerName", but both of these take longer to return a result, and in my experience using FilterHashtable returns results faster.

    Thanks,

    #34578
    Don Jones
    Keymaster

    I'm honestly not sure. What you're running into is less a PowerShell thing than you might think; the filter hash isn't being processed by the shell, it's just being passed to the underlying log architecture. The reason that's good to know is it might be worth diving into MSDN to look at the underlying .NET code documentation – you might come up with more details, there.

    But I've seen problems before with ForwardedEvents, where the filtering doesn't seem to behave the same way. And I noticed you asked on Ed's blog, too, so we'll see if he has any ideas.
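As an added example (not code from either poster), two ways to ask the log service for Audit Failure records from the forwarded log that do not rely on the FilterHashtable Keywords key: an XPath query using the event log's band() function on System/Keywords, and a client-side check of the Keywords bit as a fallback when the log does not honour the server-side filter. The function name Get-ForwardedAuditFailure is hypothetical; the keyword value 4503599627370496 and event ID 4776 are the ones from the question.

```powershell
# Added example, not from the original thread. Audit Failure keyword from the
# question: 0x10000000000000 = 4503599627370496.
$AuditFailure = [long]0x10000000000000

function Get-ForwardedAuditFailure {
    [CmdletBinding()]
    param(
        [string]$LogName   = 'ForwardedEvents',   # local log holding events forwarded from Comp2
        [int[]]$Id         = @(),                 # optional event IDs, e.g. 4776; empty = all IDs
        [int]$MaxEvents    = 100
    )

    # Server-side filter: XPath evaluated by the event log service, the same form
    # Event Viewer generates for the "Audit Failure" checkbox.
    $clauses = @("band(Keywords,$AuditFailure)")
    if ($Id.Count -gt 0) {
        $clauses += '(' + (($Id | ForEach-Object { "EventID=$_" }) -join ' or ') + ')'
    }
    $xpath = "*[System[" + ($clauses -join ' and ') + "]]"

    $events = Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents `
                           -ErrorAction SilentlyContinue

    # Fallback for the symptom in the question: if the forwarded log returns nothing
    # for the keyword filter, pull by log (and ID) only and test the keyword bit locally.
    # Keywords is a signed Int64 on EventLogRecord, so -band works even when the
    # reserved high bit (0x8000000000000000) is set on audit events.
    if (-not $events) {
        $filter = @{ LogName = $LogName }
        if ($Id.Count -gt 0) { $filter['Id'] = $Id }
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
                               -ErrorAction SilentlyContinue |
                  Where-Object { ($_.Keywords -band $AuditFailure) -ne 0 }
    }
    $events
}

# Usage: failed credential validations (4776) forwarded from Comp2, newest first.
Get-ForwardedAuditFailure -Id 4776 |
    Select-Object TimeCreated, Id, MachineName, KeywordsDisplayNames
```

The client-side fallback reads more records than the XPath form, so cap it with -MaxEvents or add StartTime to the hashtable when the forwarded log is large.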
