
January 29, 2016 at 6:30 am

Hello,

On Comp1 I have ForwardedEvents grabbed from the remote machine Comp2.

Get-WinEvent -computername Comp2 -FilterHashtable @{logname='Security';id=4776}
Get-WinEvent -FilterHashtable @{logname='ForwardedEvents';id=4776}

So, these two lines of code return the same event record (one from remote machine Comp2 and one from ForwardedEvents logname on local machine Comp1).

But if I need to get all the "Audit Failure" events from remote host, I use:

Get-WinEvent -ComputerName Comp2 -FilterHashtable @{LogName='Security';Keywords=4503599627370496}

If I use the same approach for the local ForwardedEvents log name, I get an error:

PS C:\> Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370496}
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

My question is: is there a way to filter the ForwardedEvents log name with FilterHashTable and the Keywords parameter to get the "Audit Failure" events?

P.S. Yes, I'm still able to use "Invoke-Command -ComputerName" and "Get-WinEvent -ComputerName", but both of these take longer to return a result, and in my experience using FilterHashTable returns the result faster.

Thanks,

January 29, 2016 at 2:41 pm

I'm honestly not sure. What you're running into is less a PowerShell thing than you might think; the filter hash isn't being processed by the shell, it's just being passed to the underlying log architecture. The reason that's good to know is that it might be worth diving into MSDN to look at the underlying .NET documentation – you might come up with more details there.

But I've seen problems before with ForwardedEvents, where the filtering doesn't seem to behave the same way. And I noticed you asked on Ed's blog, too, so we'll see if he has any ideas.
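As an added example (not code from either poster), here is one way to check the Audit Failure filter on the collector from the question from three angles: the hashtable form used above, the equivalent explicit XPath that the hashtable is translated into, and a client-side fallback that tests the keyword bit in PowerShell. It assumes it runs on the collector (Comp1 in the thread), that the forwarded records keep their original System/Keywords element, and that the session has rights to read the Security-sourced events; the variable names are arbitrary.

```powershell
# Added example, not from the original thread. Assumes it runs on the collector
# (Comp1) and that the forwarded records still carry their original Keywords value.

# 0x10000000000000 = 4503599627370496 is the Audit Failure keyword bit. .NET exposes
# it as a named constant, so the magic number does not have to be remembered.
$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure

# 1) Hashtable filter, as in the question. -ErrorAction SilentlyContinue turns the
#    "No events were found" terminating error into an empty result instead.
$byHashtable = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Keywords = $auditFailure } `
    -ErrorAction SilentlyContinue

# 2) Explicit XPath with band(): this is the query the hashtable is turned into,
#    so it shows exactly what the event log service evaluates and can be adjusted.
$xpath = "*[System[band(Keywords,$auditFailure)]]"
$byXPath = Get-WinEvent -LogName 'ForwardedEvents' -FilterXPath $xpath -ErrorAction SilentlyContinue

# 3) Client-side fallback: read the log and test the keyword bit in PowerShell.
#    Slower (every record is transferred to the shell), but independent of how the
#    server-side filter interprets the forwarded copies, so it is a useful cross-check
#    when the hashtable and XPath queries return nothing.
$byClient = Get-WinEvent -LogName 'ForwardedEvents' -ErrorAction SilentlyContinue |
    Where-Object { ($_.Keywords -band $auditFailure) -ne 0 }

# Compare the three counts. If the client-side count is non-zero while the other two
# are zero, the server-side filters are not matching the keyword on the forwarded copies.
[pscustomobject]@{
    Hashtable  = @($byHashtable).Count
    XPath      = @($byXPath).Count
    ClientSide = @($byClient).Count
}

# Typical defender use once a working filter is known: failures per source host and
# event ID, which gives a quick triage view across all forwarding clients.
$byClient |
    Group-Object MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The client-side branch is the one to keep only as a diagnostic: on a busy collector it pulls every forwarded record through the pipeline, which is exactly the cost the server-side Keywords filter is meant to avoid.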