Powershell Get-WinEvent -LogName ForwardedEvents

Welcome Forums General PowerShell Q&A Powershell Get-WinEvent -LogName ForwardedEvents

This topic contains 1 reply, has 2 voices, and was last updated by

3 years, 4 months ago.

  • Author
  • #34546

    Topics: 2
    Replies: 1
    Points: 0
    Rank: Member


    On Comp1 i have ForwardedEvents grabbed from remote Comp2.

    Get-WinEvent -computername Comp2 -FilterHashtable @{logname='Security';id=4776}
    Get-WinEvent -FilterHashtable @{logname='ForwardedEvents';id=4776}

    So, these two lines of code return the same event record (one from remote machine Comp2 and one from ForwardedEvents logname on local machine Comp1).

    But if I need to get all the "Audit Failure" events from remote host, I use:

    Get-WinEvent -ComputerName Comp2 -FilterHashtable @{LogName='Security';Keywords=4503599627370496}

    If i use the same way but for local ForwardedEvents logname, i get error:

    PS C:\> Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370496}
    Get-WinEvent : No events were found that match the specified selection criteria.
    At line:1 char:1
    + Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

    My question is: If there is a way to filter logname ForwardedEvents with FilterHashTable with Keywords parameter to get "Audit Failure" events?

    P.S. Yes, I'm still able to use "Invoke-command -computername" and "get-winevent -computername", but these both types take longer to get result back, and in my experience using FilterHashTable returns result faster.


  • #34578

    Topics: 13
    Replies: 4872
    Points: 1,813
    Helping HandTeam Member
    Rank: Community Hero

    I'm honestly not sure. What you're running into is less a PowerShell thing than you might think; the filter hash isn't being processed by the shell, it's just being passed to the underlying log architecture. The reason that's good to know is it might be worth diving into MSDN to look at the underlying .NET code documentation – you might come up with more details, there.

    But I've seen problems before with ForwardedEvents, where the filtering doesn't seem to behave the same way. And I noticed you asked on Ed's blog, too, so we'll see if he has any ideas.

The topic ‘Powershell Get-WinEvent -LogName ForwardedEvents’ is closed to new replies.