
May 14, 2018 at 4:31 pm

I've a set of commands that I run against a set of servers using PSCustomObject to hold all the commands and then Invoke-Command to run them against the servers. One of the commands is Get-WinEvent and previously I used -FilterHashtable to apply filters but had changed to -FilterXML so I can exclude particular EventId. But now I get no data returned when I run the script, only if I run the command directly.

This works

$(Get-Winevent -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]') | Select TimeCreated,Id,LevelDisplayName,Message

This doesn't

$GetData = {
[PSCustomObject]@{
        EventLog = $(Get-WinEvent -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]' | Select TimeCreated , Id, LevelDisplayName, Message)
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $GetData -ErrorAction SilentlyContinue

I used to use this, which did work

$GetData = {
[PSCustomObject]@{
        EventLog = $(Get-WinEvent -FilterHashtable @{logname='application'; level=1,2,3 ; StartTime=(Get-Date).AddDays(-1)} | Select TimeCreated , Id, LevelDisplayName, Message)
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $GetData -ErrorAction SilentlyContinue

Where am I going wrong?

May 16, 2018 at 12:00 am

The first line of code which you mentioned worked for you doesn't work for me. When I run

$(Get-Winevent -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]') | Select TimeCreated,Id,LevelDisplayName,Message

I get an error

Get-WinEvent : Cannot bind parameter 'FilterXml'. Cannot convert value "*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 
86400000]]]*[System[(EventID=9245 or EventID=1008)]]" to type "System.Xml.XmlDocument". Error: "The specified node cannot be inserted as the valid child of this node, 
because the specified node is the wrong type."
At line:1 char:27
+ ...  -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreate ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-WinEvent], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetWinEventCommand

Looking at the help topic for "Get-WinEvent" it suggests that the -FilterXML parameter is looking for an XMLDocument object, but it appears you are feeding it a string.

-FilterXml
Uses a structured XML query to select events from one or more event logs.

Required? true
Position? 1
Default value None
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

When attempting to assign the filter to a type casted variable I get the same error

[System.Xml.XmlDocument]$filter = '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]'
$(Get-Winevent -Filterxml $filter)

Cannot convert value "*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]" to type 
"System.Xml.XmlDocument". Error: "The specified node cannot be inserted as the valid child of this node, because the specified node is the wrong type."
At line:1 char:1
+ [System.Xml.XmlDocument]$filter = '*[System[(Level=1  or Level=2 or L ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException
 
Get-WinEvent : Cannot bind argument to parameter 'FilterXml' because it is null.
At line:2 char:27
+ $(Get-Winevent -Filterxml $filter )
+                           ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.GetWinEventCommand

It appears there is an issue in the formatting that XML doesn't care for. I am not certain exactly what it is, but hopefully this will help you narrow down and pinpoint the issue.

Just curious, why use Invoke-Command when Get-WinEvent uses the -ComputerName parameter?
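
An added example, not part of either post above: a well-formed structured query (`<QueryList>` with `<Select>` and `<Suppress>`) passed to -FilterXml inside the remote script block, with errors captured instead of silenced so an empty result can be told apart from a failed query. It assumes the intent is to select Application-log events of level 1-3 from the last 24 hours and exclude event IDs 9245 and 1008; the server names and the `Error` property are placeholders introduced here.

```powershell
# Added example. $Servers holds placeholder names, not values from the thread.
$Servers = 'SERVER01', 'SERVER02'

$GetData = {
    # -FilterXml expects a complete XML document, not a bare XPath string.
    # <Select> picks events, <Suppress> removes matches from that selection.
    # A literal '<' in the XPath has to be written as &lt; or the XML will not parse.
    $filterXml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Suppress Path="Application">*[System[(EventID=9245 or EventID=1008)]]</Suppress>
  </Query>
</QueryList>
'@

    $events = @()
    $err    = $null
    try {
        # Parse first: a malformed filter fails here with an XML error
        # rather than as a parameter-binding error on Get-WinEvent.
        $null = [xml]$filterXml

        # -ErrorAction Stop turns "no events found" and query errors into
        # exceptions so they are reported instead of silently dropped.
        $events = Get-WinEvent -FilterXml $filterXml -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
    catch {
        $err = $_.Exception.Message
    }

    [PSCustomObject]@{
        EventLog = $events
        Error    = $err
    }
}

# No -ErrorAction SilentlyContinue here: connection failures stay visible too.
Invoke-Command -ComputerName $Servers -ScriptBlock $GetData |
    Select-Object PSComputerName, Error,
        @{ Name = 'EventCount'; Expression = { @($_.EventLog).Count } }
```

A server that returns `EventCount` 0 with a populated `Error` column had a query or access problem; 0 with the "no events were found" message means the filter ran and matched nothing.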