June 10, 2018 at 10:48 pm

Here is the situation, when I try to query more than one event, I get no results, yet I know that there are matching events.

invoke-command -cn ( Get-ADComputer -filter * -searchBase "ou=Domain Controllers,dc=Domain,dc=corp" | Select-Object -expand Name ) -scriptblock { Get-WinEvent -FilterHashtable @{Path="C:\windows\system32\winevt\Logs\*Security*";id= 4720,4738,4722;StartTime="6/04/2018";EndTime="6/08/2018"} | Export-CSV c:\Users\admin\Desktop\resultJC.csv}

Is there an issue with the FilterHashtable? I cannot really set a variable with the event IDs, as I am using invoke-command, so the variable would not pass to the remote servers.

If I run one ID at a time, it works fine. If I try more than one, I get the error that there are no matching events. Would appreciate any ideas on an efficient way to do this. I have 12 DCs and I want to query all the archives with one shot, not have to run each Event ID individually.
Thanks

June 11, 2018 at 5:32 pm

The docs say that ID accepts an array, but not how to specify one. If 1,2,3 isn't it, then try (1,2,3); if that still isn't cutting it, then the underlying provider might not actually want an array. I know -FilterXML provides a lot more flexibility than -FilterHashtable, so you might try using that syntax instead.

I do know the underlying API places limits on what kinds of queries it'll execute. It may be faster, from the API's perspective, to do individual queries for each event ID rather than bundling several together. Given that the underlying log is often in some godawful XML format, managing "OR" queries for multiple event IDs might be pretty intensive.
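As an added example (not code from either poster), this is the multi-ID query written the way the reply suggests, as an explicit XPath OR handed to -FilterXPath, the same expression a -FilterXml <Select> would carry. It also passes the IDs and dates into the remote session with $using: instead of hard-coding them; the OU, the log path and the output path are placeholders taken from the question, and the script assumes PowerShell 3.0 or later on both ends and rights to read the DCs' Security logs.

```powershell
# Added example, not the original poster's code. One remote query per DC that ORs several
# event IDs together in XPath; caller's variables reach the script block via $using:.
$eventIds = 4720, 4722, 4738             # user created / enabled / changed, as in the question
$start    = [datetime]'2018-06-04'
$end      = [datetime]'2018-06-08'

# Placeholder search base from the question; adjust to the real domain
$dcs = Get-ADComputer -Filter * -SearchBase 'ou=Domain Controllers,dc=Domain,dc=corp' |
       Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # $using: copies the caller's variables into the remote session (PowerShell 3.0+)
    $ids  = $using:eventIds
    $fmt  = 'yyyy-MM-ddTHH:mm:ss.000Z'   # XPath compares @SystemTime as an ISO 8601 UTC string
    $from = ([datetime]$using:start).ToUniversalTime().ToString($fmt)
    $to   = ([datetime]$using:end).ToUniversalTime().ToString($fmt)

    # "EventID=4720 or EventID=4722 or ..." : the OR query the reply mentions, spelled out
    $idOr  = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath = "*[System[($idOr) and TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']]]"

    # -Path with a wildcard covers the live Security log and its archived copies;
    # -ErrorAction SilentlyContinue hides the "No events were found" error on quiet DCs
    Get-WinEvent -Path 'C:\Windows\System32\winevt\Logs\*Security*' -FilterXPath $xpath `
                 -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Id, Message
}

# One CSV on the calling machine instead of one file written on each DC
$results | Export-Csv -Path 'C:\Users\admin\Desktop\resultJC.csv' -NoTypeInformation
```

Because the records come back to the caller, the CSV lands locally and carries the MachineName column, so the output from all twelve DCs can be reviewed in one file.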