Trying to query archived event logs, not working but I do not see why


This topic contains 1 reply, has 2 voices, and was last updated by Keymaster 6 months ago.

  • #102208

    Participant
    Points: 1
    Rank: Member

    Here is the situation: when I try to query more than one event, I get no results, yet I know that there are matching events.

    Invoke-Command -ComputerName (Get-ADComputer -Filter * -SearchBase "ou=Domain Controllers,dc=Domain,dc=corp" | Select-Object -ExpandProperty Name) -ScriptBlock {
        Get-WinEvent -FilterHashtable @{ Path = "C:\windows\system32\winevt\Logs\*Security*"; Id = 4720,4738,4722; StartTime = "6/04/2018"; EndTime = "6/08/2018" } |
            Export-Csv c:\Users\admin\Desktop\resultJC.csv
    }

    Is there an issue with the FilterHashtable? I cannot really set a variable with the event IDs, as I am using Invoke-Command, so the variable would not pass to the remote servers.

    If I run one ID at a time, it works fine. If I try more than one, I get the error that there are no matching events. I would appreciate any ideas on an efficient way to do this. I have 12 DCs and I want to query all the archives in one shot, not run each event ID individually.
    Thanks

  • #102283

    Keymaster
    Points: 1,704
    Helping Hand, Team Member
    Rank: Community Hero

    The docs say that ID accepts an array, but not how to specify one. If 1,2,3 isn't it, then try (1,2,3); if that still isn't cutting it, then the underlying provider might not actually want an array. I know -FilterXML provides a lot more flexibility than -FilterHashtable, so you might try using that syntax instead.

    I do know the underlying API places limits on what kinds of queries it'll execute. It may be faster, from the API's perspective, to do individual queries for each event ID rather than bundling several together. Given that the underlying log is often in some godawful XML format, managing "OR" queries for multiple event IDs might be pretty intensive.
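A worked version of the reply's -FilterXml suggestion, added here as an example and not code from either poster: the ID list is copied into the remote session with $using:, the OR clause is generated from that array, and the events come back to the caller so a single CSV is written locally instead of one per DC. The Archive-Security-*.evtx file name pattern, the UTC date handling and PowerShell 3.0+ on both ends are assumptions.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+ on both ends
# (for $using:), the OU from the question, and archived Security logs named
# Archive-Security-*.evtx in the default winevt\Logs folder on each DC.
$ids   = 4720, 4722, 4738      # user created, user enabled, user changed
$start = (Get-Date '2018-06-04').ToUniversalTime()
$end   = (Get-Date '2018-06-08').ToUniversalTime()

$dcs = Get-ADComputer -Filter * -SearchBase 'ou=Domain Controllers,dc=Domain,dc=corp' |
       Select-Object -ExpandProperty Name

$events = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # $using: copies the caller's variables into the remote session.
    $idClause = ($using:ids | ForEach-Object { "EventID=$_" }) -join ' or '
    # @SystemTime in the log is UTC; use the same shape Event Viewer generates.
    $from = ($using:start).ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")
    $to   = ($using:end).ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")

    # Resolve the archive files on the DC itself rather than relying on a
    # wildcard inside the hashtable Path value.
    Get-ChildItem 'C:\Windows\System32\winevt\Logs\Archive-Security-*.evtx' |
    ForEach-Object {
        $file = $_.FullName
        # One XPath query per file: explicit OR over the IDs plus a time window.
        $query = @"
<QueryList>
  <Query Id="0" Path="file://$file">
    <Select Path="file://$file">
      *[System[($idClause) and
        TimeCreated[@SystemTime&gt;='$from' and @SystemTime&lt;='$to']]]
    </Select>
  </Query>
</QueryList>
"@
        # "No events were found" is a non-terminating error for a file with no
        # matches; suppress it so the loop moves on to the next file and DC.
        Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue
    }
} | Select-Object PSComputerName, TimeCreated, Id, Message

# Export once on the machine running the script; Export-Csv inside the
# scriptblock would write a separate file on each DC instead.
$events | Export-Csv -Path "$env:USERPROFILE\Desktop\resultJC.csv" -NoTypeInformation
```

The same filter can also be expressed in hashtable form with Id = $using:ids and Path = $file, which is the array syntax the reply refers to.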

The topic ‘Trying to query archived event logs, not working but I do not see why’ is closed to new replies.