Trying to query archived event logs, not working but I do not see why


  • #102208


    Here is the situation: when I try to query more than one event, I get no results, yet I know that there are matching events.

     # Runs Get-WinEvent on every DC found in the OU; the FilterHashtable keys are Path, Id, StartTime and EndTime,
     # with Id given as an array of three event IDs. The Export-Csv path is on each remote DC, not on the caller.
     Invoke-Command -ComputerName ( Get-ADComputer -Filter * -SearchBase "ou=Domain Controllers,dc=Domain,dc=corp" | Select-Object -ExpandProperty Name ) -ScriptBlock {
         Get-WinEvent -FilterHashtable @{ Path = "C:\windows\system32\winevt\Logs\*Security*"; Id = 4720, 4738, 4722; StartTime = "6/04/2018"; EndTime = "6/08/2018" } |
             Export-Csv c:\Users\admin\Desktop\resultJC.csv -NoTypeInformation
     }

    Is there an issue with the FilterHashtable? I cannot really set a variable with the event IDs, as I am using Invoke-Command, so the variable would not pass to the remote servers.

    If I run one ID at a time, it works fine. If I try more than one, I get the error that there are no matching events. I would appreciate any ideas on an efficient way to do this. I have 12 DCs and I want to query all the archives in one shot, not have to run each Event ID individually.

  • #102283

    Don Jones

    The docs say that ID accepts an array, but not how to specify one. If 1,2,3 isn't it, then try (1,2,3); if that still isn't cutting it, then the underlying provider might not actually want an array. I know -FilterXML provides a lot more flexibility than -FilterHashtable, so you might try using that syntax instead.

    I do know the underlying API places limits on what kinds of queries it'll execute. It may be faster, from the API's perspective, to do individual queries for each event ID rather than bundling several together. Given that the underlying log is often in some godawful XML format, managing "OR" queries for multiple event IDs might be pretty intensive.
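    Added worked example (editor's code, not from either post above): it queries the three account-management events from the thread (4720 created, 4722 enabled, 4738 changed) in the archived Security logs on every DC, and shows both filter forms Don mentions: the hashtable with Id as an array, and an explicit XPath OR built from the same list. Variables reach the remote script block through $using:, so the ID list does not have to be hard-coded. Assumptions: the archive files match Archive-Security-*.evtx under winevt\Logs (the thread only shows *Security*), the caller has WinRM/admin rights on the DCs, and the CSV is written once on the local machine rather than on each DC's own desktop.

```powershell
# Added example for this thread, not code from the original posts.
# Assumed: archive files match the pattern below, caller is a domain admin with WinRM access,
# and the output path is on the LOCAL machine.
$eventIds  = 4720, 4722, 4738                       # account created / enabled / changed (IDs from the thread)
$startTime = Get-Date '2018-06-04'                  # ISO-style literals avoid the locale ambiguity of "6/04/2018"
$endTime   = Get-Date '2018-06-08'
$archive   = 'C:\Windows\System32\winevt\Logs\Archive-Security-*.evtx'   # assumed file-name pattern
$outFile   = "$env:USERPROFILE\Desktop\resultJC.csv"
$useXPath  = $false                                 # $true switches to the -FilterXPath form

$dcs = Get-ADComputer -Filter * -SearchBase 'OU=Domain Controllers,DC=Domain,DC=corp' |
       Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # $using: carries the caller's variables into the remote session (PowerShell 3.0+).
    $ids   = [int[]]$using:eventIds
    $start = $using:startTime
    $end   = $using:endTime
    $path  = $using:archive

    if (-not $using:useXPath) {
        # Form 1: FilterHashtable. Id takes an Int32[] array; Path points at the archive files.
        $hash   = @{ Path = $path; Id = $ids; StartTime = $start; EndTime = $end }
        $events = Get-WinEvent -FilterHashtable $hash -ErrorAction SilentlyContinue
    }
    else {
        # Form 2: explicit XPath OR over the IDs plus a UTC time window, the same query the
        # Event Viewer filter dialog would generate. "No events found" is a non-terminating
        # error, so it is silenced rather than stopping the loop over many archive files.
        $idClause = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
        $fmt      = 'yyyy-MM-dd\THH:mm:ss.fff\Z'
        $from     = $start.ToUniversalTime().ToString($fmt)
        $to       = $end.ToUniversalTime().ToString($fmt)
        $xpath    = "*[System[($idClause) and TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']]]"
        $events   = Get-WinEvent -Path $path -FilterXPath $xpath -ErrorAction SilentlyContinue
    }

    # Pull the account-management fields out of the event XML instead of parsing Message text,
    # so the CSV answers "which account, changed by whom, on which DC" directly.
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            DC            = $env:COMPUTERNAME
            TimeCreated   = $e.TimeCreated
            Id            = $e.Id
            TargetAccount = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Actor         = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            LogFile       = $e.ContainerLog
        }
    }
}

# One CSV on the local machine, instead of one file per DC on each DC's own desktop.
$results | Sort-Object TimeCreated | Export-Csv -Path $outFile -NoTypeInformation
```

    If the hashtable form still returns nothing for several IDs while the XPath form works, that narrows the problem to how the provider handles the Id array for archived files rather than to the events themselves; flipping $useXPath is a cheap way to test that on one DC before running against all 12.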
