Log search working in Windows 7 but not in Windows 10


This topic contains 3 replies, has 2 voices, and was last updated 1 month, 3 weeks ago.

  • #167428

    Participant
    Topics: 17
    Replies: 27
    Points: 22
    Rank: Member

    Windows 7 x64   PSVersion 5.1.1.14409.1018 – below runs with no issues

    $cmp = 'localhost'
    
    $time = (Get-Date) - (new-timeSpan -day 2)
    
    $events = Get-WinEvent -cn $cmp -FilterHashtable @{ logname = '*'; level = 1, 2, 3, 4; starttime = $time }
    

    Windows 10 x64 PSVersion 5.1.16299.1146 – the above won't run, I am missing something here –

    Get-WinEvent : The data is invalid
    At line:7 char:11
    + $events = Get-WinEvent -cn $cmp -FilterHashtable @{ logname = '*'; le ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
    + FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand
    

    It appears the filtering can no longer deal with the logname='*'

    Appreciate any pointers

  • #167446

    Senior Moderator
    Topics: 8
    Replies: 1041
    Points: 3,439
    Helping Hand
    Rank: Community Hero

    Yup, it doesn't accept * in Win 7

  • #167584

    Participant
    Topics: 17
    Replies: 27
    Points: 22
    Rank: Member

    I have knocked this together – it seems to be doing the trick – I'll refine and push on – cheers

    $cmp='localhost'

    $time = (Get-Date) - (new-timeSpan -hour 1)

    $Events=Get-WinEvent -filterhashtable @{Logname = ($LogName=(Get-WinEvent -ListLog * -ComputerName $cmp| where {$_.recordcount -gt 0} | Select-Object -ExpandProperty LogName)); starttime = $time}

    $Events | select-object -property TimeCreated, Providername, LogName, ID, Message | Sort-Object -Property TimeCreated -Descending | Export-Csv "c:\temp\$cmp.csv"

  • #168622

    Participant
    Topics: 17
    Replies: 27
    Points: 22
    Rank: Member

    Just posting what I am now using on W10-1709 – seems to work well and plenty of scope to refine the details returned

    # $cmp is the target computer, as set in the earlier posts
    $cmp = 'localhost'
    $time = (Get-Date) - (new-timeSpan -hour 5)
    $EventLogNames = (Get-WinEvent -ListLog * -ComputerName $cmp | where { $_.recordcount -gt 0 } | select-object -ExpandProperty LogName)

    Get-WinEvent -FilterHashtable @{ LogName = $EventLogNames; starttime = $time } -ComputerName $cmp |
    select-object -property TimeCreated, Providername, LogName, ID, @{ n = "Error Level"; e = { switch ($_.level) { "1"{ "Critical" } "2"{ "Error" } "3"{ "Warning" } "4"{ "Information" } } } }, @{ n = "Message"; e = { ($_.message).trim() } } |
    Sort-Object -Property TimeCreated -Descending
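
An added example, not code from any poster in this thread: the same enumerate-then-query approach for Windows PowerShell 5.1, with the original question's level filter restored and the log names queried in batches, because Get-WinEvent rejects a single query that names more than 256 logs. The variable names `$Computer`, `$HoursBack`, `$BatchSize` and `$queryErrors` are assumptions made for this example.

```powershell
# Added example, not from the thread. Variable names and values are assumptions.
$Computer  = 'localhost'
$HoursBack = 5
$BatchSize = 200   # stay below the 256-log limit of a single Get-WinEvent query

$start = (Get-Date).AddHours(-$HoursBack)

# -ListLog accepts wildcards, so expand '*' here instead of inside the filter hashtable.
$logNames = @(Get-WinEvent -ListLog * -ComputerName $Computer -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object -ExpandProperty LogName)

# Level numbers as used in the original question (1-4).
$levelName = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information' }

$queryErrors = @()
$events = for ($i = 0; $i -lt $logNames.Count; $i += $BatchSize) {
    $last   = [Math]::Min($i + $BatchSize, $logNames.Count) - 1
    $filter = @{ LogName = $logNames[$i..$last]; Level = 1, 2, 3, 4; StartTime = $start }

    # A batch with no matching events raises a non-terminating error.
    # Keep the errors in $queryErrors so that gaps in collection can be reviewed.
    Get-WinEvent -FilterHashtable $filter -ComputerName $Computer `
        -ErrorAction SilentlyContinue -ErrorVariable +queryErrors
}

$events |
    Sort-Object -Property TimeCreated -Descending |
    Select-Object TimeCreated, ProviderName, LogName, Id,
        @{ n = 'Level';   e = { $levelName[[int]$_.Level] } },
        @{ n = 'Message'; e = { "$($_.Message)".Trim() } }
```

Events written with level 0 (LogAlways) or 5 (Verbose) are not matched by this `Level` filter. Check `$queryErrors` after the run to see which queries returned an error rather than events.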
