Questions tagged [get-winevent]

Get-WinEvent is a PowerShell cmdlet that gets the events in an event log, or a list of the event logs, on local or remote computers.

74 questions
4
votes
0 answers

Understanding TargetLinkedLogonId and Paired Logon Sessions

Looking to understand the TargetLinkedLogonId added to the Security Audit event in Windows 10 (and the associated concept of paired logon sessions) ref: https://learn.microsoft.com/en-us/windows/device-security/auditing/event-4624 A console…
noah haibach
  • 81
  • 1
  • 4
3
votes
0 answers

PowerShell Get-WinEvent fails to return results when run from Invoke-Command

I believe Get-WinEvent has a bug when it runs within a PSSession. As an example, the code below fails to return any results: $evt = Invoke-Command -ComputerName computerX -ScriptBlock { Get-WinEvent -FilterHashtable @{ logname = 'System'; id =…
3
votes
1 answer

PowerShell, weird behaviour of Get-WinEvent -FilterHashTable ID and arrays

What I want to do? I run the Get-WinEvent function with -FilterHashTable, supplying an array of interesting Event IDs for the ID argument. $IDS =…
3
votes
1 answer

Powershell get-winevent filterxpath wildcard

I'm attempting to query a DNS log to see which local computer requested a website address that contains 38.93.53.202-in-addr.arpa-nettlinx.com. I don't know what form this will take in the logs, and filtering using the event log is getting me…
Finch
  • 75
  • 8
3
votes
1 answer

Selecting specific lines/data from Get-Winevent message in powershell

I am trying to extract a specific line from the message output of a get-winevent cmdlet and haven't been able to find a way to do this (I could be searching incorrectly but am still learning more advanced scripting methods). What I am running is…
2
votes
1 answer

PowerShell - Grabbing user from security.evtx files

I'm not used to using PowerShell at all, but so far I have the following code to grab a 4625 event: Get-WinEvent -MaxEvents 1 -FilterHashtable…
tjw
  • 123
  • 2
  • 10
2
votes
1 answer

EventLogPropertySelector Not Returning Extended Data From Event Object In PowerShell

My short-term goal is to gather event IDs 40 and 42 with provider Microsoft-Windows-TerminalServices-LocalSessionManager from the log named Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, then sort them based on the…
2
votes
1 answer

Powershell - Login/Logoff Events - Get-WinEvent vs Get-EventLog

I've been working on a script to pull logon/logoff history out of the Event logs. The issue is that almost every code example I found uses "Get-EventLog" which does work, but is extremely slow processing due to the event logs found on a server being…
HerrtheGeek
  • 51
  • 1
  • 5
2
votes
1 answer

Get-EventLog not parsing Message when run by SYSTEM user

Problem: I am trying to schedule a job that monitors events on remote machines. I wrote the script based on the Get-EventLog command and it works properly when run by my account. But when I run Get-EventLog as the SYSTEM user, the .Message attribute…
2
votes
2 answers

Powershell - Get-WinEvent

I have been looking all over the place to just figure out what this "Level" means when running Get-WinEvent. For example, Get-WinEvent -FilterHashtable @{logname='application'; level=2; starttime=$time; id=20} What does level=2 represent here? The…
kyj
  • 31
  • 3
1
vote
1 answer

Get-WinEvent Multiple Servers

I am trying to run the following script $citrixServers = @('server1', 'server2' , 'server3') $time = (get-date).AddDays(-16) foreach ($citrixServer in $citrixServers) {'System' , 'Security' , 'Application'| ForEach-Object {Get-WinEvent -computerName…
1
vote
3 answers

Get-WinEvent and Select-string filter line result

I'm trying to use Get-WinEvent + Select-String to filter and get the IP from events 4625. After Get-WinEvent I want to filter the results to show only the "Source Network Address:" line, which will provide me the list of IPs I need to block. Below is…
Aucesar
  • 25
  • 4
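The three questions above about pulling a user name or the "Source Network Address" out of 4625 events, the one about selecting specific lines from a Message, and the DNS question about wildcards in -FilterXPath all have the same underlying answer: do not regex the rendered Message (it is locale-dependent and line-wrapped) and do not look for wildcards in the event log's XPath subset (it has no string-matching functions, so the substring match has to happen client-side). The structured XML behind every record carries the fields by name. The following is an added example, not code from any of the questions or answers on this page; it assumes you can read the local Security log or have an exported .evtx, and the DNS log name passed to Find-EventText is only an assumed placeholder.

```powershell
# Added example: flatten the event XML into named fields, then filter on them.
# Not code from the questions above; the sample 4625 record below is constructed.

function ConvertFrom-EventXml {
    # Accepts an EventLogRecord (from Get-WinEvent) or an XML string and returns one
    # object with the System fields plus every EventData/Data[@Name] and UserData child.
    param([Parameter(ValueFromPipeline)] $InputObject)
    process {
        $text = if ($InputObject -is [string]) { $InputObject } else { $InputObject.ToXml() }
        $x   = [xml]$text
        $sys = $x.Event.System
        # Classic (pre-Vista style) events carry a Qualifiers attribute on EventID, so the
        # XML adapter hands back an element instead of a plain string there.
        $id = if ($sys.EventID -is [string]) { $sys.EventID } else { $sys.EventID.'#text' }
        $o = [ordered]@{
            TimeCreated = [datetime]$sys.TimeCreated.SystemTime
            Id          = [int]$id
            Provider    = $sys.Provider.Name
            Computer    = $sys.Computer
        }
        foreach ($d in $x.Event.EventData.Data) {
            # Only <Data Name="..."> elements are named fields; unnamed ones are skipped.
            if ($d -is [System.Xml.XmlElement] -and $d.HasAttribute('Name')) {
                $o[$d.GetAttribute('Name')] = $d.'#text'
            }
        }
        # Providers such as TerminalServices-LocalSessionManager put their fields under
        # UserData/<wrapper>/<field> instead of EventData; flatten those too.
        foreach ($wrapper in $x.Event.UserData.ChildNodes) {
            foreach ($n in $wrapper.ChildNodes) { $o[$n.LocalName] = $n.InnerText }
        }
        [pscustomobject]$o
    }
}

function Get-FailedLogonSource {
    # 4625 failures grouped by source IP, from the live Security log or an exported file.
    # In 4625 the "Source Network Address:" line is the IpAddress field and the account
    # is TargetDomainName\TargetUserName.
    param([string]$Path)
    $filter = @{ Id = 4625 }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertFrom-EventXml |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'IpAddress'; e = { $_.Name } },
            @{ n = 'Accounts'; e = { ($_.Group.TargetUserName | Sort-Object -Unique) -join ',' } }
}

function Find-EventText {
    # Server-side narrowing via the hashtable, client-side substring match on any field:
    # the event log XPath subset has no wildcard or contains(), so -FilterXPath cannot do this.
    param([hashtable]$Filter, [string]$Pattern)
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ConvertFrom-EventXml |
        Where-Object {
            foreach ($p in $_.PSObject.Properties) {
                if ("$($p.Value)" -like "*$Pattern*") { return $true }
            }
            $false
        }
}

# Constructed sample record (not a real capture) so the parser can be exercised
# without touching a Security log.
$sample4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID><Level>0</Level>
    <TimeCreated SystemTime="2024-05-01T10:00:00.0000000Z"/>
    <Channel>Security</Channel><Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">203.0.113.7</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>
'@
$sample4625 | ConvertFrom-EventXml | Format-List          # shows IpAddress = 203.0.113.7

# Live usage (requires Event Log Readers rights or an exported file):
Get-FailedLogonSource -Path .\security.evtx | Format-Table -AutoSize
# Assumed log name for the DNS search; substitute the channel you actually audit.
Find-EventText -Filter @{ LogName = 'Microsoft-Windows-DNS-Client/Operational' } -Pattern '38.93.53.202'
```

When only one or two fields are needed per event, [System.Diagnostics.Eventing.Reader.EventLogPropertySelector] built from XPath strings such as 'Event/EventData/Data[@Name="IpAddress"]' and passed to $record.GetPropertyValues() avoids parsing the whole XML; for providers that write UserData, the selector path starts with 'Event/UserData/' rather than 'Event/EventData/', which is the usual reason it appears to return nothing.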
1
vote
1 answer

Where-Object Error When Passing Get-Content as Variable

First, my PS knowledge is very basic, so know that up front. I'm working on a basic script to search EventIDs in archived .evtx files and kick out "reports". The Where-Object queries are in .txt files stored in .\AuditEvents\ folder. I'm trying to…
nomen
  • 13
  • 3
1
vote
1 answer

get-winevent output to a file getting stored as binary

I am using Get-WinEvent to convert an evtx log to a .json file. Then I send it to ELK. Get-WinEvent -Path .\log.evtx | ConvertTo-Json | Format-List | Out-File log.json The file looks like a normal string-containing file on Windows. But when I take it…
nav33n
  • 113
  • 9
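The "binary" file in the question above is almost always an encoding problem: in Windows PowerShell 5.1, Out-File writes UTF-16LE ("Unicode") by default, so every other byte is NUL and Linux tools and Filebeat see binary; Format-List in the middle of the pipeline also emits formatting objects rather than the JSON string. The following is an added example, not the asker's code, showing an export that writes one JSON object per line in BOM-less UTF-8; the input and output paths are assumptions.

```powershell
# Added example: export an .evtx to newline-delimited JSON (one event per line) that
# Elasticsearch/Logstash/Filebeat ingest as plain UTF-8. Not code from the question.

function Export-EvtxToNdjson {
    param(
        [Parameter(Mandatory)] [string]$Path,      # the .evtx to read
        [Parameter(Mandatory)] [string]$OutFile    # the NDJSON file to write
    )
    # .NET resolves relative paths against the process working directory, not $PWD,
    # so translate the PowerShell path first.
    $resolvedOut = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)

    # UTF8Encoding($false) = no byte-order mark. Out-File's default in 5.1 is UTF-16LE,
    # and even -Encoding utf8 there still prepends a BOM; PowerShell 7 defaults to
    # BOM-less UTF-8, but the StreamWriter makes the behaviour the same on both.
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    $writer    = New-Object System.IO.StreamWriter($resolvedOut, $false, $utf8NoBom)
    $count = 0
    try {
        Get-WinEvent -Path $Path -ErrorAction Stop | ForEach-Object {
            # Pick serialisable scalar fields; -Compress keeps each event on one line
            # (NDJSON) instead of one pretty-printed JSON array for the whole file.
            $record = [ordered]@{
                '@timestamp' = $_.TimeCreated.ToUniversalTime().ToString('o')
                computer     = $_.MachineName
                log          = $_.LogName
                provider     = $_.ProviderName
                event_id     = $_.Id
                level        = $_.LevelDisplayName
                record_id    = $_.RecordId
                message      = $_.Message
            }
            $writer.WriteLine((ConvertTo-Json -InputObject $record -Compress -Depth 3))
            $count++
        }
    }
    finally {
        $writer.Dispose()
    }
    $count   # number of events written
}

# Usage (assumed file names):
Export-EvtxToNdjson -Path .\log.evtx -OutFile .\log.ndjson
```

A quick sanity check on the result from the Linux side is `file log.ndjson`, which should report "JSON data" or "ASCII/UTF-8 text", not "data" or "UTF-16"; `head -c 3 log.ndjson | xxd` shows whether a BOM (EF BB BF) slipped in.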
1
vote
2 answers

Pulling Application and system event log in one query

I would like to search the eventlog with one simple query as opposed to going through the same ordeal twice. I simply want to search the eventlog for both application warnings and errors as well as the system log. I currently have it running but…
Listor
  • 93
  • 9
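Several questions on this page (arrays of IDs in -FilterHashtable, what Level=2 means, querying several servers, pulling Application and System in one query, and why Get-WinEvent beats Get-EventLog on busy logs) come down to one idea: every key in the hashtable is ANDed, an array value for a key is ORed, and the whole filter is evaluated inside the Event Log service so only matching records cross the wire, whereas Get-EventLog | Where-Object pulls the entire log first. The following is an added example, not code from any question or answer here; the server names are placeholders and it assumes Event Log Readers rights on the targets.

```powershell
# Added example: one server-side filter across several logs, IDs, levels and hosts.
# Not code from the questions above; server names are placeholders.

# Level values accepted by -FilterHashtable and shown in the Event Viewer Level column.
$LevelName = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information'; 5 = 'Verbose' }

function Get-FilteredEvents {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$LogName      = @('System', 'Application'),
        [int[]]   $Id,                          # optional: any of these event IDs
        [int[]]   $Level        = @(1, 2, 3),   # Critical, Error, Warning
        [datetime]$StartTime    = (Get-Date).AddDays(-1),
        [int]     $MaxEvents    = 500
    )
    # Keys are ANDed, array values are ORed: (System OR Application) AND (Level 1 OR 2 OR 3) AND ...
    # Note: Security audit events carry Level 0, so a Level filter excludes them; select
    # those with Keywords instead (0x8010000000000000 = Audit Failure, 0x8020000000000000 = Audit Success).
    $filter = @{ LogName = $LogName; Level = $Level; StartTime = $StartTime }
    if ($Id) { $filter['Id'] = $Id }

    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
                Select-Object @{ n = 'Computer'; e = { $computer } },
                    TimeCreated, LogName, Id,
                    @{ n = 'Level'; e = { $LevelName[[int]$_.Level] } },
                    ProviderName, Message
        }
        catch {
            # "No events were found that match the specified selection criteria." is raised
            # as an error rather than an empty result; treat it as zero rows and keep going.
            if ($_.Exception.Message -notlike 'No events were found*') {
                Write-Warning "$computer : $($_.Exception.Message)"
            }
        }
    }
}

# Usage: warnings and errors from System and Application on three hosts over 16 days,
# which is the Get-EventLog loop from the questions above done as one remote filter per host.
$query = @{
    ComputerName = 'server1', 'server2', 'server3'   # placeholders
    LogName      = 'System', 'Application'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-16)
}
Get-FilteredEvents @query | Sort-Object TimeCreated | Format-Table -AutoSize
```

Filtering on ID alone across a large log can still be slow if the ID occurs constantly; adding StartTime (the cmdlet narrows on the record's timestamp index) and -MaxEvents bounds the work, and a -ComputerName query runs over RPC with your current credentials, so a host that rejects you shows up as a warning rather than silently missing rows.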