We're using teh Get-WinEvent powershell commandlet and filtering using filterxpath which we can get more info on from here: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent
The Basics
Filter by Event ID:
*/System/EventID=<ID>Filter by XML Attribute/Name:
*/EventData/Data[@Name="<XML Attribute/Name>"]Filter by Event Data:
*/EventData/Data=<Data>Opening an external Event log file
Get-WinEvent -path [path to event log file]Opening a local event log area
Get-WinEvent -LogName Microsoft-Windows-PrintService/AdminFiltering The Data
If you want to filter events but you're not sure how to - visit the event log GUI, click an event and then look at the detail XML portion to build out the query.
Filtering by EventID
Get-WinEvent -Path [path to event log file] Application -FilterXPath '*/System/EventID=100'or
Get-WinEvent -LogName Microsoft-Windows-PrintService/Admin -FilterXPath ‘*/System/EventID=808’Filtering using hashtables by ID and keywords (IMO this is way easier that XPath queries)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'or (note you can use wildcards (*) in this option too) - I find this functions better than the above but you don't get the hashtables filtering.
Get-WinEvent -Path [path to event log file] | Where-Object{$_.Message -like '[string]'}to see the full data on this you can enumerate the properties of the items it finds by piping that - using Message instead of the * below will give you JUST the message area that you might be looking for.
Get-WinEvent -Path [path to event log file] | Where-Object{$_.Message -like '[string]'} | Select-Object -Property *Display just the process ID
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property ProcessID
Yorumlar