DarkLite1

Reputation: 14745

Can't query the Windows Event Log 'Forwarded Events' with dates

We're trying to create a PowerShell function to query the Windows Event Log for events that happened between two dates. The following code works fine when querying a custom log or a standard log:

# $LogName holds the name of a standard or custom log, e.g. 'Application'
$LogName = 'Application'
$FilterXML = @"
<QueryList>
    <Query Id="0" Path='$LogName'>
        <Select Path='$LogName'>
            *[System[TimeCreated[@SystemTime&gt;='2017-04-17T09:48:24.000Z' and 
            @SystemTime&lt;='2017-04-19T09:50:24.999Z']]]
        </Select>
    </Query>
</QueryList>
"@
# Returns the events whose TimeCreated lies between the two UTC timestamps
Get-WinEvent -FilterXml $FilterXML

We've set up our Windows Server 2012 to collect events from other servers, like a Windows Server 2008 R2. When checking the events in the Event Viewer we can see that they are available in the log Forwarded Events. When querying them without a date in the GUI or in PowerShell this works perfectly fine.

However, when we want to query that same 'Forwarded Events' log in the GUI or in PowerShell by adding a date From and a date To selection, it's simply saying there are no matches found, which is incorrect because when we check these events they all have the TimeCreated property with a date that is between those dates.

Get-WinEvent : No events were found that match the specified selection criteria.

When running the same query on the source computer where the events are created it works fine with the dates. On the Collector server, when selecting only events from the last 7 days or 24 hours, this works fine too. So it has something to do with the forwarding of the events and the DateTime object in them I guess. We've checked Regional Settings on both servers; they are the same Dutch (Belgium) for date formats.

Example event where the date can't be used:

Message              : johofman - Script ended
Id                   : 199
Version              : 
Qualifiers           : 0
Level                : 4
Task                 : 1
Opcode               : 
Keywords             : 36028797018963968
RecordId             : 768
ProviderName         : My script name
ProviderId           : 
LogName              : My log name
ProcessId            : 
ThreadId             : 
MachineName          : SERVER.domain.net
UserId               : 
TimeCreated          : 19/04/2017 16:02:56
ActivityId           : 
RelatedActivityId    : 
ContainerLog         : c:\windows\system32\winevt\logs\forwardedevents.evtx
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Info
TaskDisplayName      : 
KeywordsDisplayNames : {Classic}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty}

Is there a reason why this is working for all Event Logs but not for Forwarded Events?

Event Logging has been configured as described here.

Thank you for your help.

Upvotes: 0

Views: 2690

Answers (1)

Micky Balladelli

Reputation: 10001

How about trying with -filterHashTable ? For example:

$filter = @{
    Path      = "$env:SystemRoot\System32\Winevt\Logs\ForwardedEvents.evtx"
    StartTime = Get-Date '2017-04-17T09:48:24.000Z'
    EndTime   = Get-Date '2017-04-19T09:50:24.999Z'
}

Then

$events = Get-WinEvent -FilterHashtable $filter

Upvotes: 0
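As an added example (not code from the question or the answer), here is a function that wraps both approaches: it takes ordinary [datetime] values and either builds the -FilterHashtable from the answer or derives the UTC timestamps for the XML query from the question instead of hard-coding them. The function name, the default log name 'ForwardedEvents' and the -UseXml switch are assumptions for illustration.

```powershell
# Added example (not code from the question or the answer): a wrapper around
# Get-WinEvent that takes [datetime] values and builds either the hashtable
# filter from the answer or the XML filter from the question.
function Get-EventsBetween {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][datetime]$StartTime,
        [Parameter(Mandatory)][datetime]$EndTime,
        [string]$LogName = 'ForwardedEvents',       # assumed default
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$UseXml
    )
    if ($EndTime -lt $StartTime) {
        throw "EndTime ($EndTime) is earlier than StartTime ($StartTime)."
    }
    try {
        if ($UseXml) {
            # Same query shape as the question, but the UTC timestamps are
            # derived from the arguments instead of being typed by hand.
            $from = $StartTime.ToUniversalTime().ToString('o')
            $to   = $EndTime.ToUniversalTime().ToString('o')
            $xml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[TimeCreated[@SystemTime&gt;='$from' and @SystemTime&lt;='$to']]]
    </Select>
  </Query>
</QueryList>
"@
            Get-WinEvent -ComputerName $ComputerName -FilterXml $xml -ErrorAction Stop
        }
        else {
            # Get-WinEvent converts local [datetime] values to UTC itself.
            $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime }
            Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
        }
    }
    catch {
        # 'No events were found' is raised as an error; return an empty set instead.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
}

# Usage with the window hard-coded in the question; add -UseXml to take the XML path.
Get-EventsBetween -StartTime '2017-04-17 09:48:24' -EndTime '2017-04-19 09:50:24' |
    Select-Object TimeCreated, Id, ProviderName, MachineName | Format-Table -AutoSize
```

Running it once with and once without -UseXml against the same log makes it easy to see whether the hashtable and XML filters behave differently on the collector.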
