Hello everybody,
I'm struggling with custom views and filters for my event log. We have a central log server that stores event logs for our servers. The log server is running Windows Server 2016 and the events from the subscriptions all get saved in the ForwardedEvents log. Some queries work in the GUI but not with PowerShell, and if I try to filter for stuff in the "EventData" portion I get an error with invalid data.
Some examples:
I have a custom view in the eventviewer GUI that works fine there.
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(EventID=4688)]] and *[EventData[Data[@Name='SubjectUserName'] and (Data='testuser')]]</Select>
</Query>
</QueryList>
but if I try to get the information with a PowerShell command it doesn't work
$Filter = @'
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(EventID=4688)]] and *[EventData[Data[@Name='SubjectUserName'] and (Data='testuser')]]</Select>
</Query>
</QueryList>
'@
Get-WinEvent -FilterXml $Filter
I get about 50 messages that read
Get-WinEvent : The data is invalid
At C:\Users\testuser\Desktop\eventlog query.ps1:8 char:1
+ Get-WinEvent -FilterXml $Filter
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
+ FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand
Another example in the GUI:
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(EventID=4688)]]</Select>
<Suppress Path="ForwardedEvents">*[System[(EventID=4688)]] and *[EventData[Data[@Name='SubjectUserSid'] and (Data='S-1-5-18')]]</Suppress>
</Query>
</QueryList>
This query works fine and suppresses the events from users with the SID S-1-5-18.
When I change the event ID I get the error
"Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The data is invalid(13)"
Changed query that gives error:
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(EventID=5136)]]</Select>
<Suppress Path="ForwardedEvents">*[System[(EventID=5136)]] and *[EventData[Data[@Name='SubjectUserSid'] and (Data='S-1-5-18')]]</Suppress>
</Query>
</QueryList>
Anybody any suggestions on what could cause these errors?
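An added example, not the poster's script, that expresses the same 4688 / SubjectUserName filter in a stricter XPath form and, when the EventData XPath is rejected with "The data is invalid", falls back to filtering on System-level fields only (log name and event ID) and matching the EventData values client-side from each event's XML. The log name ForwardedEvents, the account testuser and the suppressed SID S-1-5-18 are taken from the post; $MaxEvents, the output property names and the exception handling are this example's own choices.

```powershell
# Added example (not the original poster's code).
# Assumed from the post: log 'ForwardedEvents', account 'testuser', SID S-1-5-18 to suppress.
$LogName    = 'ForwardedEvents'
$User       = 'testuser'
$ExcludeSid = 'S-1-5-18'
$MaxEvents  = 500   # this example's own bound; raise or replace with StartTime as needed

# 1) Server-side XPath, comparing the named Data element directly.
#    The post's form "Data[@Name='X'] and (Data='v')" is also accepted by the GUI, but it
#    matches any Data node equal to v, not specifically the one named X.
$XPath = "*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectUserName']='$User']]"

$Filter = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$XPath</Select>
    <Suppress Path="$LogName">*[EventData[Data[@Name='SubjectUserSid']='$ExcludeSid']]</Suppress>
  </Query>
</QueryList>
"@

$hits = $null
try {
    $hits = Get-WinEvent -FilterXml $Filter -MaxEvents $MaxEvents -ErrorAction Stop
    Write-Host "XPath filter accepted: $($hits.Count) event(s) returned."
}
catch {
    # Typical failure seen in the post: EventLogInvalidDataException ("The data is invalid").
    Write-Warning "EventData XPath failed ($($_.Exception.GetType().Name)); using client-side filter."
}

# 2) Fallback: filter only on System fields the reader always understands, then parse
#    the EventData of each event ourselves. Costs reading every 4688 event in the bound.
if ($null -eq $hits) {
    $raw = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4688 } `
                        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $hits = foreach ($e in $raw) {
        $x = [xml]$e.ToXml()
        $data = @{}
        # Data elements carry a Name attribute and the value as inner text.
        foreach ($d in @($x.Event.EventData.Data)) {
            if ($null -ne $d) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        }
        if ($data['SubjectUserName'] -eq $User -and $data['SubjectUserSid'] -ne $ExcludeSid) {
            [pscustomobject]@{
                TimeCreated     = $e.TimeCreated
                Computer        = $e.MachineName
                SubjectUserName = $data['SubjectUserName']
                SubjectUserSid  = $data['SubjectUserSid']
                NewProcessName  = $data['NewProcessName']
            }
        }
    }
}

$hits | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The fallback path deliberately keeps the server-side query to fields in the System section, which is the part of a forwarded event that does not depend on the rendering provider being present on the collector; the EventData comparison then happens in PowerShell, so the same script behaves identically in both cases and the result can be checked against what the GUI custom view shows.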