Eventlog Madness

lamatee 21 Reputation points
2020-09-22T12:13:21.287+00:00

Hello everybody,
I'm struggling with custom views and filters for my event log. We have a central log server that stores event logs for our servers. The log server is running Windows Server 2016 and the events from the subscriptions all get saved in the ForwardedEvents log. Some queries work in the GUI but not with PowerShell, and if I try to filter for stuff in the "EventData" portion I get an error with invalid data.

Some examples:

I have a custom view in the Event Viewer GUI that works fine there.

    <QueryList>
      <Query Id="0" Path="ForwardedEvents">
        <Select Path="ForwardedEvents">*[System[(EventID=4688)]] and *[EventData[Data[@Name='SubjectUserName'] and (Data='testuser')]]</Select>
      </Query>
    </QueryList>

but if I try to get the information with a PowerShell command it doesn't work

$Filter = @'
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=4688)]] and *[EventData[Data[@Name='SubjectUserName'] and (Data='testuser')]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $Filter

I get about 50 messages that read

Get-WinEvent : The data is invalid
At C:\Users\testuser\Desktop\eventlog query.ps1:8 char:1
+ Get-WinEvent -FilterXml $Filter
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
    + FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand

Another example in the GUI:

<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=4688)]]</Select>
    <Suppress Path="ForwardedEvents">*[System[(EventID=4688)]]  and *[EventData[Data[@Name='SubjectUserSid'] and (Data='S-1-5-18')]]</Suppress>
  </Query>
</QueryList>

This query works fine and suppresses the events from users with the SID S-1-5-18.

When I change the EventID I get the error
"Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The data is invalid(13)"
Changed query that gives the error:

<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=5136)]]</Select>
    <Suppress Path="ForwardedEvents">*[System[(EventID=5136)]] and *[EventData[Data[@Name='SubjectUserSid'] and (Data='S-1-5-18')]]</Suppress>
  </Query>
</QueryList>

Does anybody have any suggestions on what could cause these errors?


Accepted answer
  1. MotoX80 33,481 Reputation points
    2020-09-22T15:03:09.913+00:00

    How about using a FilterHashtable?

    # https://learn.microsoft.com/en-us/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable?view=powershell-7

    $Filter = @{
        Logname = "System"
        Id      = '43'
    }

    Get-WinEvent -FilterHashTable $Filter | Where-Object -Property Message -match 'framework'


    $Filter = @{
        Logname = "ForwardedEvents"
        Id      = '5136'
    }

    Get-WinEvent -FilterHashTable $Filter | Where-Object -Property Message -match 'testuser'

    1 person found this answer helpful.
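As an added example (not part of MotoX80's answer), the same hashtable approach extended to filter on the SubjectUserName field from the question instead of regex-matching Message: the hashtable handles the log, event ID and time window, and the EventData field is read from each event's XML, which is faster and not dependent on the display language. The log name 'ForwardedEvents', event ID 4688 and the account 'testuser' come from the question; the 24-hour window and the field names shown in the output are assumptions about what a reviewer wants to see.

```powershell
# Added example, not code from the original answer.
# Filter 4688 (process creation) events in ForwardedEvents by SubjectUserName.
# Assumed values: log name, event ID and account from the question; time window of 24 h.
param(
    [string]$LogName  = 'ForwardedEvents',
    [int]   $EventId  = 4688,
    [string]$UserName = 'testuser',
    [int]   $Hours    = 24
)

# Server-side part of the filter: cheap and supported by the hashtable.
$filter = @{
    LogName   = $LogName
    Id        = $EventId
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Read a named EventData field from the event XML instead of parsing Message,
# which is locale dependent and slower to regex over.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField -Event $_ -Name 'SubjectUserName') -eq $UserName } |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName            # forwarding source, not the collector
            User        = Get-EventDataField -Event $_ -Name 'SubjectUserName'
            Process     = Get-EventDataField -Event $_ -Name 'NewProcessName'
            Parent      = Get-EventDataField -Event $_ -Name 'ParentProcessName'
        }
    } |
    Format-Table -AutoSize
```

On PowerShell 5.1 and later the Get-WinEvent documentation also lists named EventData keys for the hashtable (for example `SubjectUserName = 'testuser'` alongside LogName and Id), which moves that part of the filter to the server; the XML parsing above is the portable fallback.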

3 additional answers

  1. MotoX80 33,481 Reputation points
    2020-09-25T12:00:15.93+00:00

    I hacked together a "recent events" script to get the entries from all event logs for a given timeframe. Maybe it will help you with your problems.

    # Name: RecentEvents.ps1
    # Desc: Script to read all event logs and put all events within a timeframe into TOD sequence.
    #       The intent is to see all events that occurred at a certain time when an error may have occurred.
    #       Life was simpler when we only had 3 eventlogs.
    # Usage: RecentEvents.ps1 NumberOfHours    Ie:  RecentEvents.ps1 24
    # Author: Dave (MotoX80)
    param($tf = 1)          # Time frame in hours.
    $hdr = $tf
    $tf = $tf * 3600000     # timediff() in the XPath below works in milliseconds
    $elna = (Get-WinEvent -ListLog * -EA SilentlyContinue | Where-Object { $_.RecordCount -gt 1 })   # get all event log names that have records in them.
    $AllEvents = @()        # prepare array so we can append to it
    foreach ($el in $elna)  # look at each event log
    {
        ""                  # blank line on the console between logs
        #$el.LogName
        $xml = "<QueryList><Query Id=""0"" Path=""$($el.LogName)"">
                <Select Path=""$($el.LogName)"">*[System[TimeCreated[timediff(@SystemTime) &lt;= $tf ]]]</Select>
                </Query></QueryList>"
        $AllEvents += Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue  # append the events (if any)
    }
    $AllEvents | Sort-Object -Descending -Property TimeCreated |
    Select-Object -Property TimeCreated, Id, LogName, LevelDisplayName, Message |
    Out-GridView -Title "Recent Events ($hdr hours)"
    
    1 person found this answer helpful.

  2. js2010 191 Reputation points
    2020-09-24T01:40:02.46+00:00

    I know you can't query more than 256 logs at a time (PS 7).

    get-winevent -LogName *
    
    Get-WinEvent: Log count (459) is exceeded Windows Event Log API limit (256). Adjust filter to return less log names.
    

    Still wondering how to get notifications for replies in this forum.
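One added example (not code from either answer) that combines MotoX80's per-log time window with the 256-log limit js2010 hit: instead of one Get-WinEvent call per log, it queries the log names in batches that stay below the limit, with the time window expressed as a hashtable StartTime rather than the timediff() XPath. The batch size of 200 and the one-hour default are assumptions.

```powershell
# Added example, not code from either answer above.
# Collect recent events from every log that has records, in batches of log names
# small enough to stay under the Windows Event Log API limit of 256 logs per query.
param(
    [int]$Hours     = 1,     # assumed default time window
    [int]$BatchSize = 200    # assumed; any value below 256 avoids the "Log count ... exceeded" error
)

$since = (Get-Date).AddHours(-$Hours)

# -ListLog only reads log metadata and is not subject to the 256-log query limit.
$logNames = @(
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Select-Object -ExpandProperty LogName
)

# One query per batch: LogName accepts an array, StartTime does the time window server-side.
# Logs the caller cannot read (e.g. Security without admin rights) are skipped by -ErrorAction.
$allEvents = for ($i = 0; $i -lt $logNames.Count; $i += $BatchSize) {
    $end   = [math]::Min($i + $BatchSize, $logNames.Count) - 1
    $batch = @($logNames[$i..$end])
    Get-WinEvent -FilterHashtable @{ LogName = $batch; StartTime = $since } -ErrorAction SilentlyContinue
}

$allEvents |
    Sort-Object -Property TimeCreated -Descending |
    Select-Object -Property TimeCreated, Id, LogName, LevelDisplayName, Message |
    Out-GridView -Title "Recent Events ($Hours hours)"
```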


  3. Franky 106 Reputation points
    2022-10-05T07:24:39.667+00:00

    MotoX

    A really cool and fast script. I think it's better I use this.

