js2010
October 23, 2018, 8:57am
1
This is based on a Scripting Guy blog about finding the latest event logs (Use PowerShell to Query All Event Logs for Recent Events - Scripting Blog). But how can the time of the log entry creation be 5 days more recent than the modification time of the log??
```
$starttime = (get-date).Addhours(-4)
Get-WinEvent -ListLog * -EA silentlycontinue -pv log |
  foreach { get-winevent -filterhashtable @{logname=$_.logname;starttime=$starttime} -ea 0 } |
  Format-Table TimeCreated, ID, ProviderName, @{n='LastWriteTime';e={$log.lastwritetime}} -AutoSize -Wrap
```
```
TimeCreated            Id ProviderName LastWriteTime
-----------            -- ------------ -------------
10/23/2018 9:52:31 AM 916 ESENT        10/18/2018 1:28:15 PM
10/23/2018 9:47:20 AM 916 ESENT        10/18/2018 1:28:15 PM
10/23/2018 9:45:45 AM 916 ESENT        10/18/2018 1:28:15 PM
```
Another weird thing is you can put a wildcard like 'a*' in the logname property of the filterhashtable, but not plain '*'.
The calculated property LastWriteTime has the value of the pipeline variable $log.LastWriteTime, which comes from the output of the Get-WinEvent cmdlet.
Hence it can be like this and will be the same for each LogName.
ta11ow
October 23, 2018, 10:15am
3
Indeed… I would presume that the error comes from having the ‘nested’ pipeline there, and you probably need to have the calculated property reference $_.LastWriteTime instead in order to get the correct value.
js2010
October 23, 2018, 10:43am
4
The lognames from both commands seem to match… It’s true that the 2nd get-winevent spins out multiple log entries per logname. There’s no lastwritetime property in the 2nd version of the command. The two time properties just don’t seem related.
```
$starttime = (get-date).Addhours(-4)
Get-WinEvent -ListLog * -EA silentlycontinue -pv log |
  foreach { get-winevent -filterhashtable @{logname=$_.logname;starttime=$starttime} -ea 0 } |
  Format-Table TimeCreated, ID, ProviderName, @{n='LastWriteTime';e={$log.lastwritetime}},Logname,
    @{n='Logname2';e={$log.logname}} -AutoSize -Wrap
```
```
TimeCreated               Id ProviderName                   LastWriteTime         LogName     Logname2
-----------               -- ------------                   -------------         -------     --------
10/23/2018 12:07:54 PM 16384 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM Application Application
10/23/2018 12:07:23 PM  1003 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM Application Application
10/23/2018 12:07:22 PM  1003 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM Application Application
10/23/2018 11:57:32 AM  8224 VSS                            10/18/2018 1:28:15 PM Application Application
10/23/2018 11:54:31 AM   916 ESENT                          10/18/2018 1:28:15 PM Application Application
10/23/2018 11:54:06 AM  1001 Windows Error Reporting        10/18/2018 1:28:15 PM Application Application
10/23/2018 11:45:00 AM   916 ESENT                          10/18/2018 1:28:15 PM Application Application
10/23/2018 11:20:21 AM   916 ESENT                          10/18/2018 1:28:15 PM Application Application
```
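Added example, not code from any post in this thread: one way to put each log's LastWriteTime next to its newest event without relying on a pipeline variable inside Format-Table, so the gap between the two timestamps is computed per log. The property names NewestEvent and LagHours and the 4-hour window are choices made for this example.

```powershell
# Added example: for every log that has events in the last 4 hours, report
# the newest event's TimeCreated beside the log's own LastWriteTime.
$startTime = (Get-Date).AddHours(-4)

$report = foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
    # Empty logs cannot contain a recent event, so skip the query.
    if (-not $log.RecordCount) { continue }

    # Get-WinEvent returns newest events first unless -Oldest is given,
    # so -MaxEvents 1 is the most recent event in the window.
    $newest = Get-WinEvent -FilterHashtable @{
        LogName   = $log.LogName
        StartTime = $startTime
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # No events in the window (or no read access to the log): nothing to report.
    if (-not $newest) { continue }

    # LastWriteTime is nullable; only compute the gap when it is present.
    $lag = if ($log.LastWriteTime) {
        [math]::Round(($newest.TimeCreated - $log.LastWriteTime).TotalHours, 1)
    } else {
        $null
    }

    # Both values are captured in the same iteration, so they are
    # guaranteed to describe the same log.
    [pscustomobject]@{
        LogName       = $log.LogName
        NewestEvent   = $newest.TimeCreated
        LastWriteTime = $log.LastWriteTime
        LagHours      = $lag
    }
}

# Largest gap first: these are the logs where LastWriteTime is the least
# reliable indicator of recent activity.
$report | Sort-Object LagHours -Descending | Format-Table -AutoSize -Wrap
```

A positive LagHours means the log holds events newer than its reported LastWriteTime, which is the situation shown in the output above.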