Get-EventLog with multiple exclusions

PowerShell Help
1

I’m trying to exclude certain events, some with specific messages. When I exclude Event IDs, it works as expected. When I exclude Event ID with specific Message, it works as expected. But, If I try to exclude a Event IDs and also a Specific Event ID with a Specific Message, it still returns the Event ID & Message I’m trying to exclude…

This Works as expected…

$GetData = {
[PSCustomObject]@{
EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
? { $_.eventID -ne 1300 -and $_.Message -notcontains "*SQLsafe Backup Service version*" } | Select TimeGenerated,Category,EventID,EntryType,Message)}
}

Invoke-Command -ComputerName ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue

THis works as expected…

$GetData = {
[PSCustomObject]@{
EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
? { { $_.eventID -NotMatch '9245|1008' } } | Select TimeGenerated,Category,EventID,EntryType,Message)}
}

Invoke-Command -ComputerName ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue

But this doesn’t…it still returns the 1300 events with the SqlSafe message.

$GetData = {
[PSCustomObject]@{
EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
? { { $_.eventID -NotMatch '9245|1008' } -Or { $_.eventID -Ne 1300 -And $_.Message -notcontains "*SQLsafe Backup Service version*" } } | Select TimeGenerated,Category,EventID,EntryType,Message)}
}

Invoke-Command -ComputerName ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue

What am I doing wrong ?

*I’m using the PSCustomObject as I’ve a few other commands being run on the servers are the same time.

2

It looks fine to me, I do not have the specific message you have but I ran this and it filtered out what I expected it to

get-eventlog -LogName Application | where {{$_.EventID -ne 1704} -or {$_.EventID -ne 1312 -and $_.message -notcontains "*software protection*"}}
3 
PS C:\Windows\system32> 
$GetData = {
[PSCustomObject]@{
EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
? { { $_.eventID -NotMatch '9245|1008' } -Or { $_.eventID -Ne 1300 -And $_.Message -notcontains "*SQLsafe Backup Service version*" } } | Select TimeGenerated,Category,EventID,EntryType,Message)}
}

Invoke-Command -ComputerName $ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue


EventLog                                                                                                                                                                                                          
--------                                                                                                                                                                                                          
{@{TimeGenerated=6/5/2018 9:45:18 AM; Category=Operational; EventID=1300; EntryType=Error; Message=SQLsafe Backup Service version 8.4.2.2: ...
4

Hmmm this does seem odd, the initial validation I did was false positive I think…more digging and the only way I could get it to work was by doing this

get-eventlog -LogName System | where {$_.EventID -notmatch '36871|6013' -or $_.EventID -eq 7036 -and $_.message -notlike "*running state*"}

Which is going off the assumption that

  1. I want no event’s with the eventid’s of 36871 and 6013, or in your case 9245 and 1008
  2. You want event ID’s of 1300 but not the ones that contain the message of “sql safe…”

Is that right?

5

yes it is.