Get-WinEvent and filtering for the message

by surveyor at 2013-05-10 10:03:06

With this little script (it works) I try to filter scheduled tasks (beginning and end) from the event log. Is it possible to filter for messages in the XML filter instead of using Where-Object? I have searched a lot, but there are only a few examples and the official documentation is too confusing for me.


$XMLQuery = @"
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(Level=4 or Level=0) and (EventID=100 or EventID=102)]]</Select>
</Query>
</QueryList>
"@

$Abruf = {
# Switch to an English environment because of a .NET bug. Otherwise no message texts are returned.
$orgCulture = Get-Culture
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"

Get-WinEvent -FilterXml $XMLQuery |
Where-Object { $_.Message -notmatch "\\Microsoft\\" } # |
# Select-Object -First 5

# Because of the .NET bug. See above.
[System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture
}

$a = Get-Date
$Test = . $Abruf
$b = Get-Date

PS: I’m not very happy with the new forum…
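
An added example, not part of the original post: the rendered Message text is not stored in the event XML, so the XML filter can only test structured fields. The sketch below assumes events 100 and 102 carry an EventData field named TaskName; the function name New-TaskEventQuery and the task path \MyBackupTask are hypothetical.

```powershell
# Added example, not code from the original post.
$log = 'Microsoft-Windows-TaskScheduler/Operational'

function New-TaskEventQuery {
    # Hypothetical helper: builds the XML filter, optionally pinned to one task path.
    param([string]$TaskName)

    $xpath = '*[System[(EventID=100 or EventID=102)]]'
    if ($TaskName) {
        # The value is placed inside a single-quoted XPath literal, so reject quotes.
        if ($TaskName.Contains("'")) { throw "TaskName must not contain a single quote." }
        # Exact comparison only: the event log XPath subset has no contains()/starts-with().
        $xpath += " and *[EventData[Data[@Name='TaskName']='$TaskName']]"
    }
    "<QueryList><Query Id=`"0`" Path=`"$log`"><Select Path=`"$log`">$xpath</Select></Query></QueryList>"
}

# 1) Server-side filter: start/finish events of one known task (hypothetical name).
Get-WinEvent -FilterXml (New-TaskEventQuery -TaskName '\MyBackupTask') -ErrorAction SilentlyContinue

# 2) Everything except tasks below \Microsoft\: a prefix test cannot be written in the
#    XML filter, so it runs client-side, but on the TaskName field instead of Message.
#    The field is read from the event XML, not from the localized message text.
Get-WinEvent -FilterXml (New-TaskEventQuery) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $task = ($data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
        if ($task -and $task -notlike '\Microsoft\*') {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                TaskName    = $task
            }
        }
    }
```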