Windows 7 x64 PSVersion 5.1.1.14409.1018 - below runs with no issues
$cmp = 'localhost'
$time = (Get-Date) - (new-timeSpan -day 2)
$events = Get-WinEvent -cn $cmp -FilterHashtable @{ logname = '*'; level = 1, 2, 3, 4; starttime = $time }
Windows 10 x64 PSVersion 5.1.16299.1146 - the above won’t run, I am missing something here -
Get-WinEvent : The data is invalid
At line:7 char:11
+ $events = Get-WinEvent -cn $cmp -FilterHashtable @{ logname = '*'; le ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
+ FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand
It appears the filtering can no longer deal with the logname='*'
Appreciate any pointers
Yup, it doesn’t accept * in Win 7
I have knocked this together - it seems to be doing the trick - I’ll refine and push on - cheers
$cmp = 'localhost'
$time = (Get-Date) - (new-timeSpan -hour 1)
$Events=Get-WinEvent -filterhashtable @{Logname = ($LogName=(Get-WinEvent -ListLog * -ComputerName $cmp| where {$_.recordcount -gt 0} | Select-Object -ExpandProperty LogName)); starttime = $time}
$Events | select-object -property TimeCreated, Providername, LogName, ID, Message | Sort-Object -Property TimeCreated -Descending | Export-Csv "c:\temp$cmp.csv"
Just posting what I am now using on W10-1709 - seems to work well and plenty of scope to refine the details returned
# $cmp is carried over from the earlier snippet
$cmp = 'localhost'
$time = (Get-Date) - (new-timeSpan -hour 5)
$EventLogNames = (Get-WinEvent -ListLog * -ComputerName $cmp | where { $_.recordcount -gt 0 } | select-object -ExpandProperty LogName)
Get-WinEvent -FilterHashtable @{ LogName = $EventLogNames; starttime = $time } -ComputerName $cmp |
select-object -property TimeCreated, Providername, LogName, ID, @{ n = "Error Level"; e = { switch ($_.level) { "1"{ "Critical" } "2"{ "Error" } "3"{ "Warning" } "4"{ "Information" } } } }, @{ n = "Message"; e = { ($_.message).trim() } } |
Sort-Object -Property TimeCreated -Descending
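
A per-log variant of the approach in this thread, as an added example that is not part of any of the posts above: it queries each non-empty log separately, so one unreadable log (for example Security without elevation) or the Event Log API's 256-log limit on a single query does not abort the whole collection. The variable names, the `$skipped` list and the two-day window are assumptions chosen for illustration.

```powershell
# Added example, not code from the thread.
$cmp   = 'localhost'
$start = (Get-Date).AddDays(-2)
$levelName = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information' }

# Enumerate logs that actually hold records; logs that cannot be listed are ignored.
$logs = Get-WinEvent -ListLog * -ComputerName $cmp -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 }

# Collect per-log failures instead of letting them terminate the run.
$skipped = [System.Collections.Generic.List[string]]::new()

$events = foreach ($log in $logs) {
    try {
        # One query per log. Level 1-4 as in the original post;
        # events written at level 0 (LogAlways) are not matched by this filter.
        Get-WinEvent -ComputerName $cmp -ErrorAction Stop -FilterHashtable @{
            LogName   = $log.LogName
            Level     = 1, 2, 3, 4
            StartTime = $start
        }
    }
    catch {
        # A log with nothing in the time window raises NoMatchingEventsFound;
        # that is expected. Anything else (access denied, invalid data) is recorded.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $skipped.Add("$($log.LogName): $($_.Exception.Message)")
        }
    }
}

# Same projection as the last post, with the level mapped through a lookup table.
$report = $events |
    Select-Object TimeCreated, ProviderName, LogName, Id,
        @{ n = 'Error Level'; e = { $levelName[[int]$_.Level] } },
        @{ n = 'Message';     e = { if ($_.Message) { $_.Message.Trim() } } } |
    Sort-Object TimeCreated -Descending

$report
# Surface the logs that could not be read so gaps in coverage are visible.
$skipped | ForEach-Object { Write-Warning "Skipped $_" }
```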