Hello,
On Comp1 I have ForwardedEvents grabbed from remote Comp2.
Get-WinEvent -computername Comp2 -FilterHashtable @{logname='Security';id=4776}
Get-WinEvent -FilterHashtable @{logname='ForwardedEvents';id=4776}
So, these two lines of code return the same event record (one from the remote machine Comp2 and one from the ForwardedEvents logname on the local machine Comp1).
But if I need to get all the “Audit Failure” events from the remote host, I use:
Get-WinEvent -ComputerName Comp2 -FilterHashtable @{LogName='Security';Keywords=4503599627370496}
If I use the same approach for the local ForwardedEvents logname, I get an error:
PS C:\> Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370496}
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';Keywords=4503599627370 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
My question is: is there a way to filter the ForwardedEvents logname with FilterHashtable and the Keywords parameter to get “Audit Failure” events?
P.S. Yes, I’m still able to use “Invoke-command -computername” and “get-winevent -computername”, but both of these take longer to return results, and in my experience using FilterHashtable returns results faster.
Thanks,