Here is the situation, when I try to query more than one event, I get no results, yet I know that there are matching events.
invoke-command -cn ( Get-ADComputer -filter * -searchBase "ou=Domain Controllers,dc=Domain,dc=corp" | Select-Object -expand Name ) -scriptblock { Get-WinEvent -FilterHashtable @{Path="C:\windows\system32\winevt\Logs\*Security*";id= 4720,4738,4722;StartTime="6/04/2018";EndTime="6/08/2018"} | Export-CSV c:\Users\admin\Desktop\resultJC.csv}
Is there an issue with the FilterHashtable? I cannot really set a variable with the event ID’s as I am using invoke-command so the variable would not pass to the remote servers.
If I run one ID at a time, it works fine. If I try more than one, I get the error that there are no matching events. Would appreciate any ideas on an efficient way to do this. I have 12 DC’s and I want to query all the archives with one shot, not have to run each Event ID individually.
Thanks