Winevent combining 2 searches

I’m trying to combine 2 log searches and produce one output. I have two scripts that work. The first finds all levels for a specified time frame and produces a .csv file.

$StartDate = Get-Date (Read-Host -Prompt 'Enter the start date of the logs. EX: 1/1/2022')
$EndDate = Get-Date (Read-Host -Prompt 'Enter the Last day of the deployment, EX: 6/26/2022')
Get-WinEvent -FilterHashtable @{
    Path  = '*.evtx'
    Level = 1, 2, 3
} |
Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -lt $EndDate } |
Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message |
Export-Csv -Path logs.csv -NoTypeInformation

This script finds specific event IDs and produces a csv file.

$StartDate = Get-Date (Read-Host -Prompt 'Enter the start date of the logs. EX: 1/1/2022')
$EndDate = Get-Date (Read-Host -Prompt 'Enter the Last day of the deployment, EX: 6/26/2022')
Get-WinEvent -FilterHashtable @{
    Path = '*.evtx'
    ID   = 4720, 4723, 4724, 4722, 4725, 4726, 4738, 4740, 2003, 2004, 2006
} |
Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -lt $EndDate } |
Select-Object TimeCreated, ID, LogName, ProviderName, LevelDisplayName, Message |
Export-Csv -Path logsID.csv -NoTypeInformation

I can’t figure out how to combine the two and produce one output. Any help would be appreciated.

Dan

Dan,
Welcome to the forum.

Since we cannot see or use your environment, could you please share some (sanitized) sample output your queries produce? (Formatted as code as well, please.)

And just as a hint: you can specify the start time and end time already in your filter hash table.

I modified the code to combine them by adding another Get-WinEvent statement:

$StartDate = Get-Date (Read-Host -Prompt 'Enter the start date of the logs. EX: 1/1/2022')
$EndDate = Get-Date (Read-Host -Prompt 'Enter the Last day of the deployment, EX: 6/26/2022')
Get-WinEvent -FilterHashtable @{
    Path  = '*.evtx'
    Level = 1, 2, 3
} |
Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -lt $EndDate } |
Select-Object TimeCreated, ID, LogName, ProviderName, LevelDisplayName, Message |
Export-Csv -Path logs.csv -NoTypeInformation

Get-WinEvent -FilterHashtable @{
    Path = '*.evtx'
    ID   = 4720, 4723, 4724, 4722, 4725, 4726, 4738, 4740, 2003, 2004, 2006
} |
Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -lt $EndDate } |
Select-Object TimeCreated, ID, LogName, ProviderName, LevelDisplayName, Message |
Export-Csv -Path logsIDs.csv -NoTypeInformation

It works, but I still have two outputs. Log level sample:

TimeCreated	Id	LogName	ProviderName	LevelDisplayName	Message
8/10/2022 10:15	1	Application	nview	Error	failed to update data. try again...
8/10/2022 10:15	1	Application	nview	Error	Failed to update display data in shared memory. Continue with stale data.
8/10/2022 10:14	1	Application	nview	Error	failed to update data. try again...
8/10/2022 10:14	1	Application	nview	Error	Failed to update display data in shared memory. Continue with stale data.
8/10/2022 10:13	1	Application	nview	Error	failed to update data. try again...
8/10/2022 10:13	1	Application	nview	Error	Failed to update display data in shared memory. Continue with stale data.
8/10/2022 10:12	1	Application	nview	Error	failed to update data. try again...
8/10/2022 10:12	1	Application	nview	Error	Failed to update display data in shared memory. Continue with stale data.

This is the event ID sample:

TimeCreated	Id	LogName	ProviderName	LevelDisplayName	Message
1/24/2022 10:24	4724	Security	Microsoft-Windows-Security-Auditing	Information	"An attempt was made to reset an account's password.

Subject:
	Security ID:		S-1-5-21-2160743961-3474337173-3583510228-1009
	Account Name:		ADMINNAME
	Account Domain:		SYSTEM NAME
	Logon ID:		0xE283E

Target Account:
	Security ID:		S-1-5-21-2160743961-3474337173-3583510228-1013
	Account Name:		USERNAME
	Account Domain:		SYSTEM NAME"

I’m asking for the start and end time because the systems go out and I’m only interested in the logs generated during the time away, not so much for before and after. If there is a way to automagically capture those logs, I’m interested.

Dan

Actually, I expected some CSV data.

This is not helpful at all.

Anyway, I don’t know why you’re overcomplicating this that much. You don’t need two separate queries.

$StartTime = (Get-Date).Date.AddMonths(-1)
$EndTime   = (Get-Date).Date

Get-WinEvent -FilterHashTable @{
    Path      = '*.evtx'
    Level     = 1, 2, 3
    ID        = 4720,4723, 4724, 4722, 4725, 4726, 4738, 4740, 2003, 2004, 2006
    StartTime = $StartTime
    EndTime   = $EndTime
} |
Select-Object -Property TimeCreated, ID, LogName, ProviderName, LevelDisplayName, Message |
Export-CSV -Path '.\logsIDs.csv' -NoTypeInformation
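An added example, not code from the thread, that writes both searches to a single CSV. The keys of one -FilterHashtable are combined with AND, so Level and ID in the same hash table return only events that satisfy both conditions, whereas running the two filters separately and merging their results gives the union that the two original scripts produce. It assumes the exported .evtx files sit in the current directory, as in the thread, and writes to combined.csv.

```powershell
# Added example (not from the thread): one CSV from both searches.
# Get-WinEvent ANDs the keys of a single -FilterHashtable, so a table holding
# both Level and ID keeps only events matching both; running the two filters
# separately and merging gives the union of the two original scripts.
$StartTime = Get-Date (Read-Host -Prompt 'Enter the start date of the logs. EX: 1/1/2022')
$EndTime   = Get-Date (Read-Host -Prompt 'Enter the last day of the deployment. EX: 6/26/2022')

$evtxPath = '*.evtx'   # assumption: exported .evtx files in the current directory
$ids      = 4720, 4723, 4724, 4722, 4725, 4726, 4738, 4740, 2003, 2004, 2006

# Time bounds go into the hash table so the event log API does the filtering
# instead of Where-Object reading every record first
$filters = @(
    @{ Path = $evtxPath; Level = 1, 2, 3; StartTime = $StartTime; EndTime = $EndTime }
    @{ Path = $evtxPath; ID    = $ids;    StartTime = $StartTime; EndTime = $EndTime }
)

$events = foreach ($filter in $filters) {
    # A filter that matches nothing raises a non-terminating error per file;
    # that is expected here, so it is silenced rather than stopping the run
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$events |
    # An event that is both Level 1-3 and in the ID list comes back from both
    # filters. ContainerLog (the source file) plus RecordId identifies a record
    # uniquely, so sort on that pair with -Unique to keep a single copy.
    Sort-Object -Property ContainerLog, RecordId -Unique |
    Sort-Object -Property TimeCreated -Descending |
    Select-Object -Property TimeCreated, Id, LogName, ProviderName, LevelDisplayName, Message |
    Export-Csv -Path '.\combined.csv' -NoTypeInformation
```

Because the Security log's account-management events (4720 to 4740) are written at the Information level, the ID filter is what brings them into the output; the Level filter on its own would not.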

Probably because that is the way I am; I over-build pretty much everything. The way I was looking at the script, the first statement, Level = 1, 2, 3, would filter the logs to only provide those levels, and the second statement would filter those results to show the event IDs. In all of the documentation I looked at, none showed using statements like that. I will give it a go. Thank you for the prompt responses.

Dan

Hmmm, so you like to be standing in your own way?! Well … keep trying to work with the KISS principle.