When I try to run this script:

$Filename = ""U:\logfile_analysis\raw_data\SavedSecurity.evtx""
$EventIDsLogon.ToString() = "4624"
$EventIDsLogoff.ToString() = "4647"
$EventIDsLogonFailure.ToString() = "4625"
$EventIDsLockScreen.ToString() = "4800"
$EventIDsUnlockScreen.ToString() = "4801"
$EventIDstemp = $EventIDsLogon, $EventIDsLogoff, $EventIDsLogonFailure, $EventIDsLockScreen, $EventIDsUnlockScreen -join ","
$EventIDsSummary = $EventIDstemp.Trim()
#Write-Host $EventIDsSummary
Write-Host "Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}"
pause
Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}

and look at the output from

Write-host "Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}"

the output is:

Get-WinEvent -FilterHashtable @{Path='U:\logfile_analysis\raw_data\SavedSecurity.evtx'; ID=4624,4647,4625,4800,4801}

When I copy the output from Write-Host to a PowerShell console it works:

PS> Get-WinEvent -FilterHashtable @{Path='U:\logfile_analysis\raw_data\SavedSecurity.evtx'; ID=4624,4647,4625,4800,4801}


    ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    04.12.2017 13:56:56           4624 Informationen    Ein Konto wurde erfolgreich angemeldet...
    04.12.2017 13:56:56           4647 Informationen    Benutzerinitiierte Abmeldung:...
    04.12.2017 13:56:48           4801 Informationen    Die Arbeitsstation wurde entsperrt...
    04.12.2017 13:56:48           4624 Informationen    Ein Konto wurde erfolgreich angemeldet...
    04.12.2017 13:56:48           4624 Informationen    Ein Konto wurde erfolgreich angemeldet...
******** truncated ****

But:

Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}

did not work.

Error Message is:

Get-WinEvent : Cannot find path 'U:\logfile_analysis\$Filename' because it does not exist.

I tried to add "" at @{Path="$Filename"}... I tried to add '' at @{Path='$Filename'}... I tried to manipulate the $Filename variable and add ""; the variable $Filename looks like

$Filename = '"U:\logfile_analysis\raw_data\SavedSecurity.evtx"'
$Filename = ""U:\logfile_analysis\raw_data\SavedSecurity.evtx""
$Filename = "'U:\logfile_analysis\raw_data\SavedSecurity.evtx'"

No success.

A deeper look shows the problem: @{Path='$Filename'}. The path must be within two "", how can I add them so that the script works?

As easy as $Filename="U:\logfile_analysis\raw_data\SavedSecurity.evtx" ; Get-WinEvent -FilterHashtable @{Path=$Filename; ID=$EventIDsSummary} - Loïc MICHEL
In addition to what Michel said, you need to make the value of the key ID an actual array, not a comma-delimited string: $EventIDsSummary = 4624, 4647, 4625, 4800, 4801. Also, $var.ToString() = "..." can't possibly work and should have given you a "cannot call a method on a null-valued expression" error. - Ansgar Wiechers
Thanks for the hints. I cannot get it running when creating an array $EventIDstemp=@($EventIDsLogon, $EventIDsLogoff, $EventIDsLogonFailure, $EventIDsLockScreen, $EventIDsUnlockScreen -join ",") and run Get-WinEvent -FilterHashtable @{Path=$Filename; ID=$EventsIDstemp}. No idea why. echo $EventIDstemp gives 4624,4647,4625,4800,4801. Error message is: Get-WinEvent : A null value was encountered in the ID hash table key. Null values are not permitted. - Peter Core

1 Answer

Thanks for your hints @Loïc MICHEL and @Ansgar Wiechers. I think I solved it with the following code:

$Filename="c:\temp"
$EventIDsLogon="4624"
$EventIDsLogoff="4647"
$EventIDsLogonFailure="4625"
$EventIDsLockScreen="4800"
$EventIDsUnlockScreen="4801"
# Array of IDs (not a comma-joined string), passed unquoted into the hashtable
$EventIDstemp=@($EventIDsLogon,$EventIDsLogoff,$EventIDsLogonFailure,$EventIDsLockScreen, $EventIDsUnlockScreen)
echo $Filename
echo $EventIDstemp
Get-WinEvent -FilterHashtable @{Path=$Filename; ID=$EventIDstemp}
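The two points raised in the question and the comments (the path variable must appear unquoted in the hashtable, because '$Filename' in single quotes is the literal text $Filename, and the ID key must be an array rather than a comma-joined string) can be combined into a script that also validates its input and produces a useful logon summary from the saved log. This is an added example, not the asker's or the answerer's code; the path U:\logfile_analysis\raw_data\SavedSecurity.evtx and the event IDs are taken from the question, and the column names pulled from the event XML (TargetUserName, TargetDomainName, LogonType, IpAddress) are the standard fields of events 4624 and 4625.

```powershell
# Added example, not code from the original question or answer.
# Path and event IDs are the ones the question uses; adjust as needed.
$Filename = 'U:\logfile_analysis\raw_data\SavedSecurity.evtx'   # no extra "" or '' around the value

# Event IDs of interest as an integer array, not a comma-joined string
$EventIDs = [int[]](4624, 4647, 4625, 4800, 4801)

# Fail early with a clear message instead of Get-WinEvent's "Cannot find path";
# a relative or unexpanded path would otherwise be resolved against the current directory.
if (-not (Test-Path -LiteralPath $Filename -PathType Leaf)) {
    throw "Saved event log not found: $Filename"
}

# Hashtable values are ordinary expressions: $Filename expands to the string it
# holds and $EventIDs is passed as an array. Writing Path='$Filename' would pass
# the literal characters $Filename, which is exactly the error in the question.
$Filter = @{ Path = $Filename; ID = $EventIDs }

$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop

# Quick distribution of the selected event IDs in the saved log
$Events | Group-Object Id | Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# Logon successes (4624) and failures (4625) with the account, logon type and
# source address taken from the event's EventData section
$Events | Where-Object { $_.Id -in 4624, 4625 } | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = $data['LogonType']
        IpAddress   = $data['IpAddress']
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

Test-Path is checked before the query so that a missing or mistyped path surfaces as a readable error instead of the "Cannot find path 'U:\logfile_analysis\$Filename'" message seen in the question, and -ErrorAction Stop turns an empty result set into a terminating error rather than a warning that is easy to miss in a larger script.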