check Windows Event Logs

  • Question

  • Hi, could you help me with a script? I need to get event log entries for today only. I tried this:

     get-winevent -logname "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -After ([datetime]::Today)| where {$_.eventID -eq 1149} | Sort-Object index -Descending | select -first 1 

    but I get the error: Get-WinEvent : A parameter cannot be found that matches parameter name 'After'.

    Please could you help me, thank you.

    Wednesday, September 18, 2019 12:19 PM

Answers

  • Hi Mooner09, you can use the code below to get the desired output (Select-Object with calculated properties):

    $filter = @{
        Logname   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        StartTime = [datetime]::Today      # local midnight, so only today's events are returned
        ID        = 21, 23, 24, 25         # session logon / logoff / disconnect / reconnect
    }
    # User, session ID and address are not top-level properties of the event record;
    # they are the EventData values, held in template order in $_.Properties.
    $events = get-winevent -FilterHashtable $filter | Select-Object TimeCreated,
    @{Name = "User" ; Expression = { $_.Properties.value[0] } },
    @{Name = "Session ID" ; Expression = { $_.Properties.value[1] } },
    @{Name = "Source Network Address:"; Expression = { $_.Properties.value[2] } }
    Write-Output  $events | Format-Table -AutoSize

    • Marked as answer by Mooner09 Friday, October 4, 2019 9:26 PM
    Friday, October 4, 2019 9:28 AM
  • Hi Imran_Khan,

    I did like that and it's working,  thank you very much Imran_Khan

    $filter = @{
        Logname   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        StartTime = [datetime]::Today
        ID        = 21, 23, 24, 25
    }
    $events = get-winevent -FilterHashtable $filter | Select-Object TimeCreated,
    @{Name = "User" ; Expression = { $_.Properties.value[0] } },
    @{Name = "Session ID" ; Expression = { $_.Properties.value[1] } },
    @{Name = "Source Network Address:"; Expression = { $_.Properties.value[2] } }
    Write-Output  $events | Format-Table -AutoSize



    • Edited by Mooner09 Friday, October 4, 2019 9:26 PM
    • Marked as answer by Mooner09 Friday, October 4, 2019 9:26 PM
    Friday, October 4, 2019 9:25 PM

All replies

  • When are you newbies going to learn to always read the help before asking a question. Almost everything you typed was wrong and the help would have shown you that.

    $filter = @{
    	Logname = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    	ID = 1149 
    }
    get-winevent -FilterHashtable $filter -MaxEvents 1
    This will always return the newest event that matches the filter.


    \_(ツ)_/


    • Edited by jrv Wednesday, September 18, 2019 12:41 PM
    Wednesday, September 18, 2019 12:40 PM
  • Hi,

    the error says that there is an issue with the parameter "-After". I just checked and couldn't find such a parameter for the "Get-WinEvent" cmdlet:

    Get-WinEvent

    This parameter is available with "Get-EventLog":

    Get-EventLog

    Please try using "Get-EventLog" and see how it goes. The following works (tested):

    Get-EventLog -Logname "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -After ([datetime]::Today) | where {$_.eventID -eq 1149} | Sort-Object index -Descending | select -first 1 


    Hope I could help. 

    Regards, 


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov



    Wednesday, September 18, 2019 12:40 PM
  • Get-Eventlog cannot correctly query the new event log format and structure.  That is the reason for the new command.  The old command should not be used on any current version of Windows. It has been left in the system for pre-Vista systems and compatibility with old scripts.


    \_(ツ)_/

    Wednesday, September 18, 2019 12:45 PM
  • Proof that Get-Eventlog doesn't work:

    PS C:\scripts> Get-Eventlog 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Get-Eventlog : The event log 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' on computer '.' does not exist.
    At line:1 char:1
    + Get-Eventlog 'Microsoft-Windows-TerminalServices-RemoteConnectionMana ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-EventLog], InvalidOperationException
        + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetEventLogCommand
    


    \_(ツ)_/

    Wednesday, September 18, 2019 12:47 PM
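    The error above has a concrete cause that is worth checking rather than guessing at: Get-EventLog only enumerates the classic logs (Application, Security, System and similar), while the TerminalServices channels belong to the "Applications and Services" logs that are reachable only through Get-WinEvent or wevtutil. The function below is an added example, not code from this thread, that shows the same log name through both cmdlets side by side and, for the modern channel, reports whether it is enabled and how much it retains. The function name Test-EventChannel is an invented one; the cmdlets, parameters and property names (Get-EventLog -List, Get-WinEvent -ListLog, IsEnabled, RecordCount, LogMode, MaximumSizeInBytes) are the standard ones.

```powershell
# Added example, not code from the thread. Shows why Get-EventLog fails on the
# TerminalServices channels: it only sees the classic logs, while the
# "Applications and Services" channels introduced with Vista are exposed only
# through Get-WinEvent (and wevtutil). It also reports whether the channel is
# enabled and how much it retains, which matters before relying on it for
# RDP forensics: these operational channels are circular and small by default.
function Test-EventChannel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $LogName
    )

    # Classic logs only (Application, Security, System, ...): the API Get-EventLog uses.
    $classic = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }

    # Modern channels: Get-WinEvent -ListLog returns an EventLogConfiguration object.
    # An unknown name produces a non-terminating error, silenced here so the check
    # can report "not present" instead of stopping.
    $modern = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue

    $isEnabled = $null; $records = $null; $mode = $null; $maxMB = $null
    if ($modern) {
        $isEnabled = $modern.IsEnabled
        $records   = $modern.RecordCount
        $mode      = $modern.LogMode        # Circular logs overwrite the oldest events
        $maxMB     = [math]::Round($modern.MaximumSizeInBytes / 1MB, 1)
    }

    [pscustomobject]@{
        LogName           = $LogName
        VisibleToEventLog = [bool]$classic   # what Get-EventLog can query
        VisibleToWinEvent = [bool]$modern    # what Get-WinEvent can query
        IsEnabled         = $isEnabled
        RecordCount       = $records
        LogMode           = $mode
        MaxSizeMB         = $maxMB
    }
}

# The two TerminalServices channels from the thread next to a classic log for contrast.
'System',
'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' |
    ForEach-Object { Test-EventChannel -LogName $_ } |
    Format-Table -AutoSize
```

    On a typical host the System row shows True in both Visible columns while the two TerminalServices rows show False for VisibleToEventLog and True for VisibleToWinEvent, which is exactly the split behind the "does not exist" error. The IsEnabled and MaxSizeMB columns are the practitioner's check: a disabled channel, or one that has wrapped because its maximum size is small, means the RDP history being queried later in this thread is simply not there to find.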
  • It doesn't work; I get the next error: Get-EventLog : The event log 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' on computer '.' does not exist.

    but if I use this script:

    get-winevent -FilterHashTable @{ logname = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; ID = 1149} | Format-List -Property TimeCreated,Message

    I get the event log entries, but all of them, and I need only one day's worth

    thank you

    Wednesday, September 18, 2019 12:50 PM
  • Hi,

    thanks for clarifying this. Oddly enough it worked perfectly fine while testing it. I did notice, indeed, that it is listed under PowerShell 5.1.

    Thanks and Regards,



    Wednesday, September 18, 2019 12:50 PM
  • Why is it that you guys can't read.  The help for the CmdLet will solve all of your problems.  Don't be lazy. Learn how to read.

    $filter = @{
    	Logname = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    	StartTime = [datetime]::Today
    	ID = 1149 
    }
    get-winevent -FilterHashtable $filter


    \_(ツ)_/


    • Edited by jrv Wednesday, September 18, 2019 12:53 PM
    Wednesday, September 18, 2019 12:52 PM
  • Hmm,

    why does it work on my Win10 Client? Any ideas?

    Because of the version?




    Wednesday, September 18, 2019 12:53 PM
  • That is not the log that was asked for.  You need to learn how the event logging system works.  The system log does not have the information asked for so your result is bogus.

    Stop wasting time with bad guesses and learn how the system works.  It will save you a lot of wasted time.


    \_(ツ)_/

    Wednesday, September 18, 2019 12:56 PM
  • yes it's working 

    but how can I see TimeCreated and Message (IP and username)?

    thank you

    Wednesday, September 18, 2019 1:07 PM
    Hi jrv,

    "That is not the log that was asked for." That is true for sure.

    "You need to learn how the event logging system works." Thanks for the kind advice. I need to learn a LOT of things in my life, and that is why I asked you, the guy who can help me get to the answer, about the particular reason.

    "The system log does not have the information asked for so your result is bogus." Thanks for clarifying this.

    "Stop wasting time with bad guesses and learn how the system works.  It will save you a lot of wasted time." No guesses here, it was just a simple question to a person who seems to know more than me on this one.



    Wednesday, September 18, 2019 1:07 PM
  • help select-object -online

    \_(ツ)_/

    Wednesday, September 18, 2019 1:08 PM
  • I am just trying to tell you that the help system was built to answer the questions you are asking.  If you want to be a tech then you must learn this and you must learn the event logging system.   I didn't invent that.  It is fundamental to all who want to be computer techs.  It is not an option.

    All techs must spend time learning the system and keeping up with changes. You cannot do that by asking random questions.  Computer systems are based on engineering and you must learn the engineering to be a tech.  Admins and desktop support can get away with knowing nothing as long as they can use the GUI tools and have a higher level of support to call when stuck.  User admins and desktop support are not techs and do not need to know how to use command line tools.  To use command line tools you need to understand the engineering that goes into a computer system and you need to know how to use the documentation.


    \_(ツ)_/

    Wednesday, September 18, 2019 1:15 PM
  • How can I get this information? Please help me.

    

    Wednesday, September 18, 2019 1:26 PM
  • help format-list -online


    \_(ツ)_/

    Wednesday, September 18, 2019 1:38 PM
  • thank you

    $filter = @{
    Logname = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    StartTime = [datetime]::Today
    ID = 21, 23, 24, 25
    }
    get-winevent -FilterHashtable $filter | Select TimeCreated, User, Address

    I did not see any information about users and IP addresses. Could you help me with what's wrong?


    Wednesday, September 18, 2019 2:18 PM
  • Those are part of the properties of the event stored in the "Properties" collection. They are not available directly.

    I recommend searching for articles on how to use the new event log results and how to get those properties.  There are a couple of ways.  I don't have the time to teach you how to do this.  You will have to research it on your own.


    \_(ツ)_/

    Wednesday, September 18, 2019 2:22 PM
  • Maybe because "Source" isn't a property?

    https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/

    Try exporting your events to XML and examining the resulting file to see what you're actually working with.

    Alternatively, use Get-Member to examine the objects returned from your query.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)


    Wednesday, September 18, 2019 2:33 PM
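    The accepted answer at the top of this page reads the user, session ID and address by position from $_.Properties, and Rich's reply above suggests looking at the event XML to see what the fields actually are. The following is an added example, not code from this thread, that combines the two: it queries both TerminalServices channels for one day and reads each field out of the event XML by name, so a column cannot silently land on the wrong value if a template puts the fields in a different order. Assumptions not stated in the thread: event 1149 carries its user, domain and source address as Param1, Param2 and Param3, and events 21/23/24/25 carry User, SessionID and Address, all under <UserData><EventXML> as on Windows 10 and Server 2016 and later; the function name Get-RdpEventsToday is invented for the example.

```powershell
# Added example, not code from the thread. Pulls one day of RDP events from both
# TerminalServices channels and reads each field from the event XML by NAME, so a
# column cannot silently receive the wrong value the way a positional
# $_.Properties.value[n] lookup can when a template differs from the one assumed.
# Assumption (element names are not stated in the thread): 1149 carries
# Param1/Param2/Param3 = user/domain/source address, and 21/23/24/25 carry
# User/SessionID/Address, under <UserData><EventXML>, as on Windows 10 / Server 2016+.
function Get-RdpEventsToday {
    [CmdletBinding()]
    param(
        [datetime] $StartTime = [datetime]::Today,            # local midnight
        [datetime] $EndTime   = [datetime]::Today.AddDays(1)  # bounds the window to one day
    )

    $queries = @(
        # RemoteConnectionManager 1149: connection accepted (user, domain, source address)
        @{ LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
           ID        = 1149
           StartTime = $StartTime; EndTime = $EndTime }
        # LocalSessionManager 21 logon, 23 logoff, 24 disconnect, 25 reconnect
        @{ LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
           ID        = 21, 23, 24, 25
           StartTime = $StartTime; EndTime = $EndTime }
    )

    foreach ($q in $queries) {
        # An empty window makes Get-WinEvent write "No events were found" as a
        # non-terminating error; for a daily report that is not a failure.
        $events = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $raw  = $e.ToXml()
            $data = ([xml]$raw).Event.UserData.EventXML

            if ($e.Id -eq 1149) {
                $user    = if ($data.Param2) { "$($data.Param2)\$($data.Param1)" } else { $data.Param1 }
                $session = $null
                $address = $data.Param3
            } else {
                $user    = $data.User
                $session = $data.SessionID
                $address = $data.Address   # not present on 23 (logoff): stays $null
            }

            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Channel     = $e.LogName -replace '^Microsoft-Windows-TerminalServices-', ''
                User        = $user
                SessionID   = $session
                Address     = $address
                Xml         = $raw    # kept so a template mismatch can be inspected
            }
        }
    }
}

$today = Get-RdpEventsToday | Sort-Object TimeCreated -Descending

# Newest event of the day (what the original question asked for), then the whole day
$today | Select-Object -First 1 TimeCreated, Id, User, Address
$today | Select-Object TimeCreated, Id, Channel, User, SessionID, Address | Format-Table -AutoSize

# One line per remote address: how many events and which accounts it touched today
$today | Where-Object Address | Group-Object Address |
    Select-Object Name, Count, @{ Name = 'Users'; Expression = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
```

    Two caveats for anyone using this as an RDP audit. Event 23 has no Address field, so logoffs show an empty column rather than an error, and sessions started from the console show an Address of LOCAL. And despite its message text, 1149 on the RemoteConnectionManager channel is commonly noted in DFIR write-ups (including the one linked above) as recording that a connection was accepted rather than that an interactive logon completed; when Network Level Authentication is disabled it can fire for connections that never authenticate, so 21 on the LocalSessionManager channel is the stronger signal that a session was actually established.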
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Thursday, October 3, 2019 3:01 AM
  • $filter = @{
    Logname = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    StartTime = [datetime]::Today
    ID = 21, 23, 24, 25
    }
    get-winevent -FilterHashtable $filter | Select TimeCreated, Message | fl

    Thursday, October 3, 2019 12:04 PM