none
Subscription based Audit of Domain Servers "invalid Data (13)" in some Custom Views RRS feed

  • Question

  • Hello everyone,

    i hope i picked the right Forum for my issue.

    Im running a Win Server 2016 thats acting as our central log server. WinRM and Subscriptions are configured and i get the events forwarded into my ForwardedEvents log. Now on some of my custom Views (only on some and only if i filter for Eventdata)

    So when i use powershell to query the eventlog everything works as expected.

    Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[(EventID=5136)]]" -MaxEvents 1 | Format-List -Property *

    The command shows me all the 5136 logs in the Forwarded Events log.

    When i change the query to this:

    Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[(EventID=5136)]] and *[EventData[Data[@Name='ObjectClass'] and (Data='user')]]" -MaxEvents 1 | Format-List -Property *

    i get like 200 error messages that read

    Get-WinEvent : The data is invalid
    At line:1 char:1
    + Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[(EventID ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
        + FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand

    and the very last error reads:

    Get-WinEvent : No events were found that match the specified selection criteria.
    At line:1 char:1
    + Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[(EventID ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

    but there are events with the objectclass "user" in the log. i can view them perfectly fine in the eventviewer gui (But also not able to filter for them in the GUI).

    To make things even more strange when i change the Data='user' part to Data='dnsNode' the filter works perfectly fine.

    Hope anybody has some suggestions what could cause this.

    Thursday, September 17, 2020 1:04 PM

All replies

  • UNfortunately this is not the right forum.. This is for Sysinternals tool only.

    Microsoft is moving the forum to the site Microsfot Q&A:
    windows-server-2016 - Microsoft Q&A

    ANyway, did you try this way??:

    *[System[(EventID=5136)]] and *[EventData[Data[@Name='ObjectClass']='user']]"

    HTH

    -mario

    Thursday, September 17, 2020 1:47 PM
  • Hello mario,

    thx for the quick answer. I will ask the guys at the Q&A Forum too thx for pointing this out.

    Sadly the query gives me the same error as i got before.

    Friday, September 18, 2020 6:56 AM