Sysmon EventID 10 - problem

  • Question

  • Hello

    I have a problem with parsing EventLogs. I wrote a script which you can see below. The problem is the fact that the first function Get-CallTrace returns lines with values but the second function doesn't (it returns empty lines). Of course, if I change the order of the functions the situation is the same. Can you help me and point out what is wrong?

    # Sysmon ID 10 (ProcessAccess): properties[5] is SourceImage in the default schema
    Function Get-SourceImage
        {
        Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';id=10} | Select-Object -Property @{n='SourceImage';e={$_.properties[5].value}}
        }
    
    # properties[10] is CallTrace in the same schema
    Function Get-CallTrace
        {
        Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';id=10} | Select-Object -Property @{n='CallTrace';e={$_.properties[10].value}}
        }
    
    
    # Both calls write to the same output stream
    Get-CallTrace
    Get-SourceImage

    Saturday, July 11, 2020 1:45 PM

All replies

  • Try piping the results of each function call to Format-Table.

    You're sending objects with different property names in them to the default output stream and only one of them (the first one) gets to define the properties that are displayed by the default formatting.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    • Proposed as answer by Ian Xue Monday, July 13, 2020 2:01 AM
    Saturday, July 11, 2020 2:56 PM
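    A worked version of the reply above, added here as an example; it is not code from the thread or from Sysinternals. Show-FormattingPitfall reproduces the blank-row symptom with constructed objects (the paths in it are made up), and Get-SysmonProcessAccess is one way to avoid it altogether: emit a single object shape per event, with every field of interest on it, and look fields up by name in the event XML instead of by position, so the code keeps working if the Sysmon schema gains or loses a field (RuleName, for example) between versions. Function and parameter names are my own; reading the Sysmon log normally requires an elevated shell.

```powershell
# Added example, not from the original thread. Assumes Sysmon is installed and the
# shell is elevated (the Sysmon operational log is restricted to administrators).

# 1. The pitfall from the question, reproduced with constructed objects.
#    The first object to reach Out-Default fixes the table columns; an object
#    with a different property set then prints as a row of blanks.
function Show-FormattingPitfall {
    [pscustomobject]@{ CallTrace   = 'C:\Windows\SYSTEM32\ntdll.dll+9d0a4' }   # constructed
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\svchost.exe' }       # constructed
}

# 2. One object per Sysmon ProcessAccess (ID 10) event. Fields are resolved by
#    name from the EventData XML, not by properties[n] index, so a schema change
#    (e.g. the presence or absence of RuleName) cannot silently shift the columns.
function Get-SysmonProcessAccess {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 200,
        # Wildcard filter on the accessed process, e.g. '*\lsass.exe'
        [string]$TargetImageLike = '*'
    )

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                UtcTime       = $data['UtcTime']
                SourceImage   = $data['SourceImage']
                SourcePid     = $data['SourceProcessId']
                TargetImage   = $data['TargetImage']
                TargetPid     = $data['TargetProcessId']
                GrantedAccess = $data['GrantedAccess']   # access mask as hex string
                CallTrace     = $data['CallTrace']
            }
        } |
        Where-Object { $_.TargetImage -like $TargetImageLike }
}

# Usage
Show-FormattingPitfall                                      # second row shows blank
Show-FormattingPitfall | Format-Table -Property CallTrace, SourceImage   # explicit columns: both values visible

# Every event now has the same shape, so default formatting shows all columns
Get-SysmonProcessAccess -MaxEvents 50 | Format-Table -AutoSize

# Narrow to processes touching lsass.exe and lay the long fields out one per line
Get-SysmonProcessAccess -TargetImageLike '*\lsass.exe' |
    Select-Object UtcTime, SourceImage, GrantedAccess, CallTrace |
    Format-List
```

    Naming an explicit -Property list on Format-Table is the other direct fix: the columns are then fixed by you, not by whichever object happens to arrive first, and objects lacking a property simply show an empty cell in that column.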
  • It works! Thanks a lot :)

    Saturday, July 11, 2020 9:06 PM
  • Hi rataj0, if the above reply is helpful, kindly mark it as the answer.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 13, 2020 2:01 AM