Collecting events for specific time periods

  • Question

  •  I'm using Get-WinEvent with an XML filter to retrieve specific event IDs, with an exclusion on a specific username. The following filter string works for getting the events from the past hour. I would rather gather events from 2:00:00 PM to 2:59:59 PM, because the current way I'm doing it has the possibility of leaving small gaps in the collection. The problem is that I cannot find any examples where an XML filter is used to specify exact times. Is this even possible with the XML filter? It seems possible with the hash filter, but then I'm not sure I can do the exclusion I want. In addition, what time format is used? Is it universal time?

    $filterxml = "<QueryList>
                  <Query Id='0' Path='Security'>
                  <Select Path='Security'>
                  *[System[( (EventID &gt;= 4720 and EventID &lt;= 4765)
                  or (EventID = 5139)
                  or (EventID = 4767)
                  or (EventID = 5138)
                  or (EventID = 5141))
                  and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
                  <Suppress Path='Security'>
                  *[EventData[Data[@Name='SubjectUserName']='svc-pwdmgradmin']]
                  </Suppress>
                  </Query>
                  </QueryList>"

    Rob

    Tuesday, November 1, 2016 2:41 PM

All replies

  • Please do not post colorized code.  Use the code posting tool on the edit toolbar to paste the code as a code block.


    \_(ツ)_/

    Tuesday, November 1, 2016 2:48 PM
  • You will have to get the time and convert it to a system time number.

    $2PM = [datetime]'14:00:00'
    $start = $2PM.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffffff00K')
    $end = $2PM.AddHours(1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffffff00K')
    
    TimeCreated &ge; '$start' and TimeCreated &lt; '$end'


    \_(ツ)_/


    Tuesday, November 1, 2016 3:06 PM
  •  Very close, and it got me in the right direction. Thank you.

    TimeCreated &gt;= '$start' and TimeCreated &lt;= '$end'


    Rob

    Wednesday, November 2, 2016 5:30 PM
  •  I am no longer getting an XML error using get-winevent, but my query is not returning any data.

     Ideas?

    $dt = Get-Date
    $t  = $dt.AddMinutes(-($dt.Minute % 60) - 60).AddSeconds(-($dt.Second % 60))

    $start = $t.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffffff00K')
    $end   = $t.AddHours(1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffffff00K')

    $filterxml = "<QueryList>
                  <Query Id='0' Path='Security'>
                  <Select Path='Security'>
                  *[System[(TimeCreated &gt;= '$start' and TimeCreated &lt;= '$end'
                  and
                  ((EventID &gt;= 4720 and EventID &lt;= 4765)
                  or (EventID = 5139)
                  or (EventID = 4767)
                  or (EventID = 5138)
                  or (EventID = 5141)))]]</Select>
                  <Suppress Path='Security'>
                  *[EventData[Data[@Name='SubjectUserName']='svc-pwdmgradmin']]
                  </Suppress>
                  </Query>
                  </QueryList>"

    $data = Get-WinEvent -ComputerName "dc3" -FilterXml $filterxml # -ea 'SilentlyContinue'


    Rob

    Wednesday, November 2, 2016 8:32 PM
  • Can you confirm that logs have been generated within your threshold? Also remove the # after $filterxml on your last line.
    Wednesday, November 2, 2016 8:53 PM
  •  Yes, the logs have been generated.  The # is there just so I can see the error that no data was returned.  Normally the # is not there, it's not a concern.

     I will repost my original query string in a script block.  This one works, but is not as reliable because it's not using a precise time range.

     I have changed parentheses around, no luck so far. 

    $filterxml = "<QueryList>
                  <Query Id='0' Path='Security'>
                  <Select Path='Security'>
                  *[System[( (EventID &gt;= 4720 and EventID &lt;= 4765)
                  or (EventID = 5139)
                  or (EventID = 4767)
                  or (EventID = 5138)
                  or (EventID = 5141))
                  and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
                  <Suppress Path='Security'>
                  *[EventData[Data[@Name='SubjectUserName']='svc-pwdmgradmin']]
                  </Suppress>
                  </Query>
                  </QueryList>"

    Rob


    Wednesday, November 2, 2016 9:12 PM
  •   I spent some time on this trying different time formats, round-trip, etc., and still no success. I could kludge this and get more events than I need, then filter my returned collection to the correct time period, but I don't like doing that.

    Rob

    Monday, November 7, 2016 3:29 PM
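The thread ends without a working query. As an added example, not part of the original thread, the following shows the form of time-range predicate the Windows event log XPath subset accepts: the comparison goes on the @SystemTime attribute of TimeCreated, which is exactly what Event Viewer's Custom View filter emits when you pick a date range, rather than on the TimeCreated element itself as in the posted query. It takes jrv's point that the value has to be converted to UTC, and reuses the event IDs, the host name dc3 and the suppressed account svc-pwdmgradmin from Rob's posts; the function names Get-HourWindow and New-SecurityWindowFilter are mine.

```powershell
# Added example, not code from the thread. Assumes: a reachable DC named "dc3"
# (from the thread), read access to its Security log, and the account name
# svc-pwdmgradmin to suppress (from the thread). Function names are mine.

function Get-HourWindow {
    # Returns the UTC start and end of one full clock hour, as the ISO-8601
    # strings the Security log stores in TimeCreated/@SystemTime.
    # HoursAgo = 1 gives the previous complete hour (e.g. 14:00:00 to 15:00:00).
    param(
        [datetime]$Reference = (Get-Date),
        [int]$HoursAgo = 1
    )
    $start = $Reference.Date.AddHours($Reference.Hour - $HoursAgo)   # top of the hour, local time
    $end   = $start.AddHours(1)
    # SystemTime is UTC with a 'Z' suffix; 'T' and 'Z' are literals in a .NET custom format.
    $fmt = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    [pscustomobject]@{
        Start = $start.ToUniversalTime().ToString($fmt)
        End   = $end.ToUniversalTime().ToString($fmt)
    }
}

function New-SecurityWindowFilter {
    # Builds the XML filter string for Get-WinEvent -FilterXml.
    # Half-open interval [Start, End): back-to-back hourly runs neither
    # overlap (no duplicates on the boundary) nor leave a gap.
    # @SystemTime is compared as a string, and ISO-8601 UTC strings of equal
    # length sort chronologically, so the string comparison is a time comparison.
    param(
        [Parameter(Mandatory)][string]$StartUtc,
        [Parameter(Mandatory)][string]$EndUtc,
        [string]$SuppressUser = 'svc-pwdmgradmin'
    )
@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[
          ( (EventID &gt;= 4720 and EventID &lt;= 4765)
            or EventID = 4767
            or EventID = 5138
            or EventID = 5139
            or EventID = 5141 )
          and TimeCreated[@SystemTime &gt;= '$StartUtc' and @SystemTime &lt; '$EndUtc']
      ]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='SubjectUserName']='$SuppressUser']]
    </Suppress>
  </Query>
</QueryList>
"@
}

$window    = Get-HourWindow -HoursAgo 1
$filterXml = New-SecurityWindowFilter -StartUtc $window.Start -EndUtc $window.End
$filterXml   # print it: the same XML can be pasted into Event Viewer's "XML" filter tab to check it

# "No events were found that match the specified selection criteria." is reported
# as an error by Get-WinEvent. Promote it to terminating and handle it explicitly
# instead of hiding every error with -ErrorAction SilentlyContinue.
try {
    $events = Get-WinEvent -ComputerName 'dc3' -FilterXml $filterXml -ErrorAction Stop
    $events | Select-Object TimeCreated, Id, @{
        n = 'SubjectUserName'
        e = { ([xml]$_.ToXml()).Event.EventData.Data |
              Where-Object { $_.Name -eq 'SubjectUserName' } |
              ForEach-Object { $_.'#text' } }
    }
}
catch {
    if ($_.Exception.Message -match 'No events were found') {
        "No matching events between $($window.Start) and $($window.End)"
    }
    else { throw }
}
```

Two caveats for anyone scheduling this. First, keep the interval half-open: Rob's `>= start and <= end` with `end = start + 1h` counts an event stamped exactly on the hour in two consecutive runs, while `<= 2:59:59` would drop anything in the last second. Second, the Suppress clause makes every account-management event performed as svc-pwdmgradmin invisible to this collection, including misuse of that account; review that account's activity through a separate query rather than trusting the exclusion blindly.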