Using PowerShell to Filter Event Logs

We're using teh Get-WinEvent powershell commandlet and filtering using filterxpath which we can get more info on from here: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent

Filter by Event ID:

*/System/EventID=<ID>

Filter by XML Attribute/Name:

*/EventData/Data[@Name="<XML Attribute/Name>"]

Filter by Event Data:

*/EventData/Data=<Data>

Opening an external Event log file

Get-WinEvent -path [path to event log file]

Opening a local event log area

Get-WinEvent -LogName Microsoft-Windows-PrintService/Admin

If you want to filter events but you're not sure how to - visit the event log GUI, click an event and then look at the detail XML portion to build out the query.

Filtering by EventID

Get-WinEvent -Path [path to event log file] Application -FilterXPath '*/System/EventID=100'

or

Get-WinEvent -LogName Microsoft-Windows-PrintService/Admin -FilterXPath ‘*/System/EventID=808’

Filtering using hashtables by ID and keywords (IMO this is way easier that XPath queries)

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'

or (note you can use wildcards (*) in this option too) - I find this functions better than the above but you don't get the hashtables filtering.

Get-WinEvent -Path [path to event log file] | Where-Object{$_.Message -like '[string]'}

to see the full data on this you can enumerate the properties of the items it finds by piping that - using Message instead of the * below will give you JUST the message area that you might be looking for.

Get-WinEvent -Path [path to event log file] | Where-Object{$_.Message -like '[string]'} | Select-Object -Property *

Display just the process ID

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property ProcessID