Search through all archived event logs in folder

hilzz2 · 2021-05-11T03:19:21.000Z

Is there a way to search through all event file logs in a folder?

I’ve tried the following code but it didn’t seem to work

$EventLogonIDs="4720"Get-WinEvent -FilterHashtable @{Path="C:\windows\system32\winevt\Logs\Security*.evtx";id= @($EventLogonIDs);StartTime="1/1/2017";EndTime="1/8/2023"} | Export-Csv c:\result.csv

Neally · 2021-05-11T03:20:38.000Z

If you post code, please use the ‘Insert Code’ button. Please and thank you!

PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum! Programming & Development

Hi, and welcome to the PowerShell forum! Don’t apologize for being a “noob” or “newbie” or “n00b.” There’s just no need – nobody will think you’re stupid, and the forums are all about asking questions. Just ask! Use a descriptive subject. Don’t say “Need help” or “PowerShell Help”, actually summarize what the problem is. It helps the rest of us keep track of which problem is which. Don’t post massive scripts. We’re all volunteers and we don’t have time to read all that, nor will we copy…

hilzz2 · 2021-05-11T03:22:19.000Z

Done and thanks for that!

adrian_ych · 2021-05-11T03:34:06.000Z

It depends on what OS and what you are trying to do ??

You can easily set custom views to see only the events that occur OR you can set filters to filter out certain events.

Neally · 2021-05-11T03:36:49.000Z

hilzz:

I’ve tried the following code but it didn’t seem to work

Your code seems to work just fine.

Do you run powershell as admin? that’s needed for powershell to get access to the eventlogs

2021-05-10_22-37-39.png800×140 34.5 KB

jitensh · 2021-05-11T03:37:24.000Z

you will need to try something like

Get-ChildItem -include *.evt,*.evtx -Path C:\windows\system32\winevt\Logs\Security -recurse |

ForEach-Object {

"Parsing $($_.fullname)`r`n"

Try

{ Get-WinEvent -FilterHashtable @{

Path=$_.fullname

ID=4720;

StartTime="1/1/2017" ;

EndTime="1/8/2023"} -EA Stop}

Catch [System.Exception] {"No errors in current log"}

}

DoctorDNS · 2021-05-11T07:42:45.000Z

A small thing - the Spiceworks editor has mangled your code. Can you RE-edit it??

Also, as a general rule “the code does not work” is not helpful to me to work out what might be going wrong. Please consider posting the exact error message. It turns out that PowerShell error messages are pretty good but sometimes confusing given all the red ink. PowerShell 7 is a lot better in this respect.