How to pass a specific xml filter in Powershell to request events?

# Define the remote server name
$remoteServer = "SERVER_NAME"

# Define the credentials for authentication
$username = "USERNAME"
$password = "PASSWORD"
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $securePassword

# Define the time range for the last half hour
$startTime = (Get-Date).AddMinutes(-30)
$endTime = Get-Date

# Define the event ID for Netlogon 5810
$eventID = 5810

# Construct the filter for the desired event ID and time range
$filter = @"
<QueryList>
    <Query>
        <Select Path="Security">
            *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventID)]]
            and
            *[System[TimeCreated[@SystemTime>='$($startTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))' and @SystemTime<='$($endTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))']]]
        </Select>
    </Query>
</QueryList>
"@

# Retrieve the events from the remote server with authentication
$events = Get-WinEvent -ComputerName $remoteServer -FilterXml $filter -Credential $credential

# Count the number of events
$eventCount = $events.Count

# Display the result
Write-Host "Number of Netlogon 5810 events in the last half hour: $eventCount"

Running this code with PowerShell gives this error:

Get-WinEvent : Impossible de lier le paramètre « FilterXml ».
Impossible de convertir la valeur « 

*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=5810)]]
and
*[System[TimeCreated[@SystemTime>='2023-06-14T13:24:15Z' and @SystemTime<='2023-06-14T13:54:15Z']]]

» en type «System.Xml.XmlDocument». Erreur: «Le caractère '=', valeur hexadécimale 0x3D, ne peut pas commencer un nom.
Ligne 6, position 90.» Au caractère C:\Program Files\NSClient++\scripts\OPSSI\test.ps1:31 : 63
+ … = Get-WinEvent -ComputerName $remoteServer -FilterXml $filter -Creden …
+                                                       ~~~~~~~
    + CategoryInfo : InvalidArgument : (:) [Get-WinEvent], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetWinEventCommand

Can someone tell me how to correct the filter variable?

I tried to execute this code to get a count of all the 5810 Netlogon events on a remote server in the last half hour, and I got the above error.

>Solution:

You need to escape the >= and <= operators inside the XPath so they aren’t interpreted as XML tag delimiters.

The escape sequence for < is &lt;, and for > it’s &gt;:

$filter = @"
<QueryList>
    <Query>
        <Select Path="Security">
            *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventID)]]
            and
            *[System[TimeCreated[@SystemTime&gt;='$($startTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))' and @SystemTime&lt;='$($endTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))']]]
        </Select>
    </Query>
</QueryList>
"@
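The following is an added example, not code from the question or the answer above. It builds the same Security-log query, but lets .NET do the XML escaping so no comparison operator can ever be mistaken for a tag delimiter, validates the filter as XML locally before calling Get-WinEvent (the exact conversion that failed in the question), prompts for the credential instead of embedding a password, and shows the -FilterHashtable form of the same query, which needs no XML at all. The server name, the 5810 event ID and the 30-minute window are placeholders taken from the question.

```powershell
# Added example (not the question's or answer's code). Placeholder values below.
$remoteServer = "SERVER_NAME"                 # placeholder, as in the question
$eventID      = 5810                          # event ID used in the question
$startTime    = (Get-Date).AddMinutes(-30)
$endTime      = Get-Date

# Event log XML expects UTC timestamps in exactly this format.
$fmt   = "yyyy-MM-ddTHH:mm:ssZ"
$start = $startTime.ToUniversalTime().ToString($fmt)
$end   = $endTime.ToUniversalTime().ToString($fmt)

# Write the XPath with plain >= and <=, then escape it for XML once.
# SecurityElement.Escape turns < into &lt;, > into &gt; (and also & " ').
# The XML parser decodes them again, so the XPath the log service sees is unchanged.
$xpath = [System.Security.SecurityElement]::Escape(
    "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventID)]] and " +
    "*[System[TimeCreated[@SystemTime>='$start' and @SystemTime<='$end']]]"
)

$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@

# Fail fast with a local, readable message: this is the same string -> XmlDocument
# conversion that Get-WinEvent performs when it binds -FilterXml.
try {
    $parsed = [xml]$filter
}
catch {
    throw "Filter is not well-formed XML: $($_.Exception.Message)"
}

# Prompt for the account instead of keeping a plain-text password in the script.
$credential = Get-Credential -Message "Account allowed to read the Security log on $remoteServer"

# Get-WinEvent reports 'no events found' as an error; SilentlyContinue turns that into an empty result.
$events = Get-WinEvent -ComputerName $remoteServer -FilterXml $parsed -Credential $credential -ErrorAction SilentlyContinue
$eventCount = @($events).Count
Write-Host "XML filter: $eventCount event(s) with ID $eventID in the last half hour"

# Same query with -FilterHashtable: no XML document, so nothing to escape.
$hash = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = $eventID
    StartTime    = $startTime
    EndTime      = $endTime
}
$events2 = Get-WinEvent -ComputerName $remoteServer -FilterHashtable $hash -Credential $credential -ErrorAction SilentlyContinue
Write-Host "Hashtable filter: $(@($events2).Count) event(s) with ID $eventID in the last half hour"
```

Wrapping the result in `@(...)` before reading `.Count` matters: when exactly one event matches, `$events` is a single object rather than an array, and when none match it is `$null`; both cases otherwise give a misleading count.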