Get-WinEvent is a PowerShell command for working with Windows event logs.
FilterHashtable
There’s lots of good information about the various FilterHashtable keys in Microsoft’s documentation. Some important ones:
- LogName (String)
- ProviderName (String)
- Path (String)
- Keywords (Long)
- ID (Int32)
- Level (Int32)
- StartTime (DateTime)
- EndTime (DateTime)
- UserID (SID)
- Data (String)
- [NamedData] (String)
Wildcards can be used with LogName and ProviderName, but not with other keys.
Event Viewer displays most of these values in the “General” when viewing an individual log entry, though note that Keywords is translated to a string.
Keywords
- AuditFailure (4503599627370496)
- AuditSuccess (9007199254740992)
- CorrelationHint2 (18014398509481984)
- EventLogClassic (36028797018963968)
- Sqm (2251799813685248)
- WdiDiagnostic (1125899906842624)
- WdiContext (562949953421312)
- ResponseTime (281474976710656)
- None (0)
Levels
- Verbose (5)
- Informational (4)
- Warning (3)
- Error (2)
- Critical (1)
- LogAlways (0)
Event IDs
Windows event IDs
- 104 — Event log was cleared
- 1102 — Audit log was cleared (517 on Windows 2003 and earlier)
- 4104 — PowerShell command and script logging
- 4626 — Successful logon
- LogonType 3 represents a (generic) network login
- LogonType 9 represents a logon where the outbound credentials are different than the credentials used to authenticate to the account that is initiating that login (only logged by the host initiating the connection, however)
It’s hard to find documentation about event ID, and the meaning seems to shift between versions of Windows.
Link to original