I want to filter the event log for a certain user, but I don't think there's an option to search by SAMID. There is a filter by UserId
though, according to here. Is the following correct syntax correct to search the user in the screen shot below?
$events = get-winevent -filterhashtable
@{ logname='security'; path="Archive-Security-2015-04-14-02-13-02-299.evtx";
UserId='S-1-5-21-220523388-838170752-839522115-yyyy' }
I get "No events were found that match the specified selection criteria." with the above command. But if I remove the UserId
key, a long list is returned, so there should be nothing wrong with logname
or path
.
Best Answer
Use the
-FilterXPath
option instead!In the following example, I've saved all events from the Security log on my machine to
seclog.evtx
on the Desktop and search for events with SubjectUserSidS-1-5-18
(LOCAL SYSTEM
):In a script, I would probably opt for a splatting table to make the statement a bit more readable (here limited to the last 10 events):
You can specify multiple non-exclusive criteria with
or
: