Mali_Stane
Feb 23, 2024
Copper Contributor
Data Collection Rule : XPath queries to filter 7036 without WMI etc
Hi,
In PowerShell on a server, I'm trying to filter out some events from Event ID 7036 (Service Control Manager, start/stop of services).
I'm trying to filter out WMI Performance Adapter, so I don't want to have those events imported into the Log Analytics workspace with a data collection rule.
Can you help me see what I'm doing wrong?
$XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'
Get-WinEvent -FilterXPath $XPath
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
At line:3 char:1
+ Get-WinEvent -FilterXPath $XPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
Get-WinEvent : No events were found that match the specified selection criteria.
At line:3 char:1
+ Get-WinEvent -FilterXPath $XPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
$XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'
Get-WinEvent -LogName 'System' -FilterXPath $XPath
Get-WinEvent : The specified query is invalid
At line:2 char:1
+ Get-WinEvent -LogName 'System' -FilterXPath $XPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
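
Added example, not part of the original post: a data collection rule takes its query as `LogName!XPath`, while `Get-WinEvent` expects the log name in `-LogName` and only the XPath part in `-FilterXPath`, with both conditions inside a single `*[...]` predicate. The helper below splits a DCR-style string and tests it locally, telling an invalid query apart from a valid one that matched nothing. `Test-DcrXPath` is a hypothetical helper name, and the query string is one possible form of the filter described in the post.

```powershell
# Added example: Test-DcrXPath is a hypothetical helper, not a built-in cmdlet.
function Test-DcrXPath {
    param(
        [Parameter(Mandatory)] [string] $DcrQuery,  # 'LogName!XPath', as written in a DCR
        [int] $MaxEvents = 5
    )

    # Split on the first '!' only: the XPath itself may contain '!='.
    $logName, $xpath = $DcrQuery -split '!', 2
    if (-not $xpath) { throw "Expected 'LogName!XPath', got: $DcrQuery" }

    try {
        # Naming the log avoids enumerating every log (including Security).
        $events = Get-WinEvent -LogName $logName -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction Stop
        [pscustomobject]@{
            LogName = $logName; XPath = $xpath; Valid = $true
            Sample  = $events;  Error = $null
        }
    }
    catch {
        # A well-formed query with zero hits raises NoMatchingEventsFound;
        # anything else (e.g. "The specified query is invalid") is a real failure.
        $noHits = $_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*'
        [pscustomobject]@{
            LogName = $logName; XPath = $xpath; Valid = $noHits
            Sample  = @()
            Error   = if ($noHits) { $null } else { $_.Exception.Message }
        }
    }
}

# Event 7036 with param1 (service display name) other than WMI Performance Adapter.
# The System and EventData conditions share one *[...] predicate.
$dcrQuery = "System!*[System[(EventID=7036)] and " +
            "EventData[Data[@Name='param1']!='WMI Performance Adapter']]"

$result = Test-DcrXPath -DcrQuery $dcrQuery
$result | Select-Object LogName, XPath, Valid, Error

# For 7036, Properties[0] is param1 (service) and Properties[1] is param2 (state).
$result.Sample | Select-Object TimeCreated, Id,
    @{ n = 'Service'; e = { $_.Properties[0].Value } },
    @{ n = 'State';   e = { $_.Properties[1].Value } }
```

Once the query returns the expected sample, the full `System!*[...]` string is what goes into the data collection rule.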