Hi,
In PowerShell on a server, I’m trying to filter out some events from Event ID 7036 (Service Control Manager, start/stop services).
I’m trying to filter out WMI Performance Adapter, so that those events are not imported into the Log Analytics workspace by the data collection rule.
Can you help me see what I’m doing wrong?
$XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'
Get-WinEvent -FilterXPath $XPath
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
At line:3 char:1
+ Get-WinEvent -FilterXPath $XPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
Get-WinEvent : No events were found that match the specified selection criteria.
At line:3 char:1
+ Get-WinEvent -FilterXPath $XPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
$XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'
Get-WinEvent -LogName 'System' -FilterXPath $XPath
Get-WinEvent : The specified query is invalid
At line:2 char:1
+ Get-WinEvent -LogName 'System' -FilterXPath $XPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
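
Added example, not part of the original post: one way to test a data collection rule filter locally, with both conditions inside a single `*[ ... ]` predicate and the `System!` log prefix passed to `-LogName` instead of being left in the XPath. `Test-DcrXPath` is a hypothetical helper name, and the sketch assumes the rule stores the filter as `LogName!XPath`.

```powershell
# Added example; Test-DcrXPath is a hypothetical helper, not a built-in cmdlet.
function Test-DcrXPath {
    param(
        # Filter in the 'LogName!XPath' form assumed for the data collection rule
        [Parameter(Mandatory)][string]$DcrQuery,
        [int]$MaxEvents = 20
    )

    # Split on the first '!' only: the XPath part can itself contain '!='.
    $logName, $xpath = $DcrQuery -split '!', 2
    if (-not $xpath) { throw "Expected 'LogName!XPath', got: $DcrQuery" }

    try {
        # Naming the log keeps the query away from logs the account cannot read.
        Get-WinEvent -LogName $logName -FilterXPath $xpath `
            -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # A valid query with zero hits is reported as an error by Get-WinEvent.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Warning "Query is valid but matched no events in '$logName'."
        }
        else { throw }
    }
}

# EventID test and param1 exclusion combined with 'and' inside one predicate.
$dcrQuery = 'System!*[System[(EventID=7036)] and ' +
            'EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'

# Properties[0] is param1 (the service display name) for event 7036.
Test-DcrXPath -DcrQuery $dcrQuery |
    Select-Object TimeCreated, Id,
        @{ Name = 'Service'; Expression = { $_.Properties[0].Value } }
```

If the output still lists the service you meant to exclude, compare the `param1` text in the event's XML view with the string in the filter, since the comparison is an exact match.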