PowerShell cmdLet Get-WinEvent

-filterXml

$time_from = (get-date).AddHours(-10).ToString( "yyyy-MM-ddTHH:mm:ss.fffZ" )

[xml] $qry = @"
  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">
        *[System[TimeCreated[@SystemTime &gt;= '$time_from' ]]]
      </Select>
    </Query>
  </QueryList>
"@

get-winEvent -filterXml $qry

TODO: get-winEvent vs get-eventLog

get-winEvent will eventually(?) replace get-eventLog

get-eventLog only queries the «traditional» event logs (system, application and security), it cannot query ETL type of logs.

get-eventLog is easier to use than get-winEvent.

get-winEvent setup is possible, get-eventLog setup throws an error.

get-eventLog returns instances of System.Diagnostics.EventLogEntry objects, get-winEvent instances of System.Diagnostics.Eventing.Reader.EventLogRecord.

links:

Use PowerShell Cmdlet to Filter Event Log for Easy Parsing

PowerShell cmdLet Get-WinEvent

-filterXml

TODO: get-winEvent vs get-eventLog

See also