Using WMI to get Windows Event Collector Logs


  • Hi.

    Using WMI to query the eventlog is quite simple, using Win32_NTLogEvent, for example:

    Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE (Logfile='Application' AND SourceName='Something')"

    However, if I want to query a log that contains events collected with Windows Event Collector, they don't show up in the results, even though events from other sources in the same log do.

    I can use the cmdlet Get-EventLog to retrieve WEC events, but that does not solve my problem.

    Get-EventLog HardwareEvents

    What I am trying to do is to use the __InstanceCreationEvent and do something (forward it to a Kafka instance) when a new event is inserted in the log. See the example from Scripting Guy and the Logstash Eventlog input module for example usage.

    $query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND (TargetInstance.Logfile = 'HardwareEvents')"
    $eventWatcher = New-Object System.Management.ManagementEventWatcher $query
    $event = $eventWatcher.WaitForNextEvent()

    This works perfectly for normal logs, but not with forwarded events from Windows Event Collector.

    Any suggestions? 

    Best regards

    • Moved by Bill_Stewart Tuesday, July 21, 2015 9:46 PM Abandoned
    Friday, May 22, 2015 6:26 AM
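The following script is an added example and is not part of the original post or any reply to it. It turns the three-line WMI watcher from the question into a loop that serialises each new Win32_NTLogEvent to JSON and hands it to a stub forwarding function (the Kafka producer is a hypothetical placeholder; Send-ToKafka only writes to stdout). The second function goes beyond the post: it subscribes to the same channel through System.Diagnostics.Eventing.Reader.EventLogWatcher, the newer Windows Event Log API that Get-WinEvent uses. Whether that watcher sees the forwarded events that Win32_NTLogEvent misses is an assumption for the reader to verify on their collector; the channel names 'HardwareEvents' and 'ForwardedEvents' are taken from the post and from the default WEC configuration respectively.

```powershell
# Added example, not from the original post. Requires a Windows host with the
# named channels present. Send-ToKafka is a hypothetical stand-in for a producer.

function ConvertTo-NTLogEventJson {
    param([Parameter(Mandatory)] $Instance)   # a Win32_NTLogEvent instance
    # TimeGenerated is a DMTF datetime string; convert it to a real DateTime.
    $time = [System.Management.ManagementDateTimeConverter]::ToDateTime($Instance.TimeGenerated)
    [pscustomobject]@{
        LogFile       = $Instance.Logfile
        EventCode     = $Instance.EventCode
        SourceName    = $Instance.SourceName
        ComputerName  = $Instance.ComputerName
        TimeGenerated = $time.ToUniversalTime().ToString('o')
        Message       = $Instance.Message
    } | ConvertTo-Json -Compress
}

function Send-ToKafka {
    param([Parameter(Mandatory)][string] $Json)
    # Hypothetical placeholder for the real producer call.
    Write-Output $Json
}

function Watch-NTLogEventWmi {
    # Subscribes via WMI intrinsic events, exactly as in the question, but with a
    # timeout so the loop can be interrupted and the watcher is always disposed.
    param(
        [string] $LogFile = 'HardwareEvents',
        [int]    $TimeoutSeconds = 5
    )
    $query   = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = '$LogFile'"
    $watcher = New-Object System.Management.ManagementEventWatcher $query
    $watcher.Options.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    try {
        while ($true) {
            try {
                $e = $watcher.WaitForNextEvent()
            } catch [System.Management.ManagementException] {
                # Timeout elapsed with no new instance; poll again.
                continue
            }
            Send-ToKafka (ConvertTo-NTLogEventJson $e.TargetInstance)
        }
    } finally {
        $watcher.Stop()
        $watcher.Dispose()
    }
}

function Watch-EventLogChannel {
    # Alternative subscription through the newer Windows Event Log API. Assumption:
    # this watcher reports records that the legacy Win32_NTLogEvent class does not
    # surface, such as events written to a channel by Windows Event Collector.
    param([string] $LogName = 'ForwardedEvents')
    $pathType = [System.Diagnostics.Eventing.Reader.PathType]::LogName
    $query    = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery($LogName, $pathType, '*')
    $watcher  = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
    $null = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
        -SourceIdentifier "EvtWatch-$LogName" -Action {
            # $EventArgs is the automatic variable holding EventRecordWrittenEventArgs.
            $rec = $EventArgs.EventRecord
            if ($null -eq $rec) { return }   # EventRecord is null when the watcher hit an error
            $json = [pscustomobject]@{
                LogName     = $rec.LogName
                EventId     = $rec.Id
                Provider    = $rec.ProviderName
                Computer    = $rec.MachineName
                TimeCreated = $rec.TimeCreated.ToUniversalTime().ToString('o')
                Xml         = $rec.ToXml()
            } | ConvertTo-Json -Compress
            Send-ToKafka $json
        }
    $watcher.Enabled = $true
    return $watcher   # caller sets .Enabled = $false and calls Unregister-Event to stop
}

# Usage: run one of the two watchers from an elevated or suitably permitted shell.
# Watch-NTLogEventWmi -LogFile 'HardwareEvents'
# $w = Watch-EventLogChannel -LogName 'ForwardedEvents'
```

Output produced inside a Register-ObjectEvent action block is queued on the event job, so in an interactive session retrieve it with Receive-Job on the job that Register-ObjectEvent returned, or replace Send-ToKafka with a producer that writes to the network or a file directly.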
