这项工作对我来说:
Get-WinEvent -FilterHashTable @{Logname = "ForwardedEvents" ; ID = 4625,4740}
(....我期待的结果......)
这有效:
$EventId = "4625"
Get-WinEvent -FilterHashTable @{Logname = "ForwardedEvents" ; ID = $EventId}
这不起作用:
$EventId = "4625,4740"
Get-WinEvent -FilterHashTable @{Logname = "ForwardedEvents" ; ID = $EventId}
...错误
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:13
+ Get-WinEvent <<<< -FilterHashTable @{Logname = "ForwardedEvents" ; ID = $EventIds}
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
有人可以帮忙吗?
答案 0 :(得分:4)
在您的示例中,使用多个ID,您正在做两件事。
$EventId = "4625,4740"定义一个字符串。您的工作示例使用定义为逗号分隔数字的整数数组。
只需将其更改为$EventId = 4625,4740(删除引号)即可。看看我们看到的documentation for Get-WinEvent and the -FilterHashTable:
-- ID=<Int32[]>
所以它期待一个数组而不是一个字符串。