I’m working on a script that will allow me to search for the logoff times from a saved log file (*.evt). Essentially, I’d like to be able to pass a username to the script, but for now I’m hardcoding the username. I’d like to have it return the username and date/time.
Here’s the script:
$filter = @"
<QueryList>
  <Query Id='0'>
    <Select Path='C:\Saved Logs\AD1_2012July6.evt'>
      *[System[(EventID=4634)]] and
      *[EventData[Data[@Name='TargetUserName'] and (Data='ingramk')]]
    </Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $filter -Oldest
And here’s the error I receive:
ERROR: Get-WinEvent : The specified channel path is invalid
ERROR: At K:\PowerShell\Scripts\Test Scripts\Test-ListLogoff.ps1:38 char:13
ERROR: + Get-WinEvent <<<< -FilterXml $filter -Oldest
ERROR: + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
ERROR: + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
ERROR:
As I’m not familiar with XML and how to use it plus I’m still relatively new to PowerShell, I’m at a complete loss here. I’ve done several hours of research online and I still can’t figure out why I’m getting this error.
I've tried both single & double quotes inside the filter string and in both cases I receive the same error msg above.
Thanks again,
Kurt
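
Added example, not part of the original post: Get-WinEvent's -Path parameter reads a saved log file directly, so the logoff query can be a plain XPath filter with the user name passed in as a parameter. The function name Get-SavedLogoffEvent and its parameter names are assumptions made for illustration.

```powershell
# Added example: list logoff events (ID 4634) for one user from a saved log file.
# Function and parameter names are illustrative, not from the original post.
function Get-SavedLogoffEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $UserName,
        [Parameter(Mandatory = $true)] [string] $LogPath   # saved .evt or .evtx file
    )

    if (-not (Test-Path -LiteralPath $LogPath -PathType Leaf)) {
        throw "Log file not found: $LogPath"
    }

    # Reject quote characters so the name cannot break out of the XPath string literal.
    if ($UserName -match "['""]") {
        throw "User name must not contain quote characters."
    }

    # Match the named Data element itself rather than any Data element in the event.
    $xpath = "*[System[(EventID=4634)]] and " +
             "*[EventData[Data[@Name='TargetUserName']='$UserName']]"

    # -Oldest is required when reading .evt files.
    Get-WinEvent -Path $LogPath -FilterXPath $xpath -Oldest |
        ForEach-Object {
            # Collect the named EventData fields from the event's XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }

            [pscustomobject]@{
                UserName    = $data['TargetUserName']
                Domain      = $data['TargetDomainName']
                LogonType   = $data['LogonType']
                TimeCreated = $_.TimeCreated
            }
        }
}

# Values taken from the post above.
Get-SavedLogoffEvent -UserName 'ingramk' -LogPath 'C:\Saved Logs\AD1_2012July6.evt'
```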