Powershell query using Get-WinEvent

I try get EventID 4 from System log, with the most latest entry from source Security-Kerberos from remote computer, but failed. Anyone could advise on this? Thanks.

OS platform: Windows 2012
Log Name: System
Source: Security-Kerberos
Event ID: 4

get-winevent -FilterHashtable @{Logname='Microsoft-Windows-Security-Kerberos';ID=4} -MaxEvents 1 -ComputerName MyRemoteServer1

Open in new window

get-winevent -FilterHashtable @{Logname='Security-Kerberos';ID=4} -MaxEvents 1 -ComputerName MyRemoteServer1

Open in new window

I'm getting error like:-
get-winevent : There is not an event provider on the XXX computer that matches "Microsoft-Windows-Kerberos/Operational".
get-winevent : There is not an event log on the XXX computer that matches "Microsoft-Windows-Security-Kerberos".

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
You could use either of the following commands:

get-winevent -FilterHashtable @{Logname="System";ProviderName="Microsoft-Windows-Security-Kerberos"}

Open in new window


get-winevent -FilterHashtable @{Logname="System"; ID="4"}

Open in new window

kunghui80Author Commented:
I'm getting this error for your 1st suggestion. Possible to have both Event ID and Source in single command line?

get-winevent : The specified providers do not write events to any of the specified logs.
At line:1 char:1
+ get-winevent -FilterHashtable @{Logname="System";ProviderName="Microsoft-Windows ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : LogsAndProvidersDontOverlap,Microsoft.PowerShell.Commands.GetWinEventCommand

get-winevent : The parameter is incorrect
At line:1 char:1
+ get-winevent -FilterHashtable @{Logname="System";ProviderName="Microsoft-Windows ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
Dan McFaddenSystems EngineerCommented:
The error is stating that the Security-Kerberos provider is not on the computer where the command is being run.

And the 2nd command?

Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

kunghui80Author Commented:
I have checked that Event ID 4 does exist, with source Security-Kerberos.

For 2nd command, it does work, but my purpose is to get the latest entry from the event using -MaxEvents parameter. I list down the provider name, it shows "Microsoft-Windows-Security-Kerberos", i did give that a try too, but doesn't work either.

   ProviderName: Microsoft-Windows-Security-Kerberos

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
01/01/2015 00:00:01 AM            4 Error            The Kerberos client received a KRB_AP_ERR_MODIFIED error from th...
Dan McFaddenSystems EngineerCommented:
What is the OS of the Computer where the command will be run?

kunghui80Author Commented:
My script server will be Windows 2012 R2 and I'm going to run against Win2008/Win2012 remotely from this script server to make the query.  Will that be any different?

For this showcase, I'm running against Win2008 server.
Dan McFaddenSystems EngineerCommented:
The Get-WinEvent is not supported on Windows Server 2008.  It is only available on Windows Server 2008 R2 and greater.   You need to be testing on Win2012 R2.

Have you tried the "Get-EventLog" command?

 Get-EventLog -LogName System -Source Kerberos -Newest 1

Open in new window

This will work on all OSes.

Dan McFaddenSystems EngineerCommented:
Reference link:  https://technet.microsoft.com/en-us/library/hh849682.aspx

Take a look at the NOTES section which explains the supported OSes.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kunghui80Author Commented:
Thanks Dan, older OS are not supported, thanks for highlight.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.