I am trying to filter events via the following commands to get specific logs from the last 24 hours:

$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4625,4768; StartTime=(Get-Date).AddHours(-24)}
$LogonEvents = Get-WinEvent -FilterHashtable $EventLogFilter

I am very confused about the output. It only returns the following events:



And yet look at all of the events in the log it did not pickup:



There are many more events but I just took a screenshot to show this in the GUI.

Why isn't it picking up all of these events.

Another Example:

$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4625,4768; StartTime=(Get-Date).AddHours(-24)}
$LogonEvents = (Get-WinEvent -FilterHashtable $EventLogFilter) 
$LogonEvents.count
14

Now, if I remove the StartTime filter from Get-WinEvent and filter with where-object you can see how many of these events there actually are:

$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4625,4768}
$LogonEvents = (Get-WinEvent -FilterHashtable $EventLogFilter)
($LogonEvents | ?{$_.TimeCreated -ge (Get-Date).Addhours(-24)}).count
19497

So it missed almost 20,000 event logs! What the heck is going on, am I doing something stupid, is Get-WinEvent broken? Is there a limit to the number of logs this cmldet can filter before it freaks out and produces unreliable results?

Your script only looks at the last 24 hours:

StartTime=(Get-Date).AddHours(-24)

Yeah, which should return 19497 logs- or am I missing something?

Try with -FilterXML

Here is the XML Filter...

<QueryList><Query Id="0" Path="ForwardedEvents"><Select Path="ForwardedEvents">*[System[(EventID=4771) and TimeCreated[timediff(@Sy
stemTime) &lt;= 3600000]]]</Select></Query></QueryList>

The time listed (In bold) is in milliseconds for 1 hour (60 Minutes*60 Seconds*1000). Alter this as required.

I have the same exact requirement and the FilterXML works perfectly.

YES. That works perfectly. The following gave me exactly what I wanted with added convenience of letting the GUI built the query for me:

$FilterXML = '<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=4771 or EventID=4625 or EventID=4768) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>'
$LogonEvents = Get-WinEvent -FilterXml $FilterXML
$LogonEvents | sort -Property TimeCreated | Select-Object -First 1

Doing ($LogonEvents | sort -Property TimeCreated | Select-Object -First 1) I was able to confirm the oldest log was exactly 24 hours old.

Should have poked around in the docs more because I didn't event know about -filterxml. I think I'll be using that from now on.

FIlterHAsh works perfectly if you use it correctly and if you have all of the updates for Net 4.0