
Get-WinEvent filter by logontype 2 OR logontype 3


I came across this Get-WinEvent Obtain Interactive Logon Messages Only and tried to play around with OR in the same case:

 Get-WinEvent -FilterHashtable @{Path="c:\test.evtx"; id=4624;} | Where-Object {$_.properties[8].value -eq 2} OR {$_.properties[8].value -eq 3}

and I wonder why this is not working?

And what happens if I have two different event IDs with two different where clauses, e.g. EventId 4624 and logontype 2 or logontype 3
OR eventid 1234 and hostname = localhost?

What I need to do is check only logontype:2 and logontype 3 and print Network-Details when logontype is 3 (remote).


Solution

  • OR is not valid in PowerShell... You probably mean -or!

    In which case your code ends up looking like this:

    Get-WinEvent -FilterHashtable @{Path="c:\test.evtx"; id=4624;} |
        Where-Object {$_.properties[8].value -eq 2 -OR $_.properties[8].value -eq 3}
    

    As an addition, I often find the -in operator to be clearer in this kind of scenario

    Get-WinEvent -FilterHashtable @{Path="c:\test.evtx"; id=4624;} |
        Where-Object {$_.properties[8].value -in 2, 3}
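
The second part of the question (two event IDs with different conditions, and network details only for logon type 3) can be handled as below. This is an added example, not part of the original answer: the helper name `Get-EventDataMap` is hypothetical, 1234 is the asker's placeholder ID, and matching it on `MachineName` is an assumption.

```powershell
# Added example. Path and IDs come from the question; 1234 is the asker's
# placeholder ID, and matching it on MachineName is an assumption.
$filter = @{ Path = 'c:\test.evtx'; Id = 4624, 1234 }

# Read a record's EventData fields by name instead of by index in .Properties.
function Get-EventDataMap {
    param([Parameter(Mandatory)] $Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    $map
}

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    $data = Get-EventDataMap -Record $_

    # -and and -or have equal precedence in PowerShell (evaluated left to
    # right), so each "ID plus condition" group gets its own parentheses.
    $isLogon = ($_.Id -eq 4624) -and ($data['LogonType'] -in '2', '3')
    $isOther = ($_.Id -eq 1234) -and ($_.MachineName -eq 'localhost')
    if (-not ($isLogon -or $isOther)) { return }   # skip to the next record

    # Network details are filled in only for remote (type 3) logons.
    $remote = $isLogon -and ($data['LogonType'] -eq '3')
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        User        = $data['TargetUserName']
        LogonType   = $data['LogonType']
        Workstation = if ($remote) { $data['WorkstationName'] }
        IpAddress   = if ($remote) { $data['IpAddress'] }
        IpPort      = if ($remote) { $data['IpPort'] }
    }
}
```

Reading fields by name from the event XML avoids depending on `properties[8]` staying at the same position across event versions.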