Created
January 10, 2024 17:38
-
-
Save figueroadavid/66d2fe1183406cb09a977bd4e122a373 to your computer and use it in GitHub Desktop.
Test multiple logs for different event sources that may or may not be in the registry keys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Test-EventSourceByLog { | |
| <# | |
| .SYNOPSIS | |
| This tests for multiple sources in multiple eventlogs | |
| .DESCRIPTION | |
| This works regardless of if it exists directly in registry or not. | |
| This is different than the Test-EventSource which uses a dotnet function | |
| to check for all the sources that are directly listed in the registry. | |
| .PARAMETER EventSource | |
| The list of eventsources to check | |
| .PARAMETER LogName | |
| The list of eventlogs to check | |
| .EXAMPLE | |
| PS C:\> Test-EventSourceByLog -EventSource gupdate,egdgeupdate,drftesting -LogName Application | |
| Name Log Exists | |
| ---- --- ------ | |
| gupdate Application True | |
| egdgeupdate Application False | |
| drftesting Application False | |
| .EXAMPLE | |
| PS C:\> Test-EventSourceByLog -EventSource gupdate,egdgeupdate,'service control manager' -LogName Application,System | |
| Name Log Exists | |
| ---- --- ------ | |
| gupdate Application True | |
| egdgeupdate Application False | |
| service control manager Application False | |
| gupdate System False | |
| egdgeupdate System False | |
| service control manager System True | |
| .NOTES | |
| The primary functional code came from Santiago Squarzon (https://github.com/santisq) | |
| #> | |
| param( | |
| [parameter(Mandatory,ValueFromPipelineByPropertyName,ValueFromPipeline)] | |
| [string[]]$EventSource, | |
| [parameter(Mandatory, ValueFromPipelineByPropertyName, ValueFromPipeline)] | |
| [string[]]$LogName | |
| ) | |
| foreach ($Log in $LogName) { | |
| foreach ($Source in $EventSource) { | |
| $SourceLog = $Log | |
| try { | |
| $filter = "*[System/Provider/@Name='$Source']" | |
| $reader = [System.Diagnostics.Eventing.Reader.EventLogReader]::new( | |
| [System.Diagnostics.Eventing.Reader.EventLogQuery]::new( | |
| $Log, | |
| [System.Diagnostics.Eventing.Reader.PathType]::LogName, | |
| $filter)) | |
| $SourceFound = $reader.ReadEvent() -as [bool] | |
| } | |
| finally { | |
| if ($reader) { $reader.Dispose() } | |
| } | |
| [PSCustomObject]@{ | |
| Name = $Source | |
| Log = $SourceLog | |
| Exists = $SourceFound | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment