indented-automation/Watch-WinEvent.ps1

## Watch-WinEvent.ps1

function Watch-WinEvent {
    <#
    .SYNOPSIS
        Watch for events matching a query in the event log.

    .DESCRIPTION
        Watch for events matching a query in the event log.

    #>

    [CmdletBinding()]
    param (
        # The computer name to get events from.
        [Parameter(Position = 0)]
        [string]$ComputerName,

        # A credential to use for this operation.
        [PSCredential]$Credential,

        # The name of the event log.
        [string]$LogName

        # An event log QueryList written in XML.
        [string]$Query,

        # Wait for the node if it reboots then resume watching.
        [switch]$Wait
    )

    $activity = 'Watching for events on {0}' -f $ComputerName

    do {
        try {
            Write-Progress -Activity $activity -Status Connecting

            $sessionParams = @{
                ComputerName  = $ComputerName
                SessionOption = New-PSSessionOption -IdleTimeout 60000 -OperationTimeout 0
                ErrorAction   = 'Stop'
            }
            if ($PSBoundParameters.ContainsKey('Credential')) {
                $sessionParams['Credential'] = $Credential
            }
            $session = New-PSSession @sessionParams
            $count = 1

            Write-Progress -Activity $activity -Status Watching

            $invokeParams = @{
                Session     = $session
                ScriptBlock = {
                    $eventLogQuery = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
                        $using:LogName,
                        'LogName',
                        $using:Query
                    )

                    $eventLogWatcher = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new(
                        $eventLogQuery
                    )

                    $params = @{
                        InputObject = $eventLogWatcher
                        EventName   = 'EventRecordWritten'
                    }
                    Register-ObjectEvent @params

                    $eventLogWatcher.Enabled = $true

                    while ($true) {
                        Wait-Event | Get-Event | ForEach-Object {
                            $eventRecord = $_.SourceEventArgs.EventRecord
                            $eventRecord.PSObject.Properties.Add(
                                [System.Management.Automation.PSNoteProperty]::new(
                                    'Message',
                                    $eventRecord.FormatDescription()
                                )
                            )
                            $eventRecord

                            $_ | Remove-Event
                        }
                    }
                }
            }
            Invoke-Command @invokeParams
        } catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
            Write-Progress -Activity $activity -Status ('Waiting for connection {0}' -f ($count++))

            Start-Sleep -Seconds 5
        } catch {
            Write-Error -ErrorRecord $_
        }
    } while ($Wait)
}

	function Watch-WinEvent {
	<#
	.SYNOPSIS
	Watch for events matching a query in the event log.

	.DESCRIPTION
	Watch for events matching a query in the event log.

	#>

	[CmdletBinding()]
	param (
	# The computer name to get events from.
	[Parameter(Position = 0)]
	[string]$ComputerName,

	# A credential to use for this operation.
	[PSCredential]$Credential,

	# The name of the event log.
	[string]$LogName

	# An event log QueryList written in XML.
	[string]$Query,

	# Wait for the node if it reboots then resume watching.
	[switch]$Wait
	)

	$activity = 'Watching for events on {0}' -f $ComputerName

	do {
	try {
	Write-Progress -Activity $activity -Status Connecting

	$sessionParams = @{
	ComputerName = $ComputerName
	SessionOption = New-PSSessionOption -IdleTimeout 60000 -OperationTimeout 0
	ErrorAction = 'Stop'
	}
	if ($PSBoundParameters.ContainsKey('Credential')) {
	$sessionParams['Credential'] = $Credential
	}
	$session = New-PSSession @sessionParams
	$count = 1

	Write-Progress -Activity $activity -Status Watching

	$invokeParams = @{
	Session = $session
	ScriptBlock = {
	$eventLogQuery = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
	$using:LogName,
	'LogName',
	$using:Query
	)

	$eventLogWatcher = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new(
	$eventLogQuery
	)

	$params = @{
	InputObject = $eventLogWatcher
	EventName = 'EventRecordWritten'
	}
	Register-ObjectEvent @params

	$eventLogWatcher.Enabled = $true

	while ($true) {
	Wait-Event \| Get-Event \| ForEach-Object {
	$eventRecord = $_.SourceEventArgs.EventRecord
	$eventRecord.PSObject.Properties.Add(
	[System.Management.Automation.PSNoteProperty]::new(
	'Message',
	$eventRecord.FormatDescription()
	)
	)
	$eventRecord

	$_ \| Remove-Event
	}
	}
	}
	}
	Invoke-Command @invokeParams
	} catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
	Write-Progress -Activity $activity -Status ('Waiting for connection {0}' -f ($count++))

	Start-Sleep -Seconds 5
	} catch {
	Write-Error -ErrorRecord $_
	}
	} while ($Wait)
	}