This script queries your forest for a list of all Domain Controllers, then connects to the C$ administrative share on each one and copies Security.evtx from C:\Windows\System32\Winevt\Logs\. It needs credentials with admin access to each DC, and the collected files are sensitive security logs, so the output folder should be access-restricted.
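<#
.Synopsis
Gathers the Security.evtx files from each DC in your Forest
.DESCRIPTION
This script will query your forest for a list of all Domain Controllers. It'll then connect to the C$ share on each server and
get a copy of Security.evtx from C:\Windows\System32\Winevt\Logs\. These will then be output to the folder supplied as OutputFolder.

Reading the C$ administrative share needs credentials with admin rights on each DC. For every DC the script first tries the
caller's current identity, then re-uses credentials already entered for an earlier DC, and only prompts when both fail.
Cancelling the credential prompt skips that DC and continues with the next one.

The collected files are Security event logs from domain controllers. Treat OutputFolder as sensitive data and restrict
access to it; the copies are written with -Force and will overwrite any existing file of the same name.
.PARAMETER OutputFolder
Required - The folder where the evtx files should be collected.
.EXAMPLE
./Get-DCSecurityLogs.ps1 E:\LogFiles\
.EXAMPLE
./Get-DCSecurityLogs.ps1 -OutputFolder E:\LogFiles\
.NOTES
Version: 1.1
Author: Cameron McConnochie
Creation Date: 10 Aug 2018
Purpose/Change: Fixed bug where credential prompts reoccurred even when valid
Version: 1.0
Author: Cameron McConnochie
Creation Date: 2 Aug 2018
Purpose/Change: Initial script development
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True,Position=1)]
    [ValidateScript({
        if(-Not ($_ | Test-Path -PathType Container) ){
            throw "The OutputFolder argument must be a folder."
        }
        return $true
    })]
    [System.IO.FileInfo]$OutputFolder
)

# Name of the temporary PSDrive mapped to a DC's log folder. The drive is session-wide,
# so it is always torn down in 'finally' before the next DC is processed.
$DriveName = "Logs"
# Path below the C$ share that holds the event log files.
$LogShareSubPath = "C$\Windows\System32\WinEvt\Logs"
# Credentials entered at the prompt are kept for the rest of the run and retried on
# later DCs before prompting again (this is the v1.1 fix). Initialised here so the
# first Write-Debug below does not touch an undefined variable.
$Creds = $null
$Activity = "Getting all DC Security Logs..."

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Domains = $Forest.Domains
# @() guarantees an array: with a single DC the pipeline returns a bare string, whose
# .Length is its character count, which made the "(n of m)" status and the percentage wrong.
$DCs = @($Domains | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name})
if ($DCs.Count -eq 0) {
    Write-Warning "No Domain Controllers were found in forest '$($Forest.Name)'. Nothing to collect."
    return
}

Write-Progress -Activity $Activity -PercentComplete 0
$count = 0
ForEach ($DC in $DCs){
    Write-Progress -Activity $Activity -Status "Getting Security Logs from $($DC) ($($count+1) of $($DCs.Count))..." -PercentComplete (($count/$DCs.Count)*100)
    Write-Host "Getting Security Logs from $($DC)... " -NoNewline

    $ShortName = $DC.Split(".")[0]
    # NOTE: output files are named by host name only (kept for compatibility with earlier
    # versions). Two DCs with the same host name in different domains of the forest would
    # therefore overwrite each other's copy because of -Force.
    $Destination = Join-Path -Path "$OutputFolder" -ChildPath "$($ShortName)Security.evtx"
    $UncRoot = "\\$($DC)\$LogShareSubPath"
    # The Event Log service keeps Security.evtx open on the DC, so what is copied over SMB is a
    # point-in-time snapshot; if a DC refuses the read because the file is in use, exporting with
    # 'wevtutil epl Security' on the DC is the usual fallback (not attempted here).

    #Variable to track if user cancels
    [bool]$Abort = $false
    try{
        #Trying without additional credentials.
        Copy-Item -Path "$UncRoot\Security.evtx" -Destination $Destination -Force -ErrorAction Stop
    }catch{
        try{
            #Try with existing Credentials
            Write-Debug "Using existing Credentials ($($Creds.Username)) and connecting..."
            if ($Creds){New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $UncRoot -Credential $Creds -ErrorAction Stop | Out-Null}
            Write-Debug "Drive connected, attempting copy..."
            # With no saved credentials the drive is not mapped and this Copy-Item fails on
            # purpose, which drops us into the prompting branch below.
            Copy-Item -Path "$($DriveName):\Security.evtx" -Destination $Destination -Force -ErrorAction Stop
        }catch{
            #Trying with new additional credentials
            Write-Debug "Getting new Credentials and connecting..."
            Do {
                IF(Test-Path "$($DriveName):\"){
                    Write-Debug "Removing Drive map for $($DC)."
                    Remove-PSDrive -Name $DriveName
                }
                $Creds = Get-Credential -Message "Enter a username and password with Admin access to $($ShortName):"
                #Prompt cancelled, abort operation
                if ($Creds -isnot [System.Management.Automation.PSCredential]) {
                    Write-Host "Cancelled" -ForegroundColor Red
                    $Abort = $true
                    # Leave the loop now. Without this break the code fell through to
                    # New-PSDrive with a null credential, the While condition stayed false
                    # and the user was prompted again, so cancelling never actually aborted.
                    break
                }
                # Wrong password just fails the mapping and we prompt again.
                New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $UncRoot -Credential $Creds -ErrorAction SilentlyContinue | Out-Null
            } While (-Not (Test-Path "$($DriveName):\Security.evtx"))
            If(-not $Abort){
                Write-Debug "Drive connected, attempting copy..."
                Copy-Item -Path "$($DriveName):\Security.evtx" -Destination $Destination -Force -ErrorAction Stop
            }
        }
    }finally{
        #Cleanup - runs on every path, including a cancelled prompt or a failed copy.
        IF(Test-Path "$($DriveName):\"){
            Write-Debug "Removing Drive map for $($DC)."
            Remove-PSDrive -Name $DriveName
        }
    }
    # A skipped DC already reported "Cancelled"; do not follow it with a green "Done".
    if (-not $Abort) {
        Write-Host "Done" -ForegroundColor Green
    }
    $count++
}
Write-Progress -Activity $Activity -Completed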