This script will query your forest for a list of all Domain Controllers. It'll then connect to the C$ share on each server and get a copy of Security.evtx from C:\Windows\System32\Winevt\Logs\
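<#
.Synopsis
Gathers the Security.evtx files from each DC in your Forest
.DESCRIPTION
This script queries the current forest for a list of all Domain Controllers. It then connects to the C$ share on each server and
copies Security.evtx from C:\Windows\System32\Winevt\Logs\. The copies are written to the folder supplied as OutputFolder,
named <short hostname>Security.evtx.

Each DC is tried first with the running user's credentials, then with credentials already supplied for an earlier DC, and finally
by prompting. Cancelling the credential prompt skips that DC instead of prompting again.
.PARAMETER OutputFolder
Required - The folder where the evtx files should be collected. It must already exist.
.EXAMPLE
./Get-DCSecurityLogs.ps1 E:\LogFiles\
.EXAMPLE
./Get-DCSecurityLogs.ps1 -OutputFolder E:\LogFiles\
.NOTES
Version: 1.1
Author: Cameron McConnochie
Creation Date: 10 Aug 2018
Purpose/Change: Fixed bug where credential prompts reoccurred even when valid
Version: 1.0
Author: Cameron McConnochie
Creation Date: 2 Aug 2018
Purpose/Change: Initial script development
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True,Position=1)]
    [ValidateScript({
        if(-Not ($_ | Test-Path -PathType Container) ){
            throw "The OutputFolder argument must be a folder."
        }
        return $true
    })]
    [System.IO.FileInfo]$OutputFolder
)

$Activity = "Getting all DC Security Logs..."
# Path of the event log folder relative to the remote admin share (single-quoted so C$ is literal).
$LogShare = 'C$\Windows\System32\WinEvt\Logs'

$Forest = [System.Directoryservices.ActiveDirectory.Forest]::GetCurrentForest()
# Wrapped in @() so a forest with a single DC still yields an array; a bare string's .Length would be its character count.
$DCs = @($Forest.Domains | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name})
$Total = $DCs.Count

Write-Progress -Activity $Activity -PercentComplete 0
$count = 0
ForEach ($DC in $DCs){
    $ShortName = $DC.Split(".")[0]
    # NOTE: two DCs in different domains with the same short hostname map to the same file and -Force overwrites the earlier copy.
    $Destination = Join-Path -Path $OutputFolder -ChildPath "$($ShortName)Security.evtx"
    $Root = "\\$DC\$LogShare"
    Write-Progress -Activity $Activity -Status "Getting Security Logs from $($DC) ($($count+1) of $Total)..." -PercentComplete (($count/$Total)*100)
    Write-Host "Getting Security Logs from $($DC)... " -NoNewline
    # Set when the user cancels the credential prompt; the DC is then skipped rather than prompted for again.
    [bool]$Abort = $false
    try{
        # First attempt: the running user's own credentials over the admin share.
        # The log is copied while the Event Log service has it open, so records written during the copy may be missing.
        Copy-Item -Path "$Root\Security.evtx" -Destination $Destination -Force -ErrorAction Stop
    }catch{
        try{
            # Second attempt: credentials gathered for an earlier DC ($Creds persists across iterations).
            # Without stored credentials there is nothing to map, so go straight to prompting.
            if (-not $Creds) { throw "No stored credentials" }
            Write-Debug "Using existing Credentials ($($Creds.Username)) and connecting..."
            New-PSDrive -Name Logs -PSProvider FileSystem -Root $Root -Credential $Creds -ErrorAction Stop | Out-Null
            Write-Debug "Drive connected, attempting copy..."
            Copy-Item -Path "Logs:\Security.evtx" -Destination $Destination -Force -ErrorAction Stop
        }catch{
            # Third attempt: prompt for credentials until the log is reachable or the user cancels.
            Write-Debug "Getting new Credentials and connecting..."
            Do {
                IF(Test-Path "Logs:\"){
                    Write-Debug "Removing Drive map for $($DC)."
                    Remove-PSDrive -Name Logs
                }
                $Creds = Get-Credential -Message "Enter a username and password with Admin access to $($ShortName):"
                # Prompt cancelled: leave the loop. Previously the loop retried with a null credential and prompted forever.
                if ($Creds -isnot [System.Management.Automation.PSCredential]) {
                    Write-Host "Cancelled" -ForegroundColor Red
                    $Abort = $true
                    break
                }
                New-PSDrive -Name Logs -PSProvider FileSystem -Root $Root -Credential $Creds -ErrorAction SilentlyContinue | Out-Null
            } While (-Not (Test-Path "Logs:\Security.evtx"))
            If(-not $Abort){
                Write-Debug "Drive connected, attempting copy..."
                Copy-Item -Path "Logs:\Security.evtx" -Destination $Destination -Force -ErrorAction Stop
            }
        }
    }finally{
        # Cleanup: the Logs: drive is per-DC and must not survive into the next iteration.
        IF(Test-Path "Logs:\"){
            Write-Debug "Removing Drive map for $($DC)."
            Remove-PSDrive -Name Logs
        }
    }
    # Report the real outcome; a cancelled DC is not "Done".
    if ($Abort) {
        Write-Host "Skipped" -ForegroundColor Yellow
    } else {
        Write-Host "Done" -ForegroundColor Green
    }
    $count++
}
Write-Progress -Activity $Activity -Completed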