This is a fork of the Endgame script scrape-events.ps1. I gave it more functionality to take any event log and to be able to query remotely or take a path to the event log. Original Endgame script cant be found here: https://github.com/endgameinc/eqllib/blob/master/utils/scrape-events.ps1.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-EventProps { | |
| [cmdletbinding()] | |
| Param ( | |
| [parameter(ValueFromPipeline)] | |
| $event | |
| ) | |
| Process { | |
| $eventXml = [xml]$event.ToXML() | |
| $eventKeys = $eventXml.Event.EventData.Data | |
| $Properties = @{} | |
| $Properties.EventId = $event.Id | |
| For ($i=0; $i -lt $eventKeys.Count; $i++) { | |
| $Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text' | |
| } | |
| [pscustomobject]$Properties | |
| } | |
| } | |
| function reverse { | |
| $arr = @($input) | |
| [array]::reverse($arr) | |
| $arr | |
| } | |
| function Get-LatestLogs { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogs -computername localhost -Logname security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True, | |
| HelpMessage="Enter ComputerName")] | |
| [int32]$MaxEvents=5000, | |
| [string[]]$Computername, | |
| [string]$Logname | |
| ) | |
| foreach ($comp in $Computername) | |
| { | |
| Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| } | |
| function Get-LatestLogsFromPath { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True)] | |
| [int32]$MaxEvents=5000, | |
| [string]$Path | |
| ) | |
| Get-WinEvent -filterhashtable @{Path=$Path} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| function Get-LatestLogsId { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsId -computername localhost -Logname security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True, | |
| HelpMessage="Enter ComputerName")] | |
| [int32]$MaxEvents=5000, | |
| [string[]]$Computername, | |
| [string]$Logname, | |
| [string[]]$Id | |
| ) | |
| foreach ($comp in $Computername) | |
| { | |
| Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| } | |
| function Get-LatestLogsFromPathId { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True] | |
| [int32]$MaxEvents=5000, | |
| [string]$Path, | |
| [string[]]$Id | |
| ) | |
| Get-WinEvent -filterhashtable @{Path=$Path;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment