This is a fork of the Endgame script scrape-events.ps1. I gave it more functionality to take any event log and to be able to query remotely or take a path to the event log. Original Endgame script cant be found here: https://github.com/endgameinc/eqllib/blob/master/utils/scrape-events.ps1.
| function Get-EventProps { | |
| [cmdletbinding()] | |
| Param ( | |
| [parameter(ValueFromPipeline)] | |
| $event | |
| ) | |
| Process { | |
| $eventXml = [xml]$event.ToXML() | |
| $eventKeys = $eventXml.Event.EventData.Data | |
| $Properties = @{} | |
| $Properties.EventId = $event.Id | |
| For ($i=0; $i -lt $eventKeys.Count; $i++) { | |
| $Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text' | |
| } | |
| [pscustomobject]$Properties | |
| } | |
| } | |
| function reverse { | |
| $arr = @($input) | |
| [array]::reverse($arr) | |
| $arr | |
| } | |
| function Get-LatestLogs { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogs -computername localhost -Logname security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True, | |
| HelpMessage="Enter ComputerName")] | |
| [int32]$MaxEvents=5000, | |
| [string[]]$Computername, | |
| [string]$Logname | |
| ) | |
| foreach ($comp in $Computername) | |
| { | |
| Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| } | |
| function Get-LatestLogsFromPath { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True)] | |
| [int32]$MaxEvents=5000, | |
| [string]$Path | |
| ) | |
| Get-WinEvent -filterhashtable @{Path=$Path} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| function Get-LatestLogsId { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsId -computername localhost -Logname security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True, | |
| HelpMessage="Enter ComputerName")] | |
| [int32]$MaxEvents=5000, | |
| [string[]]$Computername, | |
| [string]$Logname, | |
| [string[]]$Id | |
| ) | |
| foreach ($comp in $Computername) | |
| { | |
| Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| } | |
| function Get-LatestLogsFromPathId { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True] | |
| [int32]$MaxEvents=5000, | |
| [string]$Path, | |
| [string[]]$Id | |
| ) | |
| Get-WinEvent -filterhashtable @{Path=$Path;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment