Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
This is a fork of the Endgame script scrape-events.ps1. I gave it more functionality to take any event log and to be able to query remotely or take a path to the event log. Original Endgame script cant be found here: https://github.com/endgameinc/eqllib/blob/master/utils/scrape-events.ps1.
function Get-EventProps {
[cmdletbinding()]
Param (
[parameter(ValueFromPipeline)]
$event
)
Process {
$eventXml = [xml]$event.ToXML()
$eventKeys = $eventXml.Event.EventData.Data
$Properties = @{}
$Properties.EventId = $event.Id
For ($i=0; $i -lt $eventKeys.Count; $i++) {
$Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text'
}
[pscustomobject]$Properties
}
}
function reverse {
$arr = @($input)
[array]::reverse($arr)
$arr
}
function Get-LatestLogs {
<#
.EXAMPLE
Get-LatestLogs -computername localhost -Logname security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
#>
[cmdletbinding()]
param (
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[int32]$MaxEvents=5000,
[string[]]$Computername,
[string]$Logname
)
foreach ($comp in $Computername)
{
Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname} -MaxEvents $MaxEvents | Get-EventProps | reverse
}
}
function Get-LatestLogsFromPath {
<#
.EXAMPLE
Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
#>
[cmdletbinding()]
param (
[Parameter(Mandatory=$false,
ValueFromPipeline=$True)]
[int32]$MaxEvents=5000,
[string]$Path
)
Get-WinEvent -filterhashtable @{Path=$Path} -MaxEvents $MaxEvents | Get-EventProps | reverse
}
function Get-LatestLogsId {
<#
.EXAMPLE
Get-LatestLogsId -computername localhost -Logname security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
#>
[cmdletbinding()]
param (
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[int32]$MaxEvents=5000,
[string[]]$Computername,
[string]$Logname,
[string[]]$Id
)
foreach ($comp in $Computername)
{
Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse
}
}
function Get-LatestLogsFromPathId {
<#
.EXAMPLE
Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
#>
[cmdletbinding()]
param (
[Parameter(Mandatory=$false,
ValueFromPipeline=$True]
[int32]$MaxEvents=5000,
[string]$Path,
[string[]]$Id
)
Get-WinEvent -filterhashtable @{Path=$Path;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment