This is a fork of the Endgame script scrape-events.ps1. I gave it more functionality: it can read any event log, query a remote computer, or take a path to an event log file. The original Endgame script can be found here: https://github.com/endgameinc/eqllib/blob/master/utils/scrape-events.ps1.
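function Get-EventProps {
    <#
    .SYNOPSIS
    Flattens an event record into one object whose properties are the EventData fields.
    .DESCRIPTION
    Converts the record to XML with ToXML(), walks every <Data> element under
    <EventData> and exposes each one as a property named after its Name attribute.
    The record's numeric Id is always exposed as EventId.
    <Data> elements that carry no Name attribute would all collapse onto a single
    key (or a null key, which the hashtable rejects); they are emitted as
    Data0, Data1, ... instead so no value is silently lost.
    .PARAMETER event
    An event record (for example from Get-WinEvent) that exposes Id and ToXML().
    .OUTPUTS
    [pscustomobject] with EventId plus one property per EventData field.
    #>
    [cmdletbinding()]
    Param (
        [parameter(ValueFromPipeline)]
        $event
    )
    Process {
        $eventXml = [xml]$event.ToXML()
        # @() so a single element, or a missing EventData section ($null), can be indexed uniformly.
        $eventKeys = @($eventXml.Event.EventData.Data)
        $Properties = @{}
        $Properties.EventId = $event.Id
        For ($i = 0; $i -lt $eventKeys.Count; $i++) {
            $item = $eventKeys[$i]
            if ($null -eq $item) { continue }
            if ($item -is [System.Xml.XmlElement] -and $item.HasAttribute('Name')) {
                # Normal case: <Data Name="Field">value</Data>
                $Properties[$item.GetAttribute('Name')] = $item.'#text'
            } elseif ($item -is [System.Xml.XmlElement]) {
                # Unnamed element that still has attributes/children: keep its text under an indexed key.
                $Properties["Data$i"] = $item.'#text'
            } else {
                # The XML adapter hands back text-only <Data> elements as plain strings;
                # index the key so sibling values do not overwrite each other.
                $Properties["Data$i"] = [string]$item
            }
        }
        [pscustomobject]$Properties
    }
}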
function reverse {
    <#
    .SYNOPSIS
    Emits the pipeline input in reverse order (last item first).
    .DESCRIPTION
    Buffers everything received on the pipeline, then writes the items back
    out from the highest index down to zero. Empty input produces no output.
    #>
    $items = @($input)
    for ($k = $items.Count - 1; $k -ge 0; $k--) {
        $items[$k]
    }
}
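function Get-LatestLogs {
    <#
    .SYNOPSIS
    Reads the most recent events from a named log on one or more computers.
    .DESCRIPTION
    Wraps Get-WinEvent -ComputerName with a log-name filter, flattens each
    record with Get-EventProps and reverses the output so the events are
    emitted in the opposite order from how Get-WinEvent returned them.
    .PARAMETER MaxEvents
    Upper bound on the number of events read per computer (default 5000).
    .PARAMETER Computername
    One or more computer names to query; also accepted from the pipeline.
    Nothing is emitted when the list is empty.
    .PARAMETER Logname
    Name of the event log to read, e.g. Security or System.
    .EXAMPLE
    Get-LatestLogs -computername localhost -Logname security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
    #>
    [cmdletbinding()]
    param (
        [int32]$MaxEvents = 5000,
        # The Parameter attribute belongs to Computername (its HelpMessage says so);
        # it previously sat above $MaxEvents, so pipeline input bound to the event count.
        [Parameter(Mandatory = $false,
                   ValueFromPipeline = $True,
                   HelpMessage = "Enter ComputerName")]
        [string[]]$Computername,
        [string]$Logname
    )
    # process{} is required for ValueFromPipeline to run once per piped computer name.
    process {
        foreach ($comp in $Computername) {
            Get-WinEvent -ComputerName $comp -FilterHashtable @{ logname = $Logname } -MaxEvents $MaxEvents | Get-EventProps | reverse
        }
    }
}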
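function Get-LatestLogsFromPath {
    <#
    .SYNOPSIS
    Reads the most recent events from a saved event log file.
    .DESCRIPTION
    Wraps Get-WinEvent with a Path filter, flattens each record with
    Get-EventProps and reverses the output so the events are emitted in the
    opposite order from how Get-WinEvent returned them.
    .PARAMETER MaxEvents
    Upper bound on the number of events read from the file (default 5000).
    .PARAMETER Path
    Path to the event log file (.evtx); also accepted from the pipeline.
    .EXAMPLE
    Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security.evtx -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
    #>
    [cmdletbinding()]
    param (
        [int32]$MaxEvents = 5000,
        # The Parameter attribute belongs to Path; it previously sat above
        # $MaxEvents, so pipeline input bound to the event count.
        [Parameter(Mandatory = $false,
                   ValueFromPipeline = $True)]
        [string]$Path
    )
    # process{} is required for ValueFromPipeline to run once per piped path.
    process {
        # Get-WinEvent fails with an unhelpful error when Path is empty; say so up front.
        if ([string]::IsNullOrEmpty($Path)) {
            throw "Get-LatestLogsFromPath: -Path is required"
        }
        Get-WinEvent -FilterHashtable @{ Path = $Path } -MaxEvents $MaxEvents | Get-EventProps | reverse
    }
}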
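function Get-LatestLogsId {
    <#
    .SYNOPSIS
    Reads the most recent events with the given event IDs from a named log on one or more computers.
    .DESCRIPTION
    Like Get-LatestLogs, but restricts the Get-WinEvent filter to the listed
    event IDs. Records are flattened with Get-EventProps and the output is
    reversed so the events are emitted in the opposite order from how
    Get-WinEvent returned them.
    .PARAMETER MaxEvents
    Upper bound on the number of events read per computer (default 5000).
    .PARAMETER Computername
    One or more computer names to query; also accepted from the pipeline.
    Nothing is emitted when the list is empty.
    .PARAMETER Logname
    Name of the event log to read, e.g. Security or System.
    .PARAMETER Id
    One or more event IDs to keep (e.g. 4624).
    .EXAMPLE
    Get-LatestLogsId -computername localhost -Logname security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
    #>
    [cmdletbinding()]
    param (
        [int32]$MaxEvents = 5000,
        # The Parameter attribute belongs to Computername (its HelpMessage says so);
        # it previously sat above $MaxEvents, so pipeline input bound to the event count.
        [Parameter(Mandatory = $false,
                   ValueFromPipeline = $True,
                   HelpMessage = "Enter ComputerName")]
        [string[]]$Computername,
        [string]$Logname,
        [string[]]$Id
    )
    # process{} is required for ValueFromPipeline to run once per piped computer name.
    process {
        foreach ($comp in $Computername) {
            Get-WinEvent -ComputerName $comp -FilterHashtable @{ logname = $Logname; id = $Id } -MaxEvents $MaxEvents | Get-EventProps | reverse
        }
    }
}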
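function Get-LatestLogsFromPathId {
    <#
    .SYNOPSIS
    Reads the most recent events with the given event IDs from a saved event log file.
    .DESCRIPTION
    Like Get-LatestLogsFromPath, but restricts the Get-WinEvent filter to the
    listed event IDs. Records are flattened with Get-EventProps and the output
    is reversed so the events are emitted in the opposite order from how
    Get-WinEvent returned them.
    .PARAMETER MaxEvents
    Upper bound on the number of events read from the file (default 5000).
    .PARAMETER Path
    Path to the event log file (.evtx); also accepted from the pipeline.
    .PARAMETER Id
    One or more event IDs to keep (e.g. 4624).
    .EXAMPLE
    Get-LatestLogsFromPathId -Path c:\windows\system32\winevt\logs\security.evtx -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json
    #>
    [cmdletbinding()]
    param (
        [int32]$MaxEvents = 5000,
        # Closing parenthesis of the attribute was missing (a parse error), and the
        # attribute belongs to Path rather than $MaxEvents.
        [Parameter(Mandatory = $false,
                   ValueFromPipeline = $True)]
        [string]$Path,
        [string[]]$Id
    )
    # process{} is required for ValueFromPipeline to run once per piped path.
    process {
        # Get-WinEvent fails with an unhelpful error when Path is empty; say so up front.
        if ([string]::IsNullOrEmpty($Path)) {
            throw "Get-LatestLogsFromPathId: -Path is required"
        }
        Get-WinEvent -FilterHashtable @{ Path = $Path; id = $Id } -MaxEvents $MaxEvents | Get-EventProps | reverse
    }
}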