Created
December 29, 2020 14:43
-
-
Save medmondson44/294e90981bc1454d316e27e03b487e04 to your computer and use it in GitHub Desktop.
This is a fork of the Endgame script scrape-events.ps1. I gave it more functionality to take any event log and to be able to query remotely or take a path to the event log. Original Endgame script cant be found here: https://github.com/endgameinc/eqllib/blob/master/utils/scrape-events.ps1.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-EventProps { | |
| [cmdletbinding()] | |
| Param ( | |
| [parameter(ValueFromPipeline)] | |
| $event | |
| ) | |
| Process { | |
| $eventXml = [xml]$event.ToXML() | |
| $eventKeys = $eventXml.Event.EventData.Data | |
| $Properties = @{} | |
| $Properties.EventId = $event.Id | |
| For ($i=0; $i -lt $eventKeys.Count; $i++) { | |
| $Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text' | |
| } | |
| [pscustomobject]$Properties | |
| } | |
| } | |
| function reverse { | |
| $arr = @($input) | |
| [array]::reverse($arr) | |
| $arr | |
| } | |
| function Get-LatestLogs { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogs -computername localhost -Logname security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True, | |
| HelpMessage="Enter ComputerName")] | |
| [int32]$MaxEvents=5000, | |
| [string[]]$Computername, | |
| [string]$Logname | |
| ) | |
| foreach ($comp in $Computername) | |
| { | |
| Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| } | |
| function Get-LatestLogsFromPath { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True)] | |
| [int32]$MaxEvents=5000, | |
| [string]$Path | |
| ) | |
| Get-WinEvent -filterhashtable @{Path=$Path} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| function Get-LatestLogsId { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsId -computername localhost -Logname security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True, | |
| HelpMessage="Enter ComputerName")] | |
| [int32]$MaxEvents=5000, | |
| [string[]]$Computername, | |
| [string]$Logname, | |
| [string[]]$Id | |
| ) | |
| foreach ($comp in $Computername) | |
| { | |
| Get-WinEvent -ComputerName $Comp -filterhashtable @{logname=$logname;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } | |
| } | |
| function Get-LatestLogsFromPathId { | |
| <# | |
| .EXAMPLE | |
| Get-LatestLogsFromPath -Path c:\windows\system32\winevt\logs\security -id 4624 -MaxEvents 5 | ConvertTo-Json | Out-File -Encoding ASCII -FilePath my-security-data.json | |
| #> | |
| [cmdletbinding()] | |
| param ( | |
| [Parameter(Mandatory=$false, | |
| ValueFromPipeline=$True] | |
| [int32]$MaxEvents=5000, | |
| [string]$Path, | |
| [string[]]$Id | |
| ) | |
| Get-WinEvent -filterhashtable @{Path=$Path;id=$id} -MaxEvents $MaxEvents | Get-EventProps | reverse | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment