Created
June 25, 2018 23:07
-
-
Save raandree/65cdcec2867515b6e19d5b529254846b to your computer and use it in GitHub Desktop.
EventLogLegacy.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Gets event log entries from remote computers using RPC/DCOM (same as connecting to remote computer from event log viewer MMC) | |
| .DESCRIPTION | |
| Gets event log entries from remote computers using RPC/DCOM (same as connecting to remote computer from event log viewer MMC) | |
| .NOTES | |
| -------------------------------------------------------------------------------- | |
| Script author: Per Pedersen - per.pedersen@microsoft.com | |
| Created on: 2018-06-21 | |
| History: 1.0.0 2018-06-21 - Initial version | |
| -------------------------------------------------------------------------------- | |
| This script is provided "AS IS" with no warranties, confers no rights and | |
| is not supported by the authors or Microsoft Corporation. | |
| Use of this script sample is subject to the terms specified at | |
| https://www.microsoft.com/en-us/legal/Copyright/Default.aspx | |
| .EXAMPLE | |
| .\Get-RemoteEvent -ComputerName $computers | |
| Gets all events from computers in $computers variable from System event log (default log) from last 1 hour (default) | |
| .EXAMPLE | |
| .\Get-RemoteEvent -ComputerName $computers -Hours 100 | |
| Gets all events from computers in $computers variable from System event log (default log) from last 100 hours | |
| .EXAMPLE | |
| .\Get-RemoteEvent -ComputerName $computers -Hours 100 -EventID 1000 | |
| Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 | |
| .EXAMPLE | |
| .\Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 100 -UserName 'Contoso\Administrator' -Password 'Somepass1' | |
| Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using clear text username password (will not be used over the network but merely used for creating credentials used for cmdlet) | |
| .EXAMPLE | |
| $cred = New-Object pscredential('Contoso\Administrator', ('Somepass1' | ConvertTo-SecureString -AsPlainText -Force));.\Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 10 -Credential $cred | |
| Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using a pre-generated credentials object | |
| #> | |
| [CmdletBinding(DefaultParameterSetName = 'UsernamePassword')] | |
| param | |
| ( | |
| [ValidateLength(1,15)] | |
| [ValidateCount(1,65535)] | |
| [string[]]$ComputerName, | |
| [Parameter(ParameterSetName='UsernamePassword')] | |
| [ValidateLength(1,255)] | |
| [string]$UserName, | |
| [Parameter(ParameterSetName='UsernamePassword')] | |
| [ValidateLength(1,255)] | |
| [string]$Password, | |
| [Parameter(ParameterSetName='Credential')] | |
| [pscredential]$Credential, | |
| [ValidateLength(1,255)] | |
| [string]$LogName = 'System', | |
| [ValidateSet('', 'Information', 'Warning', 'Error')] | |
| [string]$Type, | |
| [ValidateRange(0,65535)] | |
| [int]$EventID, | |
| [ValidateRange(0,720)] | |
| [int]$Hours = 1 | |
| ) | |
| function Get-RemoteEvent | |
| { | |
| [CmdletBinding(DefaultParameterSetName = 'UsernamePassword')] | |
| param | |
| ( | |
| [ValidateLength(1,15)] | |
| [ValidateCount(1,65535)] | |
| [string[]]$ComputerName, | |
| [Parameter(ParameterSetName='UsernamePassword')] | |
| [ValidateLength(1,255)] | |
| [string]$UserName, | |
| [Parameter(ParameterSetName='UsernamePassword')] | |
| [ValidateLength(1,255)] | |
| [string]$Password, | |
| [Parameter(ParameterSetName='Credential')] | |
| [pscredential]$Credential, | |
| [ValidateLength(1,255)] | |
| [string]$LogName = 'System', | |
| [ValidateSet('', 'Information', 'Warning', 'Error')] | |
| [string]$Type, | |
| [ValidateRange(0,65535)] | |
| [int]$EventID, | |
| [ValidateRange(0,720)] | |
| [int]$Hours = 1 | |
| ) | |
| Write-Verbose -Message "ParSet='$($PSCmdlet.ParameterSetName)'" | |
| $startTime = (Get-Date).AddHours(-$Hours) | |
| if ($Type) | |
| { | |
| $events = Get-EventLog -ComputerName $ComputerName -LogName $LogName -After $startTime -EntryType $Type | |
| } | |
| else | |
| { | |
| $events = Get-EventLog -ComputerName $ComputerName -LogName $LogName -After $startTime | |
| } | |
| if ($EventID) | |
| { | |
| $events = $events | Where-Object {$_.EventID -eq $EventID} | |
| } | |
| $events | |
| } | |
| if ($PSBoundParameters.Count) | |
| { | |
| $PSBoundParameters.Count | |
| Get-RemoteEvent @PSBoundParameters | |
| } | |
| break | |
| #Get all events from computers in $computers variable from System event log (default log) from last 1 hour (default) | |
| Get-RemoteEvent -ComputerName $computers | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize | |
| #Get all events from computers in $computers variable from System event log (default log) from last 100 hours | |
| Get-RemoteEvent -ComputerName $computers -Hours 100 | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize | |
| #Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 | |
| Get-RemoteEvent -ComputerName $computers -Hours 100 -EventID 1000 | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize | |
| #Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1 using clear text username password (will not be used over the network but merely used for creating credentials used for cmdlet) | |
| Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 100 -UserName 'Contoso\Administrator' -Password 'Somepass1' | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize | |
| #Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using a pre-generated credentials object | |
| $cred = New-Object pscredential('Contoso\Administrator', ('Somepass1' | ConvertTo-SecureString -AsPlainText -Force)) | |
| Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 10 -Credential $cred | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment