forked from RamblingCookieMonster/PowerShell
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
05a8d2b
commit 8013c12
Showing
1 changed file
with
84 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| Function Get-WinEventData { | ||
| <# | ||
| .SYNOPSIS | ||
| Get custom event data from an event log record | ||
| .DESCRIPTION | ||
| Get custom event data from an event log record | ||
| Takes in Event Log entries from Get-WinEvent, converts each to XML, extracts all properties from Event.EventData.Data | ||
| Notes: | ||
| To avoid overwriting existing properties or skipping event data properties, | ||
| we append a prefix (default: e_) to these extracted properties. | ||
| Some events store custom data in other XML nodes. | ||
| For example, AppLocker uses Event.UserData.RuleAndFileData | ||
| .PARAMETER Event | ||
| One or more event. | ||
| Accepts data from Get-WinEvent or any System.Diagnostics.Eventing.Reader.EventLogRecord object | ||
| .PARAMETER Prefix | ||
| Append this to EventData keys to ensure uniqueness. Defaults to e_ | ||
| .INPUTS | ||
| System.Diagnostics.Eventing.Reader.EventLogRecord | ||
| .OUTPUTS | ||
| System.Diagnostics.Eventing.Reader.EventLogRecord | ||
| .EXAMPLE | ||
| Get-WinEvent -LogName system -max 1 | Get-WinEventData | Select -Property MachineName, TimeCreated, e_* | ||
| # Simple example showing the computer an event was generated on, the time, and any custom event data | ||
| .EXAMPLE | ||
| Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4740} -MaxEvents 10 | Get-WinEventData | Select TimeCreated, e_TargetUserName, e_TargetDomainName | ||
| # Find lockout events on a domain controller | ||
| # ideally you have log forwarding, audit collection services, or a product from a t-shirt company for this... | ||
| .NOTES | ||
| Concept and most code borrowed from Ashley McGlone | ||
| http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx | ||
| .FUNCTIONALITY | ||
| Computers | ||
| #> | ||
| [cmdletbinding()] | ||
| param( | ||
| [Parameter(Mandatory=$true, | ||
| ValueFromPipeline=$true, | ||
| ValueFromPipelineByPropertyName=$true, | ||
| ValueFromRemainingArguments=$false, | ||
| Position=0 )] | ||
| [System.Diagnostics.Eventing.Reader.EventLogRecord[]] | ||
| $Event, | ||
|
|
||
| [string]$Prefix = 'e_' | ||
| ) | ||
|
|
||
| Process | ||
| { | ||
| #Loop through provided events | ||
| foreach($entry in $event) | ||
| { | ||
| #Get the XML... | ||
| $XML = [xml]$entry.ToXml() | ||
|
|
||
| #Some events use other nodes, like 'UserData' on Applocker events... | ||
| $XMLData = $null | ||
| if( $XMLData = @( $XML.Event.EventData.Data ) ) | ||
| { | ||
| For( $i=0; $i -lt $XMLData.count; $i++ ) | ||
| { | ||
| #We don't want to overwrite properties that might be on the original object, or in another event node. | ||
| $Entry = Add-Member -InputObject $entry -MemberType NoteProperty -Name "$Prefix$($XMLData[$i].name)" -Value $XMLData[$i].'#text' -Force -Passthru | ||
| } | ||
| } | ||
| $Entry | ||
| } | ||
| } | ||
| } |