EventLog/Export-WinEvent.ps1
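function Export-WinEvent {
    <#
    .SYNOPSIS
        Export events that match a given query into an Evtx file.
    .DESCRIPTION
        Export events that match a given query into an Evtx file. Supports as
        source a log by Log Name or another Evtx file. The query has to be in
        XPath format. Events are read through an EventLogSession that is created
        per call (locally, or against -ComputerName with an optional -Credential)
        and disposed when the export finishes.
    .EXAMPLE
        PS C:\> [string]$query = $($Output = Get-SysmonProcessAccess -TargetImage "C:\WINDOWS\system32\lsass.exe" -verbose -MaxEvents 1) 4>&1
        PS C:\> Export-WinEvent -SourcePath "Microsoft-Windows-Sysmon/Operational" -Path C:\LSASSProcessAccess.evtx -Query $query

        Capture the XPath query from one of the Sysmon PSGumshoe functions and use
        that to export the resulting events into a file. Technique also works with
        Get-WinEvent.
    .INPUTS
        System.String
    .OUTPUTS
        None. The exported events are written to the file(s) named by -Path.
    .NOTES
        XPath Query EventLog use and limitations
        https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events
    #>
    [CmdletBinding(DefaultParameterSetName = "Local")]
    param (
        # Source to export from: a log name (e.g. "Microsoft-Windows-Sysmon/Operational")
        # or, with -SourceType FilePath, the path of an existing .evtx file.
        [Parameter(Mandatory = $true)]
        [String]
        $SourcePath,

        # Type of source. (FilePath or LogName)
        [Parameter(Mandatory = $false)]
        [ValidateSet("FilePath", "LogName")]
        [String]
        $SourceType = "LogName",

        # Target .evtx file(s). ExportLog() writes a single file per call, so each
        # element of -Path produces a separate export of the same query.
        [Parameter(Mandatory = $false,
                   Position = 1,
                   ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true)]
        [Alias("PSPath")]
        [ValidateNotNullOrEmpty()]
        [string[]]
        $Path,

        # The query used to select the events to export. Only the events returned
        # from the query will be exported. Queries are represented in MS Eventlog XPath.
        [Parameter(Mandatory = $true)]
        [String]
        $Query,

        # Export from the specified remote computer. Type the NetBIOS name, an
        # Internet Protocol (IP) address, or the fully qualified domain name of the
        # computer. To get events and event logs from remote computers, the firewall
        # port for the event log service must be configured to allow remote access.
        [Parameter(Mandatory = $true,
                   ValueFromPipelineByPropertyName = $true,
                   ParameterSetName = 'Remote')]
        [string]
        $ComputerName,

        # Specifies a user account that has permission to perform this action.
        #
        # Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential
        # object, such as one generated by the Get-Credential cmdlet. If you type a
        # user name, you will be prompted for a password. If you type only the
        # parameter name, you will be prompted for both a user name and a password.
        [Parameter(Mandatory = $false, ParameterSetName = 'Remote')]
        [Management.Automation.PSCredential]
        [Management.Automation.CredentialAttribute()]
        $Credential
    )

    begin { }

    process {
        # ExportLog() needs a concrete target file. -Path is optional at the
        # parameter level (it may arrive from the pipeline), so check it here
        # rather than surfacing an ArgumentNullException from .NET.
        if (-not $Path -or $Path.Count -eq 0) {
            throw "Export-WinEvent: -Path must name at least one target .evtx file."
        }

        $EvtSession = $null
        try {
            switch ($PSCmdlet.ParameterSetName) {
                "Local" {
                    $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::New()
                }
                "Remote" {
                    if ($PSBoundParameters.ContainsKey("Credential")) {
                        # The only credential-taking overload is
                        # (server, domain, user, SecureString password, SessionAuthentication);
                        # there is no (server, user, password) constructor. Pass the
                        # SecureString straight through instead of materialising the
                        # plain-text password in the process.
                        $netCred = $Credential.GetNetworkCredential()
                        $domain = $netCred.Domain
                        if ([string]::IsNullOrEmpty($domain)) {
                            # UPN-style names carry no separate domain part.
                            $domain = $null
                        }
                        $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::New(
                            $ComputerName,
                            $domain,
                            $netCred.UserName,
                            $Credential.Password,
                            [System.Diagnostics.Eventing.Reader.SessionAuthentication]::Default)
                    }
                    else {
                        $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::New($ComputerName)
                    }
                }
            }

            $pathType = [System.Diagnostics.Eventing.Reader.PathType]$SourceType

            # One ExportLog() call per target. Passing the [string[]] directly
            # would let PowerShell flatten a multi-element array into a single
            # space-joined file name.
            foreach ($target in $Path) {
                Write-Verbose "Exporting '$SourcePath' ($SourceType) to '$target'"
                $EvtSession.ExportLog($SourcePath, $pathType, $Query, $target)
            }
        }
        finally {
            # EventLogSession owns a native handle (and, for Remote, the session
            # to the other host); release it on every exit path.
            if ($null -ne $EvtSession) {
                $EvtSession.Dispose()
            }
        }
    }

    end { }
}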