Public/Invoke-EventLogs.ps1
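function Get-AdministrativeEvent {
    <#
    .SYNOPSIS
    Collects recent Critical/Error events from the administrative logs of one or more computers.

    .DESCRIPTION
    For each computer, every administrative, system-isolation log that currently has records is
    queried with Get-WinEvent for events of level 1 (Critical) or 2 (Error) created within the
    last -HoursBack hours. When the remote endpoint cannot be reached with Get-WinEvent (the
    "Endpoint" error seen on pre-Windows 2008 systems), the System log is read with Get-EventLog
    instead. Events are then consolidated per event Id: only the newest occurrence of each Id is
    returned, carrying a NumEvents count of how many times that Id occurred in the window.

    .PARAMETER ComputerName
    One or more computers to query. Also accepted from the pipeline.

    .PARAMETER HoursBack
    Number of hours back from now that defines the query window.

    .PARAMETER Credential
    Optional credential for the remote Get-WinEvent query. When omitted the caller's identity is
    used. (Get-EventLog has no credential parameter, so the fallback always runs as the caller.)

    .OUTPUTS
    Objects with MachineName, NumEvents, TimeCreated, ProviderName, LogName, Id, LevelDisplayName
    and Message. Computers that fail (RPC/endpoint error, query error, no events) produce a
    warning and contribute no output objects.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,

        [Parameter(Mandatory)]
        [int]$HoursBack,

        [Parameter()]
        [pscredential]$Credential
    )

    Begin {
        Write-Verbose "$(Get-Date) - Started."
        $AllResults = @()
        # Forward -Credential only when the caller supplied one. The previous version passed an
        # undefined $credential, i.e. $null, which Get-WinEvent rejects at parameter binding and
        # which was then reported as "No events found".
        $credParam = @{}
        if ($PSBoundParameters.ContainsKey('Credential')) {
            $credParam['Credential'] = $Credential
        }
    }

    Process {
        foreach ($Computer in $ComputerName) {
            $result = $null
            # Per-computer outcome: 'ok' | 'none' | 'error' | 'RPC error'. Tracked separately from
            # $result so the event array is never compared against status strings.
            $status = 'ok'
            Write-Verbose "$(Get-Date) - Working on $Computer - Eventlog"
            $starttime = (Get-Date).AddHours(-$HoursBack)

            try {
                Write-Verbose "$(Get-Date) - Trying with Get-WinEvent"
                # Only administrative logs with system isolation that actually contain records.
                $logNames = (Get-WinEvent @credParam -ComputerName $Computer -ListLog * |
                    Where-Object { ($_.LogType -eq 'Administrative') -and ($_.LogIsolation -eq 'System') } |
                    Where-Object RecordCount).LogName

                $result = Get-WinEvent @credParam -ErrorAction Stop -ComputerName $Computer -FilterHashtable @{
                    LogName   = $logNames
                    StartTime = $starttime
                    Level     = 1, 2   # 1 = Critical, 2 = Error
                } | Select-Object MachineName, TimeCreated, ProviderName, LogName, Id, LevelDisplayName, Message
            }
            catch [System.Diagnostics.Eventing.Reader.EventLogException] {
                switch -regex ($_.Exception.Message) {
                    'RPC' {
                        Write-Warning "$(Get-Date) - RPC error while communicating with $Computer"
                        $status = 'RPC error'
                    }
                    'Endpoint' {
                        Write-Verbose "$(Get-Date) - Trying with Get-EventLog for systems older than Windows 2008"
                        try {
                            # -Newest 1000 caps the read; very noisy logs may have Error entries
                            # inside the window that are older than the newest 1000 and are skipped.
                            $sysevents = Get-EventLog -ComputerName $Computer -LogName System -Newest 1000 -EntryType Error -ErrorAction Stop |
                                Where-Object TimeGenerated -gt $starttime |
                                Select-Object MachineName,
                                    @{Name = 'TimeCreated'; Expression = { $_.TimeGenerated } },
                                    @{Name = 'ProviderName'; Expression = { $_.Source } },
                                    LogName,
                                    @{Name = 'Id'; Expression = { $_.EventId } },
                                    @{Name = 'LevelDisplayName'; Expression = { $_.EntryType } },
                                    Message
                            if ($sysevents) {
                                $result = $sysevents
                            }
                            else {
                                Write-Warning "$(Get-Date) - No events found on $Computer"
                                $status = 'none'
                            }
                        }
                        catch {
                            $status = 'error'
                        }
                    }
                    Default {
                        Write-Warning "$(Get-Date) - Error retrieving events from $Computer"
                        $status = 'error'
                    }
                }
            }
            catch [Exception] {
                # Get-WinEvent raises a terminating error when the filter matches nothing.
                Write-Warning "$(Get-Date) - No events found on $Computer"
                $status = 'none'
            }

            if ($status -ne 'ok' -or $null -eq $result) {
                continue
            }

            Write-Verbose "$(Get-Date) - Consolidating events for $Computer"
            $lastuniqueevents = @()
            $ids = ($result | Select-Object Id -Unique).Id
            foreach ($id in $ids) {
                $machineevents = @($result | Where-Object Id -eq $id)
                # Stamp NumEvents on the single newest event before appending it. The previous
                # version ran Add-Member over the whole accumulated list on every pass, so every
                # event ended up with the count of whichever Id was processed last.
                $newest = $machineevents | Sort-Object TimeCreated -Descending | Select-Object -First 1
                $newest | Add-Member -MemberType NoteProperty -Name 'NumEvents' -Value $machineevents.Count -Force
                $lastuniqueevents += $newest
            }
            $AllResults += $lastuniqueevents |
                Select-Object MachineName, NumEvents, TimeCreated, ProviderName, LogName, Id, LevelDisplayName, Message
        }
    }

    End {
        Write-Verbose "$(Get-Date) - Finished."
        $AllResults
    }
}

function Invoke-EventLogs {
    <#
    .SYNOPSIS
    Gets event logs from a computer.

    .DESCRIPTION
    PoshBot command wrapper around Get-AdministrativeEvent: returns the Critical/Error
    administrative events of the last 24 hours as a card response. The query runs under the bot
    process's own identity against whatever host the chat user names, so restrict who may invoke
    this command through PoshBot's command permissions and keep the bot account's rights to the
    minimum needed to read event logs.

    .PARAMETER ComputerName
    Target computer

    .EXAMPLE
    !logs stnjn109.sunssc.local
    #>
    [PoshBot.BotCommand(
        CommandName = 'events',
        Aliases = ('event', 'logs', 'log', 'eventlog')
    )]
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    $output = Get-AdministrativeEvent -ComputerName $ComputerName -HoursBack 24
    $text = $output | Format-List -Property * | Out-String
    # Get-AdministrativeEvent returns nothing for unreachable hosts or empty windows; say so
    # instead of posting an empty card.
    if (-not $text.Trim()) {
        $text = "No critical or error events were returned for $ComputerName in the last 24 hours (or the host could not be queried)."
    }
    New-PoshBotCardResponse -Text $text -Title "Administrative events from $ComputerName in the last 24 hours"
}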