Get-WindowsEventLogMessage.ps1
|
<#PSScriptInfo
.VERSION 2.0.0 .GUID fb06bec9-3e1b-472d-948b-3517f71d876c .AUTHOR saw-friendship .COMPANYNAME .COPYRIGHT .TAGS saw-friendship Windows EventLog Message XML .LICENSEURI .PROJECTURI https://sawfriendship.wordpress.com .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES #> <# .DESCRIPTION Expand WinEventLog Message and trying include generated objects to EventDataObject Property .EXAMPLE Get-WindowsEventLogMessage -Id 4624 -LogName Security -MaxEvents 10 .EXAMPLE Get-WindowsEventLogMessage Security -StartTime (Get-Date).AddHours(-1) -Property Id,TimeCreated,TargetUserName #> [CmdletBinding()] param( [string]$LogName, [string]$ProviderName, [int[]]$Id, [string]$Path, [int]$MaxEvents, [string]$ComputerName, [switch]$Force, [PSCredential]$Credential, [switch]$Oldest, [string]$PropertyPrefix = '', [alias('After')][datetime]$StartTime, [alias('Before')][datetime]$EndTime, [string[]]$Property = @('*') ) [string[]]$FilterParamArray = @('LogName','ProviderName','Id','StartTime','EndTime') [Hashtable]$FilterHashtable = @{}; $PSBoundParameters.Keys.Where({$FilterParamArray -contains $_}).ForEach({$FilterHashtable[$_] = $PSBoundParameters[$_]}) [string[]]$WinEventParamArray = @('MaxEvents','Path','ComputerName','Credential','Force','Oldest') [Hashtable]$WinEventParam = @{}; $PSBoundParameters.Keys.Where({$WinEventParamArray -contains $_}).ForEach({$WinEventParam[$_] = $PSBoundParameters[$_]}) if ($FilterHashtable.Count -ge 1) {$WinEventParam['FilterHashtable'] = $FilterHashtable} [array]$WinEventSelect = $Property.ForEach({$_}) $WinEventSelect += @{'Name' = 'EventData'; 'Expression' = {([xml]($_.ToXml())).Event.EventData.Data}} $WinEventSelect += @{'Name' = 'EventDataObject'; 'Expression' = {$Data = ([xml]($_.ToXml())).Event.EventData.Data; $Hash=@{}; if($Data.Name){[string[]]$NewNames=@(); $Data.ForEach({$NewNames+=$PropertyPrefix+$_.Name; $Hash[$PropertyPrefix+$_.Name]=$_.'#text'}); New-Object -TypeName PsObject -Property $Hash | Select-Object -Property $NewNames}}} Get-WinEvent @WinEventParam | Select-Object -Property $WinEventSelect |