Get-WindowsEventLogMessage.ps1

<#PSScriptInfo
 
.VERSION 2.0.1
 
.GUID fb06bec9-3e1b-472d-948b-3517f71d876c
 
.AUTHOR saw-friendship
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS
 saw-friendship Windows EventLog Message XML
 
.LICENSEURI
 
.PROJECTURI
 https://sawfriendship.wordpress.com
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
#>


<#
 
.DESCRIPTION
 Expands the Windows event log message XML and tries to add the object generated from it as the EventDataObject property
 
.EXAMPLE
 Get-WindowsEventLogMessage -Id 4624 -LogName Security -MaxEvents 10
  
.EXAMPLE
 Get-WindowsEventLogMessage Security -StartTime (Get-Date).AddHours(-1) -Property Id,TimeCreated,TargetUserName
 
#>
 
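[CmdletBinding()]
param(
    # Log to query; becomes the LogName key of the Get-WinEvent filter hashtable.
    [string]$LogName,
    # Event provider to query; becomes the ProviderName filter key.
    [string]$ProviderName,
    # One or more event IDs; becomes the Id filter key.
    [int[]]$Id,
    # Path of a saved event log file; becomes the Path filter key.
    [string]$Path,
    # Passed through to Get-WinEvent -MaxEvents.
    [int]$MaxEvents,
    # Passed through to Get-WinEvent -ComputerName.
    [string]$ComputerName,
    # Passed through to Get-WinEvent -Force.
    [switch]$Force,
    # Passed through to Get-WinEvent -Credential.
    [PSCredential]$Credential,
    # Passed through to Get-WinEvent -Oldest.
    [switch]$Oldest,
    # Text prepended to every property name of the generated EventDataObject.
    [string]$PropertyPrefix = '',
    # Lower time bound; becomes the StartTime filter key.
    [alias('After')][datetime]$StartTime,
    # Upper time bound; becomes the EndTime filter key.
    [alias('Before')][datetime]$EndTime,
    # Properties of the event record to keep in the output; '*' keeps all of them.
    [string[]]$Property = @('*')
)

# Only parameters the caller actually bound are forwarded, so an omitted parameter
# never reaches Get-WinEvent as an empty filter value.
#
# Path is sent as a filter key rather than as a direct Get-WinEvent parameter:
# -Path and -FilterHashtable belong to different Get-WinEvent parameter sets, so
# combining -Path with -Id, -StartTime, etc. would otherwise fail parameter-set
# resolution. The filter hashtable accepts a Path key, so a file can be filtered
# the same way as a live log.
[string[]]$FilterParamArray = @('LogName','ProviderName','Id','Path','StartTime','EndTime')
[Hashtable]$FilterHashtable = @{}
$PSBoundParameters.Keys.Where({$FilterParamArray -contains $_}).ForEach({$FilterHashtable[$_] = $PSBoundParameters[$_]})

# Remaining bound parameters are splatted onto Get-WinEvent unchanged.
[string[]]$WinEventParamArray = @('MaxEvents','ComputerName','Credential','Force','Oldest')
[Hashtable]$WinEventParam = @{}
$PSBoundParameters.Keys.Where({$WinEventParamArray -contains $_}).ForEach({$WinEventParam[$_] = $PSBoundParameters[$_]})

# Attach the filter only when at least one filter key was supplied.
if ($FilterHashtable.Count -ge 1) {$WinEventParam['FilterHashtable'] = $FilterHashtable}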

# Build the Select-Object property list: the caller's property names first, then two
# calculated properties derived from the event's XML rendering.
# NOTE(review): a name in $Property that is not a property of the event record
# presumably comes out as an empty property; event-data fields such as the one in
# the second help example are found under EventDataObject - confirm.
[array]$WinEventSelect = $Property.ForEach({$_})
# EventData: the raw <Data> nodes from the event XML (Event/EventData/Data).
$WinEventSelect += @{'Name' = 'EventData'; 'Expression' = {([xml]($_.ToXml())).Event.EventData.Data}}
# EventDataObject: one object per event whose properties are the named <Data> fields.
# The event XML is rendered and parsed a second time here, independently of EventData.
$WinEventSelect += @{'Name' = 'EventDataObject'; 'Expression' = {
    $Data = ([xml]($_.ToXml())).Event.EventData.Data;
    $Hash=@{};
    # Only build an object when the <Data> nodes carry a Name attribute; otherwise
    # the expression emits nothing and EventDataObject stays empty.
    if($Data.Name){
        # Names are collected separately so the output keeps the order of the event
        # XML (a plain hashtable does not preserve insertion order).
        [string[]]$NewNames=@();
        $Data.ForEach({
            $NewNames+=$PropertyPrefix+$_.Name;
            # Values are copied as-is from the event record's text content; fields
            # written by the logged activity (user names, command lines, ...) should
            # be treated as untrusted data by whatever consumes this object.
            $Hash[$PropertyPrefix+$_.Name]=$_.'#text'
        });
        New-Object -TypeName PsObject -Property $Hash | Select-Object -Property $NewNames
    }
}}

# Query the events with the splatted parameters and project them through the list above.
Get-WinEvent @WinEventParam | Select-Object -Property $WinEventSelect