Added Get-EventLogSz (after pulling upstream)

This commit is contained in:
Gal Szkolnik 2021-05-25 16:11:16 +00:00
parent 2aa29de253
commit fefb5e2572
1 changed files with 85 additions and 0 deletions

View File

@ -0,0 +1,85 @@
param(
[string[]]$LogName=@("Varonis","System"),
$ShowExisting=10,
$MaxMessageLines=2,
[switch]$NoWrap,
[switch]$Wait
)
# $LogName=@("Varonis","System"); $ShowExisting=10
function internalFunction {
$local:logs = [ordered]@{}
foreach( $local:n in $LogName ) {
$logs[$n] = [PSCustomObject]([ordered]@{
LogName=$n
idx=[int]-1
SourceParam=@{LogName=$n}
})
}
$data = @()
foreach( $local:l in $logs.Values ) {
if ($ShowExisting -gt 0) {
$local:SourceParam = $l.SourceParam
$local:latestRows = Get-WinEvent @SourceParam -max $ShowExisting |
Select-Object -Property @{N='Log';E={$l.LogName}},*
$l.idx = $latestRows[0].RecordId | Measure-Object -Maximum | Select-Object -ExpandProperty Maximum
$data += $latestRows
}
else {
$l.idx = (Get-WinEvent @SourceParam -max 1).RecordId
}
}
$data | Sort-Object TimeCreated
Write-Host -ForegroundColor Green "Reading Live EventLog... (To stop press [x], [q], <Enter>, <Space> or <Esc>)"
while ($Wait)
{
Start-Sleep -Milliseconds 100 # Required because of a bug with KeyAvailable
$host.ui.RawUI.FlushInputBuffer(); # Required because of a bug with KeyAvailable
Start-Sleep -Milliseconds 900
$data = @()
foreach( $local:l in $logs.Values ) {
$local:SourceParam = $l.SourceParam
$local:idx = (Get-WinEvent @SourceParam -MaxEvents 1).RecordId
if ($idx -gt $l.idx) {
$data += Get-WinEvent @SourceParam -MaxEvents ($idx - $l.idx) |
Select-Object -Property @{N='Log';E={$l.LogName}},*
}
$l.idx = $idx
}
$data | Sort-Object TimeCreated
Start-Sleep -Milliseconds 100
# <Enter>,<Space>,<Esc>,[q] or [x] keys to terminate; might NOT work in embedded consoles (PowerShell ISE)!
if( $Host.UI.RawUI.KeyAvailable ) {
$local:key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyUp,IncludeKeyDown")
if( $key.KeyDown ) {
if($key.VirtualKeyCode -in @(32, 13, 27) -or $key.Character -in @('q','x')) {
break
} elseif( $key.Character -in @('-','=') ) {
Write-Host -ForegroundColor Yellow $(([string]($key.Character))*60)
}
}
}
}
}
internalFunction |
Select-Object -Property *,@{
L='MessageShort';E={
$_.Message.Trim() -replace "`nMessage(?: Content)?:\W","`n" -split "`n" |
Where-Object { $_.Trim() -and $_ -notmatch "^(?:TimeStamp):\W?" } |
Out-String -Stream |
Select-Object -First $MaxMessageLines |
Join-String "'`n+-- '"
}
} |
Select-Object -OutVariable global:elOut |
Format-Table -Property Log,RecordId,TimeCreated,LevelDisplayName,ProviderName,MessageShort -Wrap:$(-not $NoWrap)