diff --git a/base.win/Get-EventLogSz.ps1 b/base.win/Get-EventLogSz.ps1
new file mode 100644
index 0000000..623580f
--- /dev/null
+++ b/base.win/Get-EventLogSz.ps1
@@ -0,0 +1,85 @@
+param(
+ [string[]]$LogName=@("Varonis","System"),
+ $ShowExisting=10,
+ $MaxMessageLines=2,
+ [switch]$NoWrap,
+ [switch]$Wait
+)
+# $LogName=@("Varonis","System"); $ShowExisting=10
+
+function internalFunction {
+
+ $local:logs = [ordered]@{}
+ foreach( $local:n in $LogName ) {
+ $logs[$n] = [PSCustomObject]([ordered]@{
+ LogName=$n
+ idx=[int]-1
+ SourceParam=@{LogName=$n}
+ })
+ }
+
+ $data = @()
+ foreach( $local:l in $logs.Values ) {
+ if ($ShowExisting -gt 0) {
+ $local:SourceParam = $l.SourceParam
+ $local:latestRows = Get-WinEvent @SourceParam -max $ShowExisting |
+ Select-Object -Property @{N='Log';E={$l.LogName}},*
+
+ $l.idx = $latestRows[0].RecordId | Measure-Object -Maximum | Select-Object -ExpandProperty Maximum
+
+ $data += $latestRows
+ }
+ else {
+ $l.idx = (Get-WinEvent @SourceParam -max 1).RecordId
+ }
+ }
+
+ $data | Sort-Object TimeCreated
+
+ Write-Host -ForegroundColor Green "Reading Live EventLog... (To stop press [x], [q], , or )"
+
+ while ($Wait)
+ {
+ Start-Sleep -Milliseconds 100 # Required because of a bug with KeyAvailable
+ $host.ui.RawUI.FlushInputBuffer(); # Required because of a bug with KeyAvailable
+ Start-Sleep -Milliseconds 900
+ $data = @()
+ foreach( $local:l in $logs.Values ) {
+ $local:SourceParam = $l.SourceParam
+ $local:idx = (Get-WinEvent @SourceParam -MaxEvents 1).RecordId
+ if ($idx -gt $l.idx) {
+ $data += Get-WinEvent @SourceParam -MaxEvents ($idx - $l.idx) |
+ Select-Object -Property @{N='Log';E={$l.LogName}},*
+ }
+ $l.idx = $idx
+ }
+
+ $data | Sort-Object TimeCreated
+
+ Start-Sleep -Milliseconds 100
+ # ,,,[q] or [x] keys to terminate; might NOT work in embedded consoles (PowerShell ISE)!
+ if( $Host.UI.RawUI.KeyAvailable ) {
+ $local:key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyUp,IncludeKeyDown")
+ if( $key.KeyDown ) {
+ if($key.VirtualKeyCode -in @(32, 13, 27) -or $key.Character -in @('q','x')) {
+ break
+ } elseif( $key.Character -in @('-','=') ) {
+ Write-Host -ForegroundColor Yellow $(([string]($key.Character))*60)
+ }
+ }
+ }
+ }
+}
+
+internalFunction |
+ Select-Object -Property *,@{
+ L='MessageShort';E={
+ $_.Message.Trim() -replace "`nMessage(?: Content)?:\W","`n" -split "`n" |
+ Where-Object { $_.Trim() -and $_ -notmatch "^(?:TimeStamp):\W?" } |
+ Out-String -Stream |
+ Select-Object -First $MaxMessageLines |
+ Join-String "'`n+-- '"
+ }
+ } |
+ Select-Object -OutVariable global:elOut |
+ Format-Table -Property Log,RecordId,TimeCreated,LevelDisplayName,ProviderName,MessageShort -Wrap:$(-not $NoWrap)
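Review bot: `$SourceParam` is assigned only inside the `if ($ShowExisting -gt 0)` branch of the first `foreach`, so a run with `-ShowExisting 0` reaches `Get-WinEvent @SourceParam -max 1` in the `else` branch with the variable unset and the call is no longer scoped to `$l.LogName`. Moving `$local:SourceParam = $l.SourceParam` up to be the first statement of the `foreach( $local:l in $logs.Values )` body fixes it and mirrors what the polling loop below already does. Separately, the live loop treats a RecordId lower than the stored one as "nothing new" and then overwrites `$l.idx`, so if a log is cleared between polls the clear and any events written before the next poll are dropped without notice — for a tool meant to watch event logs that is worth surfacing, e.g. `if ($idx -lt $l.idx) { Write-Warning "$($l.LogName): RecordId went backwards (log cleared?)" }` just before the comparison. The `Join-String` in the trailing pipeline also appears to need PowerShell 6.2 or later, which nothing in the script states.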