@davidlu1001
Created March 27, 2024 01:44
Get EventLogs
<#
.SYNOPSIS
Retrieves Windows event logs from local or remote servers based on specified filters.
.DESCRIPTION
This script queries Windows event logs from specified servers, filtering by log name, provider name, event level, and text match within events. Results can be displayed in the console or exported to a CSV file.
.PARAMETER Servers
Specifies an array of server names from which to query the event logs.
.PARAMETER LogName
Specifies the name of the log to query (e.g., Application, System).
.PARAMETER ProviderName
Specifies the provider name to filter the logs. Defaults to all providers.
.PARAMETER Level
Specifies the event level to filter on (Critical, Error, Warning, Information, Verbose, All). Defaults to All.
.PARAMETER DaysAgo
Specifies how many days back to retrieve the events.
.PARAMETER Match
Specifies text to search for within the event message (treated as a regular expression by -match). Defaults to any text (*).
.PARAMETER OutputPath
Specifies the path to export the results to a CSV file. If not provided, output will be displayed in the console.
.EXAMPLE
.\Get-EventLogs.ps1 -Servers "Server1", "Server2" -LogName "Application" -Level "Error" -DaysAgo 7 -Match "Error" -OutputPath "C:\events.csv"
This example queries the Application log for Error events containing "Error" in the message from the last 7 days on Server1 and Server2, exporting the results to C:\events.csv.
.NOTES
Author: Your Name
#>
param (
    [Parameter(Mandatory=$true)]
    [string[]]$Servers,
    [Parameter(Mandatory=$true)]
    [string]$LogName,
    [string]$ProviderName = "*",
    [ValidateSet("Critical", "Error", "Warning", "Information", "Verbose", "All")]
    [string]$Level = "All",
    [Parameter(Mandatory=$true)]
    [int]$DaysAgo,
    [string]$Match = "*",
    [string]$OutputPath
)

# Initialize logging
$loggingPath = "C:\path\to\logging\log.txt" # Specify your logging file path
function Log-Message {
    param([string]$Message)
    "$((Get-Date).ToString()): $Message" | Out-File $loggingPath -Append
}

# Map the friendly level names to the numeric Level values Get-WinEvent expects
$levelMap = @{
    "Critical" = 1; "Error" = 2; "Warning" = 3;
    "Information" = 4; "Verbose" = 5; "All" = "*"
}

# Function to query event logs
function Get-EventLogsWithHashtable {
    param (
        [string]$Server,
        [string]$LogName,
        [string]$ProviderName,
        [string]$Level,
        [int]$DaysAgo,
        [string]$Match
    )
    # Build the -FilterHashtable; only add keys for filters the caller actually set
    $filterHashtable = @{
        LogName = $LogName; StartTime = (Get-Date).AddDays(-$DaysAgo)
    }
    if ($ProviderName -ne "*") { $filterHashtable.ProviderName = $ProviderName }
    if ($Level -ne "All") { $filterHashtable.Level = $levelMap[$Level] }
    try {
        $events = Get-WinEvent -ComputerName $Server -FilterHashtable $filterHashtable -ErrorAction Stop
        if ($Match -ne "*") {
            $events = $events | Where-Object { $_.Message -match $Match }
        }
        return $events
    } catch {
        # ${Server} is required here: "$Server:" would be parsed as a scope/drive qualifier
        Log-Message "Failed to retrieve events from ${Server}: $_"
    }
}

# Process each server
foreach ($server in $Servers) {
    Log-Message "Querying events from $server"
    $events = Get-EventLogsWithHashtable -Server $server -LogName $LogName -ProviderName $ProviderName -Level $Level -DaysAgo $DaysAgo -Match $Match
    if ($events -and $OutputPath) {
        $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path $OutputPath -NoTypeInformation -Append
        Log-Message "Events from $server exported to $OutputPath"
    } elseif ($events) {
        $events | Format-Table -Property TimeCreated, Id, LevelDisplayName, Message -AutoSize
    } else {
        Log-Message "No events found on $server matching criteria."
    }
}

if ($OutputPath) {
    Write-Host "Events exported to $OutputPath"
} else {
    Write-Host "Event query completed."
}
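The script above logs every Get-WinEvent exception as a failure, but Get-WinEvent also throws when a filter simply matches nothing, so an empty result and an access-denied or RPC error land in the same log line. The following is an added example (not part of the gist) of a query function that tells those cases apart and escapes the search text so it is matched literally; the function name, the parameter set, the -Id filter and the sample call are my own additions.

```powershell
function Get-FilteredWinEvent {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$LogName,
        [int[]]$Id,
        [ValidateSet('Critical','Error','Warning','Information','Verbose')][string]$Level,
        [int]$DaysAgo = 1,
        [string]$Match,
        [int]$MaxEvents = 1000
    )
    # Same numeric mapping the gist uses; Get-WinEvent's Level key needs the number
    $levelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-$DaysAgo) }
    if ($Id)    { $filter.Id    = $Id }
    if ($Level) { $filter.Level = $levelMap[$Level] }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent raises NoMatchingEventsFound when the filter hits nothing;
        # that is an empty result, not an error, so return an empty array.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }
        # Anything else (access denied, RPC unavailable, unknown log name) is a real
        # failure; rethrow with the host name so the caller can act on it.
        throw "Query against ${ComputerName} failed: $($_.Exception.Message)"
    }

    if ($Match) {
        # The gist passes $Match straight to -match, so it is interpreted as a regex.
        # Escaping it makes user-supplied text a literal substring search.
        $pattern = [regex]::Escape($Match)
        $events = $events | Where-Object { $_.Message -match $pattern }
    }
    return $events
}

# Sample call (constructed): failed logon events from the local Security log over
# the last day, narrowed to one account name. The account name is a placeholder.
$failed = Get-FilteredWinEvent -ComputerName $env:COMPUTERNAME -LogName 'Security' `
                               -Id 4625 -DaysAgo 1 -Match 'svc_backup'
"Failed logons found: $($failed.Count)"
$failed | Select-Object TimeCreated, Id, MachineName, Message | Format-List
```

Reading the Security log requires membership in the Event Log Readers group (or an equivalent right) on the target, and remote queries go over RPC, so the Remote Event Log Management firewall rules must be enabled on the server being queried.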