raandree · June 25, 2018 23:07
diff --git a/EventLogLegacy.ps1 b/EventLogLegacy.ps1
 <#
    .SYNOPSIS
    Gets event log entries from remote computers using RPC/DCOM (same as connecting to remote computer from event log viewer MMC)

    .DESCRIPTION
    Gets event log entries from remote computers using RPC/DCOM (same as connecting to remote computer from event log viewer MMC)

    .NOTES
    --------------------------------------------------------------------------------
     Script author:    Per Pedersen - [email protected]

     Created on:       2018-06-21

     History:          1.0.0   2018-06-21 - Initial version

    --------------------------------------------------------------------------------
    
    This script is provided "AS IS" with no warranties, confers no rights and 
    is not supported by the authors or Microsoft Corporation. 
    Use of this script sample is subject to the terms specified at 
    https://www.microsoft.com/en-us/legal/Copyright/Default.aspx

    .EXAMPLE
    .\Get-RemoteEvent -ComputerName $computers
    Gets all events from computers in $computers variable from System event log (default log) from last 1 hour (default)

    .EXAMPLE
    .\Get-RemoteEvent -ComputerName $computers -Hours 100
    Gets all events from computers in $computers variable from System event log (default log) from last 100 hours

    .EXAMPLE
    .\Get-RemoteEvent -ComputerName $computers -Hours 100 -EventID 1000
    Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000

    .EXAMPLE
    .\Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 100 -UserName 'Contoso\Administrator' -Password 'Somepass1'
    Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using clear text username password (will not be used over the network but merely used for creating credentials used for cmdlet)

    .EXAMPLE
    $cred = New-Object pscredential('Contoso\Administrator', ('Somepass1' | ConvertTo-SecureString -AsPlainText -Force));.\Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 10 -Credential $cred
    Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using a pre-generated credentials object
 #>
 [CmdletBinding(DefaultParameterSetName = 'UsernamePassword')]
 param
 (
    [ValidateLength(1,15)]
    [ValidateCount(1,65535)]
    [string[]]$ComputerName,
        
    [Parameter(ParameterSetName='UsernamePassword')]
    [ValidateLength(1,255)]
    [string]$UserName,
        
    [Parameter(ParameterSetName='UsernamePassword')]
    [ValidateLength(1,255)]
    [string]$Password,

    [Parameter(ParameterSetName='Credential')]
    [pscredential]$Credential,

    [ValidateLength(1,255)]
    [string]$LogName = 'System',

    [ValidateSet('', 'Information', 'Warning', 'Error')]
    [string]$Type,

    [ValidateRange(0,65535)]
    [int]$EventID,

    [ValidateRange(0,720)]
    [int]$Hours = 1
 )

 function Get-RemoteEvent
 {
    [CmdletBinding(DefaultParameterSetName = 'UsernamePassword')]
    param
    (
        [ValidateLength(1,15)]
        [ValidateCount(1,65535)]
        [string[]]$ComputerName,
        
        [Parameter(ParameterSetName='UsernamePassword')]
        [ValidateLength(1,255)]
        [string]$UserName,
        
        [Parameter(ParameterSetName='UsernamePassword')]
        [ValidateLength(1,255)]
        [string]$Password,

        [Parameter(ParameterSetName='Credential')]
        [pscredential]$Credential,

        [ValidateLength(1,255)]
        [string]$LogName = 'System',

        [ValidateSet('', 'Information', 'Warning', 'Error')]
        [string]$Type,

        [ValidateRange(0,65535)]
        [int]$EventID,

        [ValidateRange(0,720)]
        [int]$Hours = 1
    )
    
    Write-Verbose -Message "ParSet='$($PSCmdlet.ParameterSetName)'"
    
    
    $startTime = (Get-Date).AddHours(-$Hours)
    
    if ($Type)
    {
        $events = Get-EventLog -ComputerName $ComputerName -LogName $LogName -After $startTime -EntryType $Type 
    }
    else
    {
        $events = Get-EventLog -ComputerName $ComputerName -LogName $LogName -After $startTime
    }
        
    if ($EventID)
    {
        $events = $events | Where-Object {$_.EventID -eq $EventID}
    }
        
    $events
 }

 if ($PSBoundParameters.Count)
 {
    $PSBoundParameters.Count
    Get-RemoteEvent @PSBoundParameters
 }

 break





 #Get all events from computers in $computers variable from System event log (default log) from last 1 hour (default)
 Get-RemoteEvent -ComputerName $computers | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



 #Get all events from computers in $computers variable from System event log (default log) from last 100 hours
 Get-RemoteEvent -ComputerName $computers -Hours 100 | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



 #Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000
 Get-RemoteEvent -ComputerName $computers -Hours 100 -EventID 1000 | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



 #Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1 using clear text username password (will not be used over the network but merely used for creating credentials used for cmdlet)
 Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 100 -UserName 'Contoso\Administrator' -Password 'Somepass1' | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



 #Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using a pre-generated credentials object
 $cred = New-Object pscredential('Contoso\Administrator', ('Somepass1' | ConvertTo-SecureString -AsPlainText -Force))
 Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 10 -Credential $cred | Sort-Object -Property TimeGenerated, MachineName | Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize
	<#
	.SYNOPSIS
	Gets event log entries from remote computers using RPC/DCOM (same as connecting to remote computer from event log viewer MMC)

	.DESCRIPTION
	Gets event log entries from remote computers using RPC/DCOM (same as connecting to remote computer from event log viewer MMC)

	.NOTES
	--------------------------------------------------------------------------------
	Script author: Per Pedersen - [email protected]

	Created on: 2018-06-21

	History: 1.0.0 2018-06-21 - Initial version

	--------------------------------------------------------------------------------

	This script is provided "AS IS" with no warranties, confers no rights and
	is not supported by the authors or Microsoft Corporation.
	Use of this script sample is subject to the terms specified at
	https://www.microsoft.com/en-us/legal/Copyright/Default.aspx

	.EXAMPLE
	.\Get-RemoteEvent -ComputerName $computers
	Gets all events from computers in $computers variable from System event log (default log) from last 1 hour (default)

	.EXAMPLE
	.\Get-RemoteEvent -ComputerName $computers -Hours 100
	Gets all events from computers in $computers variable from System event log (default log) from last 100 hours

	.EXAMPLE
	.\Get-RemoteEvent -ComputerName $computers -Hours 100 -EventID 1000
	Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000

	.EXAMPLE
	.\Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 100 -UserName 'Contoso\Administrator' -Password 'Somepass1'
	Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using clear text username password (will not be used over the network but merely used for creating credentials used for cmdlet)

	.EXAMPLE
	$cred = New-Object pscredential('Contoso\Administrator', ('Somepass1' \| ConvertTo-SecureString -AsPlainText -Force));.\Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 10 -Credential $cred
	Gets all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using a pre-generated credentials object
	#>
	[CmdletBinding(DefaultParameterSetName = 'UsernamePassword')]
	param
	(
	[ValidateLength(1,15)]
	[ValidateCount(1,65535)]
	[string[]]$ComputerName,

	[Parameter(ParameterSetName='UsernamePassword')]
	[ValidateLength(1,255)]
	[string]$UserName,

	[Parameter(ParameterSetName='UsernamePassword')]
	[ValidateLength(1,255)]
	[string]$Password,

	[Parameter(ParameterSetName='Credential')]
	[pscredential]$Credential,

	[ValidateLength(1,255)]
	[string]$LogName = 'System',

	[ValidateSet('', 'Information', 'Warning', 'Error')]
	[string]$Type,

	[ValidateRange(0,65535)]
	[int]$EventID,

	[ValidateRange(0,720)]
	[int]$Hours = 1
	)

	function Get-RemoteEvent
	{
	[CmdletBinding(DefaultParameterSetName = 'UsernamePassword')]
	param
	(
	[ValidateLength(1,15)]
	[ValidateCount(1,65535)]
	[string[]]$ComputerName,

	[Parameter(ParameterSetName='UsernamePassword')]
	[ValidateLength(1,255)]
	[string]$UserName,

	[Parameter(ParameterSetName='UsernamePassword')]
	[ValidateLength(1,255)]
	[string]$Password,

	[Parameter(ParameterSetName='Credential')]
	[pscredential]$Credential,

	[ValidateLength(1,255)]
	[string]$LogName = 'System',

	[ValidateSet('', 'Information', 'Warning', 'Error')]
	[string]$Type,

	[ValidateRange(0,65535)]
	[int]$EventID,

	[ValidateRange(0,720)]
	[int]$Hours = 1
	)

	Write-Verbose -Message "ParSet='$($PSCmdlet.ParameterSetName)'"


	$startTime = (Get-Date).AddHours(-$Hours)

	if ($Type)
	{
	$events = Get-EventLog -ComputerName $ComputerName -LogName $LogName -After $startTime -EntryType $Type
	}
	else
	{
	$events = Get-EventLog -ComputerName $ComputerName -LogName $LogName -After $startTime
	}

	if ($EventID)
	{
	$events = $events \| Where-Object {$_.EventID -eq $EventID}
	}

	$events
	}

	if ($PSBoundParameters.Count)
	{
	$PSBoundParameters.Count
	Get-RemoteEvent @PSBoundParameters
	}

	break





	#Get all events from computers in $computers variable from System event log (default log) from last 1 hour (default)
	Get-RemoteEvent -ComputerName $computers \| Sort-Object -Property TimeGenerated, MachineName \| Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



	#Get all events from computers in $computers variable from System event log (default log) from last 100 hours
	Get-RemoteEvent -ComputerName $computers -Hours 100 \| Sort-Object -Property TimeGenerated, MachineName \| Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



	#Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000
	Get-RemoteEvent -ComputerName $computers -Hours 100 -EventID 1000 \| Sort-Object -Property TimeGenerated, MachineName \| Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



	#Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1 using clear text username password (will not be used over the network but merely used for creating credentials used for cmdlet)
	Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 100 -UserName 'Contoso\Administrator' -Password 'Somepass1' \| Sort-Object -Property TimeGenerated, MachineName \| Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize



	#Get all events from computers in $computers variable from System event log (default log) from last 100 hours with event ID 1000 using a pre-generated credentials object
	$cred = New-Object pscredential('Contoso\Administrator', ('Somepass1' \| ConvertTo-SecureString -AsPlainText -Force))
	Get-RemoteEvent -ComputerName $computers -EventID 1000 -Hours 10 -Credential $cred \| Sort-Object -Property TimeGenerated, MachineName \| Format-Table -Property MachineName, TimeGenerated, EventID, EntryType, Source, Message -AutoSize