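Function Convert-EventLogRecord {
    <#
    .SYNOPSIS
        Convert EventLogRecord objects into flat custom objects.
    .DESCRIPTION
        Each record is expanded into a PSCustomObject carrying LogName,
        RecordType, TimeCreated and ID, followed by one property per named
        <Data> element found in the record's XML (elements without a name
        are collected as a string array under RawProperties), then Message,
        Keywords, Source and Computername.

        A data name that occurs more than once in the same record is merged
        into an array under that name instead of failing on a duplicate key,
        and a named element that follows an unnamed one is filed under its
        own name rather than being appended to RawProperties.
    .PARAMETER LogRecord
        One or more System.Diagnostics.Eventing.Reader.EventLogRecord
        objects, such as the output of Get-WinEvent. Accepts pipeline input.
    .OUTPUTS
        PSCustomObject
    #>
    [cmdletbinding()]
    [alias("clr")]
    [OutputType('PSCustomObject')]
    Param(
        [Parameter(Position = 0, Mandatory, ValueFromPipeline)]
        [ValidateNotNullorEmpty()]
        [System.Diagnostics.Eventing.Reader.EventLogRecord[]]$LogRecord
    )
    Begin {
        Write-Verbose "[BEGIN ] Starting: $($MyInvocation.Mycommand)"

        # Merge one <Data> element (an XmlElement, or a plain string when the
        # element carries no attributes) into the ordered hashtable $Table.
        # Named elements become a property of that name; unnamed ones are
        # accumulated as a string array under RawProperties. A key that is
        # already present is extended to an array, which OrderedDictionary.Add
        # would otherwise reject. Running in its own scope also keeps the
        # [string[]] constraint on $value from leaking into later named
        # values, as it did when this logic lived inline in Process.
        function Add-EventDataValue {
            param(
                [System.Collections.Specialized.OrderedDictionary]$Table,
                $Data
            )
            if ($Data.name) {
                $name  = $Data.name
                $value = $Data.'#text'
            }
            else {
                Write-Verbose "[PROCESS] No data property name detected"
                $name = "RawProperties"
                # data will likely be a string or an array of strings
                [string[]]$value = $Data
            }
            # Check the key actually being added; the previous code compared
            # against "RawProperties" regardless of $name, so a named element
            # arriving after an unnamed one was misfiled under RawProperties.
            if ($Table.Contains($name)) {
                Write-Verbose "[PROCESS] Appending to $name"
                $Table[$name] = @($Table[$name]) + $value
            }
            else {
                Write-Verbose "[PROCESS] Adding $name"
                $Table.Add($name, $value)
            }
        }
    } #begin
    Process {
        foreach ($record in $LogRecord) {
            Write-Verbose "[PROCESS] Processing event id $($record.ID) from $($record.logname) log on $($record.machinename)"
            Write-Verbose "[PROCESS] Creating XML data"
            [xml]$r = $record.ToXml()
            $h = [ordered]@{
                LogName     = $record.LogName
                RecordType  = $record.LevelDisplayName
                TimeCreated = $record.TimeCreated
                ID          = $record.Id
            }
            if ($r.Event.EventData.Data.Count -gt 0) {
                Write-Verbose "[PROCESS] Parsing event data"
                # @() wraps a lone string so the loop sees "Foo" rather than
                # its individual characters; this replaces the separate
                # array and scalar code paths that duplicated the same logic.
                foreach ($data in @($r.Event.EventData.Data)) {
                    Add-EventDataValue -Table $h -Data $data
                }
            } #if data
            else {
                Write-Verbose "[PROCESS] No event data to process"
            }
            # Record-level properties. Add still throws if an event's own
            # <Data Name="..."> element already claimed one of these names.
            $h.Add("Message", $record.Message)
            $h.Add("Keywords", $record.KeywordsDisplayNames)
            $h.Add("Source", $record.ProviderName)
            $h.Add("Computername", $record.MachineName)
            Write-Verbose "[PROCESS] Creating custom object"
            # ordered dictionary keeps the property order shown above
            [PSCustomObject]$h
        } #foreach record
    } #process
    End {
        Write-Verbose "[END ] Ending: $($MyInvocation.Mycommand)"
    } #end
}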