# etl-to-evtx: polls the .etl trace files listed in a CSV and re-emits their
# events into custom Windows event logs so a WEF subscription can collect them.
# Operator banner and usage text; the CSV location is fixed (see load-etl).
Write-Host "`n...........................................`n"
Write-Host "@ACALARCH Convert .ETL to WEF subscribable log"
Write-Host ' Requires CSV in "C:\Windows\Temp\pathstopull.txt"'
Write-Host ' ......CSV Format Example......'
Write-Host " C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl, CUST_WMITRACE"
Write-Host ' ......END EXAMPLE......'
Write-Host "...........................................`n"
Start-Sleep -Seconds 1
# Placeholder only; the main loop reassigns this to an array before reading it.
$logz = ""
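#######################################
# Reads the CSV of ETL sources, checks that each source .etl can be read and
# that its destination event log exists (creating the log when it does not),
# and returns the usable sources.
# Inputs:  C:\Windows\Temp\pathstopull.txt, header-less CSV with columns
#          Path (the .etl file) and Name (destination event log / source name).
# Outputs: a flat array: one PSObject (Path, Name, Enabled, LastUpdate) per
#          readable source, followed by the CSV's file hash string as the
#          LAST element. The result is always an array, even with one element.
# Exits:   the whole script when the CSV cannot be hashed or parsed.
# NOTE(review): the CSV is trusted input. Whoever can write that file chooses
# which files get read and which event logs/sources get created, so its ACL
# should be limited to administrators — confirm on the deployment hosts.
#######################################
function load-etl {
    $csvPath = "C:\Windows\Temp\pathstopull.txt"
    try {
        Write-Host "Attempting to read CSV at `"$csvPath`""
        # The hash is handed back so the poll loop can detect CSV edits cheaply.
        $filehash = (Get-FileHash $csvPath -ErrorAction Stop).Hash
        $sources = Import-Csv $csvPath -Header Path,Name -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red "Unable to load CSV at `"$csvPath`""
        Write-Host -ForegroundColor Red "EXITING"
        exit
    }
    $logz = @()
    Write-Host -ForegroundColor Cyan "Attempting to load etl sources and preparing destination logs"
    foreach ($source in $sources) {
        $alive = "ALIVE"
        try {
            # -MaxEvents 1: this is only a readability probe, so do not parse the whole trace.
            Get-WinEvent -Oldest -Path $source.Path -MaxEvents 1 -ErrorAction Stop | Out-Null
            Get-WinEvent -ListLog $source.Name -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Host "checking if path to log exists"
            if (-not (Test-Path $source.Path)) {
                Write-Host -ForegroundColor Red "Following Log Does Not Exist or is Inaccessible, Logs Will Not Be Converted, Maybe Ensure The Log Is Enabled?:" $source.Path
                $alive = "DEAD"
            }
            else {
                # The .etl exists, so the failure is on the destination side; only a
                # missing destination log is handled (created) here.
                $exceptional = $_.Exception.Message.ToString()
                if ($exceptional -like 'There is not an event log on the localhost computer that matches*') {
                    try {
                        New-EventLog -Source $source.Name -LogName $source.Name -ErrorAction Stop | Out-Null
                        Write-Host "created event:" $source.Name
                    }
                    catch {
                        Write-Host "unable to create log $($source.Name), windows looks at only the first 8 chars for custom logs, so please ensure name does not conflict"
                        Write-Host "Logs Will Not Be Converted for:" $source.Name
                        $alive = "DEAD"
                    }
                }
            }
        }
        $log = New-Object -TypeName PSObject
        $log | Add-Member -Type NoteProperty -Name Path -Value $source.Path
        $log | Add-Member -Type NoteProperty -Name Name -Value $source.Name
        # Enabled is a string ("true"/"false"); the caller compares it against "true".
        $enabled = if ($alive -eq "DEAD") { "false" } else { "true" }
        $log | Add-Member -Type NoteProperty -Name Enabled -Value $enabled
        # Sentinel the poll loop reads as "nothing converted from this source yet".
        $log | Add-Member -Type NoteProperty -Name LastUpdate -Value "No new logs"
        if ($alive -eq "ALIVE") {
            $logz += $log
        }
    }
    # Flat result: logs first, hash last. The unary comma keeps it an array even
    # when $logz is empty; without it a single-element result unrolls to a bare
    # string and the caller would index into the hash's characters.
    $returns = @()
    $returns += $logz
    $returns += $filehash
    return ,$returns
}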
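#######################################
# Splits load-etl's flat result (log objects, then the CSV hash as the last
# element) into its two parts.
# Arguments: $result - whatever load-etl returned
# Returns:   hashtable with Logs (array of log objects, possibly empty) and
#            Hash (the CSV hash string)
#######################################
function split-etl-result {
    param($result)
    # @(): a one-element return unrolls to a bare string whose .Length is its
    # character count, so without this the loop below would index into the hash.
    $items = @($result)
    $logs = @()
    if ($items.Length -gt 1) {
        $logs = @($items[0..($items.Length - 2)])
    }
    return @{ Logs = $logs; Hash = $items[$items.Length - 1] }
}

$loaded = split-etl-result (load-etl)
$logz = $loaded.Logs
$filehash = $loaded.Hash
foreach ($log in $logz) {
    # -eq, not '=': an assignment here always succeeds and overwrites Enabled.
    if ($log.Enabled -eq "true") {
        Write-Host "Loaded Source:" $log.Path
    }
}
Write-Host "`n"
# $count drives the CSV re-check cadence. It is also bumped once per source that
# produced events, so the check uses -ge: with -eq the value can jump past 6
# and the CSV would never be re-read.
$count = 0
while ($true) {
    if ($count -ge 6) {
        $count = 0
        Write-Host -ForegroundColor Gray "Checking for updates"
        try {
            $filehashnow = (Get-FileHash "C:\Windows\Temp\pathstopull.txt" -ErrorAction Stop).Hash
        }
        catch {
            # Unreadable CSV: keep the current source list rather than dropping it.
            $filehashnow = "NOPE"
        }
        if (($filehashnow -ne $filehash) -and ($filehashnow -ne "NOPE")) {
            $loaded = split-etl-result (load-etl)
            $logz = $loaded.Logs
            $filehash = $loaded.Hash
        }
    }
    $count = $count + 1
    $a = Get-Date
    Write-Host -ForegroundColor "cyan" "Checking Logs"
    foreach ($log in $logz) {
        Write-Host -ForegroundColor "green" " Checking logs for:" $log.Path
        # First pass per source: only the trailing minute; afterwards everything
        # newer than the last event that was converted.
        if ($log.LastUpdate -eq "No new logs") {
            $since = $a.AddMinutes(-1)
        }
        else {
            $since = $log.LastUpdate
        }
        # @(): exactly one new event would otherwise arrive as a scalar, fail the
        # array test, and be silently skipped (and then fall out of the 1-minute window).
        $mylogs = @(Get-WinEvent -Oldest -Path $log.Path | Where-Object { $_.TimeCreated -gt $since })
        if ($mylogs.Count -gt 0) {
            $log.LastUpdate = $mylogs[$mylogs.Count - 1].TimeCreated
            Write-Host " ...Converted" $mylogs.Count "logs"
            Write-Host " ...Latest log was at:" $log.LastUpdate
            foreach ($evt in $mylogs) {
                $message = $evt.Message + ";`n`nTime = " + $evt.TimeCreated + "`nLevel = " + $evt.Level + "`nMachineName = " + $evt.MachineName + "`nProcessId = " + $evt.ProcessId + "`nThreadId = " + $evt.ThreadId + "`nUserId = " + $evt.UserId + "`nCount = " + $count
                # NOTE(review): Write-EventLog limits EventId to 0-65535 and caps the
                # message size; an ETL event outside those limits fails here without
                # being retried, and LastUpdate has already moved past it — confirm
                # whether the sources in use can emit such events.
                Write-EventLog -LogName $log.Name -Source $log.Name -EventId $evt.Id -Message $message
            }
            $count = $count + 1
            Start-Sleep -Milliseconds 5
        }
        else {
            Write-Host " ...No new logs to convert"
            Write-Host " ...Latest log was at:" $log.LastUpdate
        }
    }
    Write-Host -ForegroundColor "cyan" "Sleeping for 15 seconds`n"
    Start-Sleep -Seconds 15
}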