-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathCreate-EventViewerCustomViews.ps1
100 lines (82 loc) · 4.29 KB
/
Create-EventViewerCustomViews.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#Requires -Version 5 -RunAsAdministrator
<#
.SYNOPSIS
Create-EventViewerCustomViews - Creates local event viewer custom view files based on Palantir's WEF Github repo
.DESCRIPTION
Palantir have a great Github repo that contains WEF (Windows Event Forwarding) subscriptions to be created on
a WEC (Windows Event Collector) server. They've done the hard work of setting up event log filters
to capture various events. https://github.com/palantir/windows-event-forwarding
I'd recently been wondering if it was possible to push out custom Event Viewer views, and at the same time
decided I'd like to leverage the work Palantir had done with WEF/WEC to create custom view files
that allow you to filter local or remote event logs using Event Viewer.
Rather than create these views manually, this script does the following:
1. Downloads the Palantir 'windows-event-forwarding' repo in ZIP format
2. Extracts the Event Log query out of each file in the 'wef-subscriptions' folder, and
turns it into a custom Event Viewer view (XML) file in %PROGRAMDATA%\Microsoft\Event Viewer\Views
YMMV with this, as I couldn't test the actual outbound connectivity and download functionality on my work
laptop. My Windows Firewall policies don't allow PowerShell to communicate out to the Internet. I have, however,
tested the script from line #63 onwards.
Needs to be run as an admin in order to create the view files in %PROGRAMDATA%, unless you change the
output path in the $templateStoragePath variable
.OUTPUTS
Places custom view files into %PROGRAMDATA%\Microsoft\Event Viewer\Views
.EXAMPLE
Create-EventViewerCustomViews.ps1
.LINK
https://github.com/dstreefkerk/PowerShell/blob/master/Create-EventViewerCustomViews.ps1
.NOTES
Written By: Daniel Streefkerk
Website: http://daniel.streefkerkonline.com
Twitter: http://twitter.com/dstreefkerk
Todo: Nothing at the moment
Change Log
v1.0, 07/11/2017 - Initial version
#>
# Download URL for the Palantir windows-event-forwarding Repo on Github
$repoZipURL = 'https://codeload.github.com/palantir/windows-event-forwarding/zip/master'
# Location in which to create the custom Event Viewer views
$templateStoragePath = Join-Path $env:ProgramData 'Microsoft\Event Viewer\Views'
$xmlTemplate = @"
<ViewerConfig>
<QueryConfig>
<QueryParams>
<UserQuery />
</QueryParams>
<QueryNode>
<Name>{NAMEHERE}</Name>
<Description>{DESCRIPTIONHERE}</Description>
{QUERYLISTHERE}
</QueryNode>
</QueryConfig>
</ViewerConfig>
"@
# Temporary storage location for the downloaded Palantir WEF
$tempFile = (Join-Path $env:temp 'wef-repo.zip')
Remove-Item $tempFile -Force -ErrorAction SilentlyContinue
# Download the Repo, but it requires TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $repoZipURL -OutFile $tempFile
# https://stackoverflow.com/questions/8095638/how-do-i-negate-a-condition-in-powershell
if (-Not (Test-Path $tempFile)) {
throw "Couldn't locate the downloaded Repo ZIP file. You could manually download it at $repoZipURL and save it as $tempFile"
}
# Expand the ZIP file to a temporary folder
$tempFolder = (Join-Path $env:temp 'wef-repo')
Expand-Archive $tempFile -DestinationPath $tempFolder -Force
# Get our list of WEF Subscription files
$subscriptionFiles = Get-ChildItem (Join-Path $tempFolder 'windows-event-forwarding-master\wef-subscriptions\*.xml') -File
foreach ($file in $subscriptionFiles) {
# Grab a copy of our custom Event Log view template XML
$eventXml = $xmlTemplate
# Convert the repo subscription file to XML
$fileXml = [xml](Get-Content $file.FullName)
# For test
"Processing: " + $file.Name
# Insert the info from the repo subscription file into our template
$eventXml = $eventXml.Replace('{NAMEHERE}',$filexml.Subscription.SubscriptionId)
$eventXml = $eventXml.Replace('{DESCRIPTIONHERE}',$filexml.Subscription.Description)
$eventXml = $eventXml.Replace('{QUERYLISTHERE}',$filexml.Subscription.Query.InnerText)
# Write our populated template variable out to a custom view XML file
$outputPath = Join-Path $templateStoragePath "CUSTOMVIEW - $($filexml.Subscription.SubscriptionId).xml"
$eventXml | Out-File -FilePath $outputPath -Force
}